Edit tour

Windows Analysis Report
hZbkP3TJBJ.exe

Overview

General Information

Sample name:	hZbkP3TJBJ.exe renamed because original name is a hash value
Original sample name:	0eb8abfd2709e701ef3a5263c404a107e328537af080cd9e976fa199eb5d8894.exe
Analysis ID:	1588083
MD5:	286d68b773e946b301bd7134769a58e6
SHA1:	82004957c97f892b7ae6025c333bc6da0b17ca1a
SHA256:	0eb8abfd2709e701ef3a5263c404a107e328537af080cd9e976fa199eb5d8894
Tags:	exeSnakeKeyloggeruser-adrian__luca
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected Snake Keylogger

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Drops VBS files to the startup folder

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Yara detected Generic Downloader

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

hZbkP3TJBJ.exe (PID: 7120 cmdline: "C:\Users\user\Desktop\hZbkP3TJBJ.exe" MD5: 286D68B773E946B301BD7134769A58E6)

outbluffed.exe (PID: 5416 cmdline: "C:\Users\user\Desktop\hZbkP3TJBJ.exe" MD5: 286D68B773E946B301BD7134769A58E6)

RegSvcs.exe (PID: 3180 cmdline: "C:\Users\user\Desktop\hZbkP3TJBJ.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cmd.exe (PID: 1848 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 2044 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

wscript.exe (PID: 6240 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outbluffed.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

outbluffed.exe (PID: 744 cmdline: "C:\Users\user\AppData\Local\maneuverability\outbluffed.exe" MD5: 286D68B773E946B301BD7134769A58E6)

RegSvcs.exe (PID: 1252 cmdline: "C:\Users\user\AppData\Local\maneuverability\outbluffed.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cmd.exe (PID: 3312 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 820 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7838541807:AAEJadvLoc1DBjJfseqmrMSpZAXwRkaHwwk/sendMessage?chat_id=7488699642", "Token": "7838541807:AAEJadvLoc1DBjJfseqmrMSpZAXwRkaHwwk", "Chat_id": "7488699642", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000D.00000002.1476335401.00000000010C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.1476335401.00000000010C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0000000D.00000002.1476335401.00000000010C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000D.00000002.1476335401.00000000010C0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14bf7:$a1: get_encryptedPassword 0x14ee3:$a2: get_encryptedUsername 0x14a03:$a3: get_timePasswordChanged 0x14afe:$a4: get_passwordField 0x14c0d:$a5: set_encryptedPassword 0x162a2:$a7: get_logins 0x16205:$a10: KeyLoggerEventArgs 0x15e70:$a11: KeyLoggerEventArgsEventHandler
0000000D.00000002.1476335401.00000000010C0000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c9be:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1bbf0:$a3: \Google\Chrome\User Data\Default\Login Data 0x1c023:$a4: \Orbitum\User Data\Default\Login Data 0x1d062:$a5: \Kometa\User Data\Default\Login Data
0000000D.00000002.1476335401.00000000010C0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x157ea:$s1: UnHook 0x157f1:$s2: SetHook 0x157f9:$s3: CallNextHook 0x15806:$s4: _hook
0000000D.00000002.1476335401.00000000010C0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19c28:$x1: $%SMTPDV$ 0x1860c:$x2: $#TheHashHere%& 0x19bd0:$x3: %FTPDV$ 0x185ac:$x4: $%TelegramDv$ 0x15e70:$x5: KeyLoggerEventArgs 0x16205:$x5: KeyLoggerEventArgs 0x19bf4:$m2: Clipboard Logs ID 0x19e32:$m2: Screenshot Logs ID 0x19f42:$m2: keystroke Logs ID 0x1a21c:$m3: SnakePW 0x19e0a:$m4: \SnakeKeylogger\
0000000A.00000002.1520335017.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.1520335017.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000A.00000002.1520335017.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x149f7:$a1: get_encryptedPassword 0x14ce3:$a2: get_encryptedUsername 0x14803:$a3: get_timePasswordChanged 0x148fe:$a4: get_passwordField 0x14a0d:$a5: set_encryptedPassword 0x160a2:$a7: get_logins 0x16005:$a10: KeyLoggerEventArgs 0x15c70:$a11: KeyLoggerEventArgsEventHandler
0000000A.00000002.1520335017.0000000000402000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19a28:$x1: $%SMTPDV$ 0x1840c:$x2: $#TheHashHere%& 0x199d0:$x3: %FTPDV$ 0x183ac:$x4: $%TelegramDv$ 0x15c70:$x5: KeyLoggerEventArgs 0x16005:$x5: KeyLoggerEventArgs 0x199f4:$m2: Clipboard Logs ID 0x19c32:$m2: Screenshot Logs ID 0x19d42:$m2: keystroke Logs ID 0x1a01c:$m3: SnakePW 0x19c0a:$m4: \SnakeKeylogger\
00000008.00000002.1321912320.0000000001490000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.1321912320.0000000001490000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000008.00000002.1321912320.0000000001490000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000008.00000002.1321912320.0000000001490000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14bf7:$a1: get_encryptedPassword 0x14ee3:$a2: get_encryptedUsername 0x14a03:$a3: get_timePasswordChanged 0x14afe:$a4: get_passwordField 0x14c0d:$a5: set_encryptedPassword 0x162a2:$a7: get_logins 0x16205:$a10: KeyLoggerEventArgs 0x15e70:$a11: KeyLoggerEventArgsEventHandler
00000008.00000002.1321912320.0000000001490000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c9be:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1bbf0:$a3: \Google\Chrome\User Data\Default\Login Data 0x1c023:$a4: \Orbitum\User Data\Default\Login Data 0x1d062:$a5: \Kometa\User Data\Default\Login Data
00000008.00000002.1321912320.0000000001490000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x157ea:$s1: UnHook 0x157f1:$s2: SetHook 0x157f9:$s3: CallNextHook 0x15806:$s4: _hook
00000008.00000002.1321912320.0000000001490000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19c28:$x1: $%SMTPDV$ 0x1860c:$x2: $#TheHashHere%& 0x19bd0:$x3: %FTPDV$ 0x185ac:$x4: $%TelegramDv$ 0x15e70:$x5: KeyLoggerEventArgs 0x16205:$x5: KeyLoggerEventArgs 0x19bf4:$m2: Clipboard Logs ID 0x19e32:$m2: Screenshot Logs ID 0x19f42:$m2: keystroke Logs ID 0x1a21c:$m3: SnakePW 0x19e0a:$m4: \SnakeKeylogger\
0000000A.00000002.1521902845.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000E.00000002.1663779981.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: outbluffed.exe PID: 5416	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: outbluffed.exe PID: 5416	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: outbluffed.exe PID: 5416	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xdcc499:$a1: get_encryptedPassword 0xdcc77b:$a2: get_encryptedUsername 0xdcc2af:$a3: get_timePasswordChanged 0xdcc3aa:$a4: get_passwordField 0xdcc4af:$a5: set_encryptedPassword 0xdce988:$a7: get_logins 0xdce8eb:$a10: KeyLoggerEventArgs 0xdce556:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: outbluffed.exe PID: 5416	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xdce556:$x5: KeyLoggerEventArgs 0xdce8eb:$x5: KeyLoggerEventArgs 0xdcf1f2:$x5: KeyLoggerEventArgs 0xdcf553:$x5: KeyLoggerEventArgs 0xdd0b16:$m2: Clipboard Logs ID 0xdd0c1c:$m2: Screenshot Logs ID 0xdd0c72:$m2: keystroke Logs ID 0xdd0da7:$m3: SnakePW 0xdd0c08:$m4: \SnakeKeylogger\
Process Memory Space: RegSvcs.exe PID: 3180	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 3180	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 3180	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x10d1c:$a1: get_encryptedPassword 0x10ffe:$a2: get_encryptedUsername 0x10b32:$a3: get_timePasswordChanged 0x10c2d:$a4: get_passwordField 0x10d32:$a5: set_encryptedPassword 0x1320b:$a7: get_logins 0x1316e:$a10: KeyLoggerEventArgs 0x12dd9:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 3180	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x12dd9:$x5: KeyLoggerEventArgs 0x1316e:$x5: KeyLoggerEventArgs 0x13a75:$x5: KeyLoggerEventArgs 0x13dd6:$x5: KeyLoggerEventArgs 0x15399:$m2: Clipboard Logs ID 0x1549f:$m2: Screenshot Logs ID 0x154f5:$m2: keystroke Logs ID 0x1562a:$m3: SnakePW 0x1548b:$m4: \SnakeKeylogger\
Process Memory Space: outbluffed.exe PID: 744	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: outbluffed.exe PID: 744	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: outbluffed.exe PID: 744	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x43ecdb:$a1: get_encryptedPassword 0x43efbd:$a2: get_encryptedUsername 0x43eaf1:$a3: get_timePasswordChanged 0x43ebec:$a4: get_passwordField 0x43ecf1:$a5: set_encryptedPassword 0x4411ca:$a7: get_logins 0x44112d:$a10: KeyLoggerEventArgs 0x440d98:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: outbluffed.exe PID: 744	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x440d98:$x5: KeyLoggerEventArgs 0x44112d:$x5: KeyLoggerEventArgs 0x441a34:$x5: KeyLoggerEventArgs 0x441d95:$x5: KeyLoggerEventArgs 0x443358:$m2: Clipboard Logs ID 0x44345e:$m2: Screenshot Logs ID 0x4434b4:$m2: keystroke Logs ID 0x4435e9:$m3: SnakePW 0x44344a:$m4: \SnakeKeylogger\
Process Memory Space: RegSvcs.exe PID: 1252	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Click to see the 28 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
13.2.outbluffed.exe.10c0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.outbluffed.exe.10c0000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
13.2.outbluffed.exe.10c0000.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
13.2.outbluffed.exe.10c0000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14bf7:$a1: get_encryptedPassword 0x14ee3:$a2: get_encryptedUsername 0x14a03:$a3: get_timePasswordChanged 0x14afe:$a4: get_passwordField 0x14c0d:$a5: set_encryptedPassword 0x162a2:$a7: get_logins 0x16205:$a10: KeyLoggerEventArgs 0x15e70:$a11: KeyLoggerEventArgsEventHandler
13.2.outbluffed.exe.10c0000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c9be:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1bbf0:$a3: \Google\Chrome\User Data\Default\Login Data 0x1c023:$a4: \Orbitum\User Data\Default\Login Data 0x1d062:$a5: \Kometa\User Data\Default\Login Data
13.2.outbluffed.exe.10c0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x157ea:$s1: UnHook 0x157f1:$s2: SetHook 0x157f9:$s3: CallNextHook 0x15806:$s4: _hook
13.2.outbluffed.exe.10c0000.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19c28:$x1: $%SMTPDV$ 0x1860c:$x2: $#TheHashHere%& 0x19bd0:$x3: %FTPDV$ 0x185ac:$x4: $%TelegramDv$ 0x15e70:$x5: KeyLoggerEventArgs 0x16205:$x5: KeyLoggerEventArgs 0x19bf4:$m2: Clipboard Logs ID 0x19e32:$m2: Screenshot Logs ID 0x19f42:$m2: keystroke Logs ID 0x1a21c:$m3: SnakePW 0x19e0a:$m4: \SnakeKeylogger\
8.2.outbluffed.exe.1490000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.outbluffed.exe.1490000.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
8.2.outbluffed.exe.1490000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12df7:$a1: get_encryptedPassword 0x130e3:$a2: get_encryptedUsername 0x12c03:$a3: get_timePasswordChanged 0x12cfe:$a4: get_passwordField 0x12e0d:$a5: set_encryptedPassword 0x144a2:$a7: get_logins 0x14405:$a10: KeyLoggerEventArgs 0x14070:$a11: KeyLoggerEventArgsEventHandler
8.2.outbluffed.exe.1490000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1abbe:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19df0:$a3: \Google\Chrome\User Data\Default\Login Data 0x1a223:$a4: \Orbitum\User Data\Default\Login Data 0x1b262:$a5: \Kometa\User Data\Default\Login Data
8.2.outbluffed.exe.1490000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x139ea:$s1: UnHook 0x139f1:$s2: SetHook 0x139f9:$s3: CallNextHook 0x13a06:$s4: _hook
8.2.outbluffed.exe.1490000.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17e28:$x1: $%SMTPDV$ 0x1680c:$x2: $#TheHashHere%& 0x17dd0:$x3: %FTPDV$ 0x167ac:$x4: $%TelegramDv$ 0x14070:$x5: KeyLoggerEventArgs 0x14405:$x5: KeyLoggerEventArgs 0x17df4:$m2: Clipboard Logs ID 0x18032:$m2: Screenshot Logs ID 0x18142:$m2: keystroke Logs ID 0x1841c:$m3: SnakePW 0x1800a:$m4: \SnakeKeylogger\
13.2.outbluffed.exe.10c0000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.outbluffed.exe.10c0000.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
13.2.outbluffed.exe.10c0000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12df7:$a1: get_encryptedPassword 0x130e3:$a2: get_encryptedUsername 0x12c03:$a3: get_timePasswordChanged 0x12cfe:$a4: get_passwordField 0x12e0d:$a5: set_encryptedPassword 0x144a2:$a7: get_logins 0x14405:$a10: KeyLoggerEventArgs 0x14070:$a11: KeyLoggerEventArgsEventHandler
13.2.outbluffed.exe.10c0000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1abbe:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19df0:$a3: \Google\Chrome\User Data\Default\Login Data 0x1a223:$a4: \Orbitum\User Data\Default\Login Data 0x1b262:$a5: \Kometa\User Data\Default\Login Data
13.2.outbluffed.exe.10c0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x139ea:$s1: UnHook 0x139f1:$s2: SetHook 0x139f9:$s3: CallNextHook 0x13a06:$s4: _hook
13.2.outbluffed.exe.10c0000.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17e28:$x1: $%SMTPDV$ 0x1680c:$x2: $#TheHashHere%& 0x17dd0:$x3: %FTPDV$ 0x167ac:$x4: $%TelegramDv$ 0x14070:$x5: KeyLoggerEventArgs 0x14405:$x5: KeyLoggerEventArgs 0x17df4:$m2: Clipboard Logs ID 0x18032:$m2: Screenshot Logs ID 0x18142:$m2: keystroke Logs ID 0x1841c:$m3: SnakePW 0x1800a:$m4: \SnakeKeylogger\
10.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
10.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
10.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14bf7:$a1: get_encryptedPassword 0x14ee3:$a2: get_encryptedUsername 0x14a03:$a3: get_timePasswordChanged 0x14afe:$a4: get_passwordField 0x14c0d:$a5: set_encryptedPassword 0x162a2:$a7: get_logins 0x16205:$a10: KeyLoggerEventArgs 0x15e70:$a11: KeyLoggerEventArgsEventHandler
10.2.RegSvcs.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c9be:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1bbf0:$a3: \Google\Chrome\User Data\Default\Login Data 0x1c023:$a4: \Orbitum\User Data\Default\Login Data 0x1d062:$a5: \Kometa\User Data\Default\Login Data
10.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x157ea:$s1: UnHook 0x157f1:$s2: SetHook 0x157f9:$s3: CallNextHook 0x15806:$s4: _hook
10.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19c28:$x1: $%SMTPDV$ 0x1860c:$x2: $#TheHashHere%& 0x19bd0:$x3: %FTPDV$ 0x185ac:$x4: $%TelegramDv$ 0x15e70:$x5: KeyLoggerEventArgs 0x16205:$x5: KeyLoggerEventArgs 0x19bf4:$m2: Clipboard Logs ID 0x19e32:$m2: Screenshot Logs ID 0x19f42:$m2: keystroke Logs ID 0x1a21c:$m3: SnakePW 0x19e0a:$m4: \SnakeKeylogger\
8.2.outbluffed.exe.1490000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.outbluffed.exe.1490000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
8.2.outbluffed.exe.1490000.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
8.2.outbluffed.exe.1490000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14bf7:$a1: get_encryptedPassword 0x14ee3:$a2: get_encryptedUsername 0x14a03:$a3: get_timePasswordChanged 0x14afe:$a4: get_passwordField 0x14c0d:$a5: set_encryptedPassword 0x162a2:$a7: get_logins 0x16205:$a10: KeyLoggerEventArgs 0x15e70:$a11: KeyLoggerEventArgsEventHandler
8.2.outbluffed.exe.1490000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c9be:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1bbf0:$a3: \Google\Chrome\User Data\Default\Login Data 0x1c023:$a4: \Orbitum\User Data\Default\Login Data 0x1d062:$a5: \Kometa\User Data\Default\Login Data
8.2.outbluffed.exe.1490000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x157ea:$s1: UnHook 0x157f1:$s2: SetHook 0x157f9:$s3: CallNextHook 0x15806:$s4: _hook
8.2.outbluffed.exe.1490000.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19c28:$x1: $%SMTPDV$ 0x1860c:$x2: $#TheHashHere%& 0x19bd0:$x3: %FTPDV$ 0x185ac:$x4: $%TelegramDv$ 0x15e70:$x5: KeyLoggerEventArgs 0x16205:$x5: KeyLoggerEventArgs 0x19bf4:$m2: Clipboard Logs ID 0x19e32:$m2: Screenshot Logs ID 0x19f42:$m2: keystroke Logs ID 0x1a21c:$m3: SnakePW 0x19e0a:$m4: \SnakeKeylogger\
Click to see the 28 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outbluffed.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outbluffed.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outbluffed.vbs" , ProcessId: 6240, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outbluffed.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outbluffed.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outbluffed.vbs" , ProcessId: 6240, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe, ProcessId: 5416, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outbluffed.vbs

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T21:11:18.890997+0100	2803305	3	Unknown Traffic	192.168.2.7	49712	104.21.48.1	443	TCP
2025-01-10T21:11:22.248000+0100	2803305	3	Unknown Traffic	192.168.2.7	49738	104.21.48.1	443	TCP
2025-01-10T21:11:31.583966+0100	2803305	3	Unknown Traffic	192.168.2.7	49798	104.21.48.1	443	TCP
2025-01-10T21:11:33.646398+0100	2803305	3	Unknown Traffic	192.168.2.7	49816	104.21.48.1	443	TCP
2025-01-10T21:11:34.643088+0100	2803305	3	Unknown Traffic	192.168.2.7	49822	104.21.48.1	443	TCP
2025-01-10T21:11:42.675518+0100	2803305	3	Unknown Traffic	192.168.2.7	49875	104.21.48.1	443	TCP
2025-01-10T21:11:46.306419+0100	2803305	3	Unknown Traffic	192.168.2.7	49904	104.21.48.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T21:11:15.328067+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49699	193.122.6.168	80	TCP
2025-01-10T21:11:18.140582+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49699	193.122.6.168	80	TCP
2025-01-10T21:11:21.640551+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49718	193.122.6.168	80	TCP
2025-01-10T21:11:31.390606+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49789	193.122.6.168	80	TCP
2025-01-10T21:11:34.057919+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49789	193.122.6.168	80	TCP
2025-01-10T21:11:37.140595+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49827	193.122.6.168	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0000000D.00000002.1476335401.00000000010C0000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7838541807:AAEJadvLoc1DBjJfseqmrMSpZAXwRkaHwwk/sendMessage?chat_id=7488699642", "Token": "7838541807:AAEJadvLoc1DBjJfseqmrMSpZAXwRkaHwwk", "Chat_id": "7488699642", "Version": "5.1"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe

ReversingLabs: Detection: 73%

Multi AV Scanner detection for submitted file

Source: hZbkP3TJBJ.exe	Virustotal: Detection: 70%			Perma Link
Source: hZbkP3TJBJ.exe	ReversingLabs: Detection: 73%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: hZbkP3TJBJ.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: hZbkP3TJBJ.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.7:49700 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.7:49804 version: TLS 1.0

Source:	Binary string: wntdll.pdbUGP source: outbluffed.exe, 00000008.00000003.1318487579.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, outbluffed.exe, 00000008.00000003.1318273400.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, outbluffed.exe, 0000000D.00000003.1475246351.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, outbluffed.exe, 0000000D.00000003.1473679606.0000000003860000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: outbluffed.exe, 00000008.00000003.1318487579.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, outbluffed.exe, 00000008.00000003.1318273400.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, outbluffed.exe, 0000000D.00000003.1475246351.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, outbluffed.exe, 0000000D.00000003.1473679606.0000000003860000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A6445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00A6445A
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A6C6D1 FindFirstFileW,FindClose,	0_2_00A6C6D1
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A6C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00A6C75C
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A6EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00A6EF95
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A6F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00A6F0F2
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A6F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00A6F3F3
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00A637EF
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A63B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00A63B12
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A6BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00A6BCBC
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_0061445A GetFileAttributesW,FindFirstFileW,FindClose,	8_2_0061445A
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_0061C6D1 FindFirstFileW,FindClose,	8_2_0061C6D1
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_0061C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	8_2_0061C75C
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_0061EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	8_2_0061EF95
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_0061F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	8_2_0061F0F2
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_0061F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	8_2_0061F3F3
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_006137EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	8_2_006137EF
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_00613B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	8_2_00613B12
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_0061BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	8_2_0061BCBC

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 13.2.outbluffed.exe.10c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.outbluffed.exe.1490000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.1476335401.00000000010C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1321912320.0000000001490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49718 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49789 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49827 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49699 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49738 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49798 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49904 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49712 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49816 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49822 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49875 -> 104.21.48.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.7:49700 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.7:49804 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe

Code function: 0_2_00A722EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00A722EE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RegSvcs.exe, 0000000A.00000002.1521902845.0000000002DB8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002EA2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002E59000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002E4B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002E74000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.000000000346F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003418000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.000000000347D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003384000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003433000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003425000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003441000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 0000000A.00000002.1521902845.0000000002DFB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002DB8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002EA2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002E59000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002DAC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002E4B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002E82000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002E74000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.000000000346F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003418000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.000000000344F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.00000000033C3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003372000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.000000000347D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003384000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003433000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003425000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003441000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 0000000A.00000002.1521902845.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: outbluffed.exe, 00000008.00000002.1321912320.0000000001490000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1520335017.0000000000402000.00000040.80000000.00040000.00000000.sdmp, outbluffed.exe, 0000000D.00000002.1476335401.00000000010C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 0000000A.00000002.1521902845.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002EA2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002E59000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002E4B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002DD0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002E74000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.000000000346F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003418000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.000000000339D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.000000000347D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003433000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003425000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003441000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 0000000A.00000002.1521902845.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 0000000A.00000002.1521902845.0000000002DB8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002EA2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002E59000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002E4B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002E74000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.000000000346F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003418000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.00000000033C3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.000000000347D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003384000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003433000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003425000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003441000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: outbluffed.exe, 00000008.00000002.1321912320.0000000001490000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002DB8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1520335017.0000000000402000.00000040.80000000.00040000.00000000.sdmp, outbluffed.exe, 0000000D.00000002.1476335401.00000000010C0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003384000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 0000000E.00000002.1663779981.0000000003441000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: RegSvcs.exe, 0000000A.00000002.1521902845.0000000002DFB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002EA2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002E59000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002E4B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002E74000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.000000000346F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003418000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.00000000033C3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.000000000347D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003433000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003425000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003441000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 49916 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49916
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49904
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe

Code function: 0_2_00A74164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00A74164

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A74164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		0_2_00A74164
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_00624164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		8_2_00624164

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe

Code function: 0_2_00A73F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00A73F66

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe

Code function: 0_2_00A6001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00A6001C

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A8CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		0_2_00A8CABC
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_0063CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		8_2_0063CABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 13.2.outbluffed.exe.10c0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.2.outbluffed.exe.10c0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 13.2.outbluffed.exe.10c0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 13.2.outbluffed.exe.10c0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 8.2.outbluffed.exe.1490000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.outbluffed.exe.1490000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.outbluffed.exe.1490000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 8.2.outbluffed.exe.1490000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 13.2.outbluffed.exe.10c0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.2.outbluffed.exe.10c0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 13.2.outbluffed.exe.10c0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 13.2.outbluffed.exe.10c0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 8.2.outbluffed.exe.1490000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.outbluffed.exe.1490000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.outbluffed.exe.1490000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 8.2.outbluffed.exe.1490000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000D.00000002.1476335401.00000000010C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000D.00000002.1476335401.00000000010C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000D.00000002.1476335401.00000000010C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000D.00000002.1476335401.00000000010C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000A.00000002.1520335017.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000A.00000002.1520335017.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000008.00000002.1321912320.0000000001490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000008.00000002.1321912320.0000000001490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000008.00000002.1321912320.0000000001490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000008.00000002.1321912320.0000000001490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: outbluffed.exe PID: 5416, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: outbluffed.exe PID: 5416, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 3180, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 3180, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: outbluffed.exe PID: 744, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: outbluffed.exe PID: 744, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00A03B3A
Source: hZbkP3TJBJ.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: hZbkP3TJBJ.exe, 00000000.00000000.1247081982.0000000000AB4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_748ebc99-6
Source: hZbkP3TJBJ.exe, 00000000.00000000.1247081982.0000000000AB4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_9fd084ac-e
Source: hZbkP3TJBJ.exe, 00000000.00000003.1283665042.0000000003503000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_f4b84e75-e
Source: hZbkP3TJBJ.exe, 00000000.00000003.1283665042.0000000003503000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_f33e9e2a-6
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: This is a third-party compiled AutoIt script.	8_2_005B3B3A
Source: outbluffed.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: outbluffed.exe, 00000008.00000002.1321484438.0000000000664000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_78233a1f-d
Source: outbluffed.exe, 00000008.00000002.1321484438.0000000000664000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_972baae6-d
Source: outbluffed.exe, 0000000D.00000002.1475906426.0000000000664000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_cb93687c-7
Source: outbluffed.exe, 0000000D.00000002.1475906426.0000000000664000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_14981077-2
Source: hZbkP3TJBJ.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_916fb979-3
Source: hZbkP3TJBJ.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_553393b2-9
Source: outbluffed.exe.0.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_fdcf5657-9
Source: outbluffed.exe.0.dr	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_e747c7f0-3

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe

Code function: 0_2_00A6A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00A6A1EF

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe

Code function: 0_2_00A58310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00A58310

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A651BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		0_2_00A651BD
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_006151BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		8_2_006151BD

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A0E6A0	0_2_00A0E6A0
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A2D975	0_2_00A2D975
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A0FCE0	0_2_00A0FCE0
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A221C5	0_2_00A221C5
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A362D2	0_2_00A362D2
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A803DA	0_2_00A803DA
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A3242E	0_2_00A3242E
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A225FA	0_2_00A225FA
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A166E1	0_2_00A166E1
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A5E616	0_2_00A5E616
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A3878F	0_2_00A3878F
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A68889	0_2_00A68889
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A18808	0_2_00A18808
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A36844	0_2_00A36844
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A80857	0_2_00A80857
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A2CB21	0_2_00A2CB21
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A36DB6	0_2_00A36DB6
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A16F9E	0_2_00A16F9E
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A13030	0_2_00A13030
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A23187	0_2_00A23187
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A2F1D9	0_2_00A2F1D9
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A01287	0_2_00A01287
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A21484	0_2_00A21484
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A15520	0_2_00A15520
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A27696	0_2_00A27696
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A15760	0_2_00A15760
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A21978	0_2_00A21978
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A39AB5	0_2_00A39AB5
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A2BDA6	0_2_00A2BDA6
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A21D90	0_2_00A21D90
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A87DDB	0_2_00A87DDB
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A13FE0	0_2_00A13FE0
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A0DF00	0_2_00A0DF00
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00D876B0	0_2_00D876B0
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_005BE6A0	8_2_005BE6A0
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_005DD975	8_2_005DD975
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_005BFCE0	8_2_005BFCE0
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_005D21C5	8_2_005D21C5
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_005E62D2	8_2_005E62D2
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_006303DA	8_2_006303DA
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_005E242E	8_2_005E242E
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_005D25FA	8_2_005D25FA
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_0060E616	8_2_0060E616
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_005C66E1	8_2_005C66E1
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_005E878F	8_2_005E878F
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_005E6844	8_2_005E6844
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_00630857	8_2_00630857
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_005C8808	8_2_005C8808
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_00618889	8_2_00618889
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_005DCB21	8_2_005DCB21
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_005E6DB6	8_2_005E6DB6
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_005C6F9E	8_2_005C6F9E
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_005C3030	8_2_005C3030
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_005DF1D9	8_2_005DF1D9
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_005D3187	8_2_005D3187
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_005B1287	8_2_005B1287
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_005D1484	8_2_005D1484
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_005C5520	8_2_005C5520
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_005D7696	8_2_005D7696
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_005C5760	8_2_005C5760
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_005D1978	8_2_005D1978
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_005E9AB5	8_2_005E9AB5
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_00637DDB	8_2_00637DDB
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_005D1D90	8_2_005D1D90
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_005DBDA6	8_2_005DBDA6
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_005BDF00	8_2_005BDF00
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_005C3FE0	8_2_005C3FE0
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_01713D78	8_2_01713D78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_02B3B328	10_2_02B3B328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_02B3C190	10_2_02B3C190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_02B36108	10_2_02B36108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_02B3C753	10_2_02B3C753
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_02B3C470	10_2_02B3C470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_02B34AD9	10_2_02B34AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_02B3CA33	10_2_02B3CA33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_02B3BBD3	10_2_02B3BBD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_02B36880	10_2_02B36880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_02B39858	10_2_02B39858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_02B3BEB0	10_2_02B3BEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_02B3B4F3	10_2_02B3B4F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_02B33573	10_2_02B33573
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 13_2_013652D8	13_2_013652D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_030CB328	14_2_030CB328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_030C6108	14_2_030C6108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_030CC190	14_2_030CC190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_030C6730	14_2_030C6730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_030CC752	14_2_030CC752
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_030CC470	14_2_030CC470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_030CBBD2	14_2_030CBBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_030CCA32	14_2_030CCA32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_030C4AD9	14_2_030C4AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_030C9858	14_2_030C9858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_030CBEB0	14_2_030CBEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_030C3572	14_2_030C3572
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_030CB4F2	14_2_030CB4F2

Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: String function: 005D0AE3 appears 70 times
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: String function: 005D8900 appears 42 times
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: String function: 005B7DE1 appears 36 times
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: String function: 00A28900 appears 42 times
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: String function: 00A07DE1 appears 35 times
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: String function: 00A20AE3 appears 70 times

Source: hZbkP3TJBJ.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 13.2.outbluffed.exe.10c0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.2.outbluffed.exe.10c0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.outbluffed.exe.10c0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 13.2.outbluffed.exe.10c0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 8.2.outbluffed.exe.1490000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.outbluffed.exe.1490000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.outbluffed.exe.1490000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 8.2.outbluffed.exe.1490000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 13.2.outbluffed.exe.10c0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.2.outbluffed.exe.10c0000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.outbluffed.exe.10c0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 13.2.outbluffed.exe.10c0000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 8.2.outbluffed.exe.1490000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.outbluffed.exe.1490000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.outbluffed.exe.1490000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 8.2.outbluffed.exe.1490000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000D.00000002.1476335401.00000000010C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000D.00000002.1476335401.00000000010C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.1476335401.00000000010C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000D.00000002.1476335401.00000000010C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000A.00000002.1520335017.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000A.00000002.1520335017.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000008.00000002.1321912320.0000000001490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000008.00000002.1321912320.0000000001490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000008.00000002.1321912320.0000000001490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000008.00000002.1321912320.0000000001490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: outbluffed.exe PID: 5416, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: outbluffed.exe PID: 5416, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RegSvcs.exe PID: 3180, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 3180, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: outbluffed.exe PID: 744, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: outbluffed.exe PID: 744, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: classification engine

Classification label: mal100.troj.expl.evad.winEXE@20/7@2/2

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe

Code function: 0_2_00A6A06A GetLastError,FormatMessageW,

0_2_00A6A06A

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A581CB AdjustTokenPrivileges,CloseHandle,	0_2_00A581CB
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A587E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_00A587E1
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_006081CB AdjustTokenPrivileges,CloseHandle,	8_2_006081CB
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_006087E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	8_2_006087E1

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe

Code function: 0_2_00A6B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00A6B3FB

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe

Code function: 0_2_00A7EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00A7EE0D

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe

Code function: 0_2_00A783BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00A783BB

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe

Code function: 0_2_00A04E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00A04E89

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe

File created: C:\Users\user\AppData\Local\maneuverability

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2840:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3256:120:WilError_03

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe

File created: C:\Users\user~1\AppData\Local\Temp\aut905D.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outbluffed.vbs"

Source: hZbkP3TJBJ.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: hZbkP3TJBJ.exe	Virustotal: Detection: 70%
Source: hZbkP3TJBJ.exe	ReversingLabs: Detection: 73%

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe

File read: C:\Users\user\Desktop\hZbkP3TJBJ.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\hZbkP3TJBJ.exe "C:\Users\user\Desktop\hZbkP3TJBJ.exe"
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Process created: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe "C:\Users\user\Desktop\hZbkP3TJBJ.exe"
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\hZbkP3TJBJ.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outbluffed.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe "C:\Users\user\AppData\Local\maneuverability\outbluffed.exe"
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\maneuverability\outbluffed.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Process created: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe "C:\Users\user\Desktop\hZbkP3TJBJ.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\hZbkP3TJBJ.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe "C:\Users\user\AppData\Local\maneuverability\outbluffed.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\maneuverability\outbluffed.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: hZbkP3TJBJ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: hZbkP3TJBJ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: hZbkP3TJBJ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: hZbkP3TJBJ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: hZbkP3TJBJ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: hZbkP3TJBJ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: hZbkP3TJBJ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: outbluffed.exe, 00000008.00000003.1318487579.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, outbluffed.exe, 00000008.00000003.1318273400.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, outbluffed.exe, 0000000D.00000003.1475246351.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, outbluffed.exe, 0000000D.00000003.1473679606.0000000003860000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: outbluffed.exe, 00000008.00000003.1318487579.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, outbluffed.exe, 00000008.00000003.1318273400.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, outbluffed.exe, 0000000D.00000003.1475246351.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, outbluffed.exe, 0000000D.00000003.1473679606.0000000003860000.00000004.00001000.00020000.00000000.sdmp

Source: hZbkP3TJBJ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: hZbkP3TJBJ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: hZbkP3TJBJ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: hZbkP3TJBJ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: hZbkP3TJBJ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe

Code function: 0_2_00A04B37 LoadLibraryA,GetProcAddress,

0_2_00A04B37

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A28945 push ecx; ret	0_2_00A28958
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_005BC4C6 push A3005BBAh; retn 005Bh	8_2_005BC50D
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_005D8945 push ecx; ret	8_2_005D8958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_02B324B9 push 8BFFFFFFh; retf	10_2_02B324BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_030C24B9 push 8BFFFFFFh; retf	14_2_030C24BF

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe

File created: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outbluffed.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outbluffed.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outbluffed.vbs

Jump to behavior

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_00A048D7
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A85376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_00A85376
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_005B48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	8_2_005B48D7
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_00635376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	8_2_00635376

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe

Code function: 0_2_00A23187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00A23187

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	API/Special instruction interceptor: Address: 171399C
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	API/Special instruction interceptor: Address: 1364EFC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599889	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599736	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599595	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599342	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597686	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597007	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596901	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596753	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596311	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595966	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595843	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595296	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594966	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594171	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599782	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597889	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597760	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597655	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595221	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594939	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593985	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1518	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 8327	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2252	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7572	Jump to behavior

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes			graph_0-105584
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	API coverage: 4.5 %
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	API coverage: 4.8 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A6445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00A6445A
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A6C6D1 FindFirstFileW,FindClose,	0_2_00A6C6D1
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A6C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00A6C75C
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A6EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00A6EF95
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A6F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00A6F0F2
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A6F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00A6F3F3
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00A637EF
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A63B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00A63B12
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A6BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00A6BCBC
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_0061445A GetFileAttributesW,FindFirstFileW,FindClose,	8_2_0061445A
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_0061C6D1 FindFirstFileW,FindClose,	8_2_0061C6D1
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_0061C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	8_2_0061C75C
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_0061EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	8_2_0061EF95
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_0061F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	8_2_0061F0F2
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_0061F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	8_2_0061F3F3
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_006137EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	8_2_006137EF
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_00613B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	8_2_00613B12
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_0061BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	8_2_0061BCBC

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe

Code function: 0_2_00A049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00A049A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599889	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599736	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599595	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599342	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597686	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597007	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596901	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596753	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596311	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595966	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595843	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595296	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594966	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594171	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599782	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597889	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597760	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597655	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595221	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594939	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593985	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\

Source: outbluffed.exe, 0000000D.00000002.1476335401.00000000010C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Vmwaretrat
Source: outbluffed.exe, 0000000D.00000002.1476335401.00000000010C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vboxservice
Source: outbluffed.exe, 0000000D.00000002.1476335401.00000000010C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vboxtrayOC:\windows\System32\Drivers\Vmmouse.sysMC:\windows\System32\Drivers\vm3dgl.dllMC:\windows\System32\Drivers\vmtray.dllWC:\windows\System32\Drivers\VMToolsHook.dllUC:\windows\System32\Drivers\vmmousever.dllSC:\windows\System32\Drivers\VBoxMouse.sysSC:\windows\System32\Drivers\VBoxGuest.sysMC:\windows\System32\Drivers\VBoxSF.sysSC:\windows\System32\Drivers\VBoxVideo.sysGC:\windows\System32\vboxservice.exe
Source: wscript.exe, 0000000C.00000002.1436286473.00000194E7485000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: outbluffed.exe, 0000000D.00000002.1476335401.00000000010C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Vmtoolsd
Source: outbluffed.exe, 0000000D.00000002.1476335401.00000000010C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Vmwareuser
Source: RegSvcs.exe, 0000000A.00000002.1520615196.0000000000F68000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1661684495.00000000014A9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	API call chain: ExitProcess graph end node	graph_0-104265
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe

Code function: 0_2_00A73F09 BlockInput,

0_2_00A73F09

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe

Code function: 0_2_00A03B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00A03B3A

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe

Code function: 0_2_00A35A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00A35A7C

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe

Code function: 0_2_00A04B37 LoadLibraryA,GetProcAddress,

0_2_00A04B37

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00D875A0 mov eax, dword ptr fs:[00000030h]	0_2_00D875A0
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00D87540 mov eax, dword ptr fs:[00000030h]	0_2_00D87540
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00D85EF0 mov eax, dword ptr fs:[00000030h]	0_2_00D85EF0
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_017125B8 mov eax, dword ptr fs:[00000030h]	8_2_017125B8
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_01713C68 mov eax, dword ptr fs:[00000030h]	8_2_01713C68
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_01713C08 mov eax, dword ptr fs:[00000030h]	8_2_01713C08
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 13_2_01363B18 mov eax, dword ptr fs:[00000030h]	13_2_01363B18
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 13_2_01365168 mov eax, dword ptr fs:[00000030h]	13_2_01365168
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 13_2_013651C8 mov eax, dword ptr fs:[00000030h]	13_2_013651C8

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe

Code function: 0_2_00A580A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_00A580A9

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A2A124 SetUnhandledExceptionFilter,	0_2_00A2A124
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A2A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00A2A155
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_005DA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_005DA155
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_005DA124 SetUnhandledExceptionFilter,	8_2_005DA124

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: B82008			Jump to behavior
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1170008			Jump to behavior

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe

Code function: 0_2_00A587B1 LogonUserW,

0_2_00A587B1

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe

Code function: 0_2_00A03B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00A03B3A

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe

Code function: 0_2_00A048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00A048D7

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe

Code function: 0_2_00A64C27 mouse_event,

0_2_00A64C27

Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\hZbkP3TJBJ.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe "C:\Users\user\AppData\Local\maneuverability\outbluffed.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\maneuverability\outbluffed.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe

Code function: 0_2_00A57CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00A57CAF

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe

Code function: 0_2_00A5874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00A5874B

Source: hZbkP3TJBJ.exe, outbluffed.exe.0.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: hZbkP3TJBJ.exe, outbluffed.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe

Code function: 0_2_00A2862B cpuid

0_2_00A2862B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe

Code function: 0_2_00A34E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00A34E87

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe

Code function: 0_2_00A41E06 GetUserNameW,

0_2_00A41E06

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe

Code function: 0_2_00A33F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00A33F3A

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe

Code function: 0_2_00A049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00A049A0

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 13.2.outbluffed.exe.10c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.outbluffed.exe.1490000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.outbluffed.exe.10c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.outbluffed.exe.1490000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.1476335401.00000000010C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1520335017.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1321912320.0000000001490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1521902845.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1663779981.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: outbluffed.exe PID: 5416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: outbluffed.exe PID: 744, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1252, type: MEMORYSTR

Source: outbluffed.exe	Binary or memory string: WIN_81
Source: outbluffed.exe	Binary or memory string: WIN_XP
Source: outbluffed.exe	Binary or memory string: WIN_XPe
Source: outbluffed.exe	Binary or memory string: WIN_VISTA
Source: outbluffed.exe	Binary or memory string: WIN_7
Source: outbluffed.exe	Binary or memory string: WIN_8
Source: outbluffed.exe.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 13.2.outbluffed.exe.10c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.outbluffed.exe.1490000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.outbluffed.exe.10c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.outbluffed.exe.1490000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.1476335401.00000000010C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1520335017.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1321912320.0000000001490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: outbluffed.exe PID: 5416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: outbluffed.exe PID: 744, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 13.2.outbluffed.exe.10c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.outbluffed.exe.1490000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.outbluffed.exe.10c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.outbluffed.exe.1490000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.1476335401.00000000010C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1520335017.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1321912320.0000000001490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1521902845.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1663779981.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: outbluffed.exe PID: 5416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: outbluffed.exe PID: 744, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1252, type: MEMORYSTR

Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A76283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	0_2_00A76283
Source: C:\Users\user\Desktop\hZbkP3TJBJ.exe	Code function: 0_2_00A76747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00A76747
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_00626283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	8_2_00626283
Source: C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	Code function: 8_2_00626747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	8_2_00626747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	2 Native API	111 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	126 System Information Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 Masquerading	LSA Secrets	231 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
hZbkP3TJBJ.exe	71%	Virustotal		Browse
hZbkP3TJBJ.exe	74%	ReversingLabs	Win32.Trojan.AutoitInject
hZbkP3TJBJ.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\maneuverability\outbluffed.exe	74%	ReversingLabs	Win32.Trojan.AutoitInject

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.48.1	true	false	high
checkip.dyndns.com	193.122.6.168	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://reallyfreegeoip.org	RegSvcs.exe, 0000000A.00000002.1521902845.0000000002DB8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002EA2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002E59000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002E4B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002E74000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.000000000346F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003418000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.00000000033C3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.000000000347D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003384000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003433000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003425000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003441000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	RegSvcs.exe, 0000000A.00000002.1521902845.0000000002DFB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002DB8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002EA2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002E59000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002DAC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002E4B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002E82000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002E74000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.000000000346F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003418000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.000000000344F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.00000000033C3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003372000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.000000000347D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003384000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003433000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003425000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003441000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	RegSvcs.exe, 0000000A.00000002.1521902845.0000000002DB8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002EA2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002E59000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002E4B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002E74000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.000000000346F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003418000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.000000000347D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003384000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003433000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003425000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003441000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 0000000A.00000002.1521902845.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	outbluffed.exe, 00000008.00000002.1321912320.0000000001490000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1520335017.0000000000402000.00000040.80000000.00040000.00000000.sdmp, outbluffed.exe, 0000000D.00000002.1476335401.00000000010C0000.00000004.00001000.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189$	RegSvcs.exe, 0000000A.00000002.1521902845.0000000002DFB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002EA2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002E59000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002E4B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002E74000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.000000000346F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003418000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.00000000033C3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.000000000347D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003433000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003425000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003441000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	RegSvcs.exe, 0000000A.00000002.1521902845.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002EA2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002E59000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002E4B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002DD0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002E74000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.000000000346F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003418000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.000000000339D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.000000000347D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003433000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003425000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003441000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	outbluffed.exe, 00000008.00000002.1321912320.0000000001490000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1521902845.0000000002DB8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1520335017.0000000000402000.00000040.80000000.00040000.00000000.sdmp, outbluffed.exe, 0000000D.00000002.1476335401.00000000010C0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1663779981.0000000003384000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.48.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false
193.122.6.168	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588083
Start date and time:	2025-01-10 21:10:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	hZbkP3TJBJ.exe renamed because original name is a hash value
Original Sample Name:	0eb8abfd2709e701ef3a5263c404a107e328537af080cd9e976fa199eb5d8894.exe
Detection:	MAL
Classification:	mal100.troj.expl.evad.winEXE@20/7@2/2
EGA Information:	Successful, ratio: 60%
HCA Information:	Successful, ratio: 100% Number of executed functions: 57 Number of non-executed functions: 279
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.245.163.56
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RegSvcs.exe, PID 1252 because it is empty
Execution Graph export aborted for target RegSvcs.exe, PID 3180 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:11:17	API Interceptor	246x Sleep call for process: RegSvcs.exe modified
21:11:15	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outbluffed.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.48.1	NWPZbNcRxL.exe	Get hash	malicious	FormBook	Browse	www.axis138ae.shop/j2vs/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	twirpx.org/administrator/index.php
	SN500, SN150 Spec.exe	Get hash	malicious	FormBook	Browse	www.antipromil.site/7ykh/
193.122.6.168	9L83v5j083.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	FILHKLtCw0.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	m0CZ8H4jfl.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	FPACcnxAUT.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	fGu8xWoMrg.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	RubzLi27lr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	YJwE2gTm02.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	AHSlIDftf1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	SBkuP3ACSA.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	ql8KpEHT7y.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	19d6P55zd1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	9L83v5j083.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	y1jQC8Y6bP.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	FILHKLtCw0.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	ppISxhDcpF.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	CvzLvta2bG.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.8.169
	m0CZ8H4jfl.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	FPACcnxAUT.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	jxy62Zm6c4.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	fGu8xWoMrg.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
reallyfreegeoip.org	19d6P55zd1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	9L83v5j083.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	y1jQC8Y6bP.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	FILHKLtCw0.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.64.1
	ppISxhDcpF.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.96.1
	CvzLvta2bG.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.32.1
	m0CZ8H4jfl.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.96.1
	FPACcnxAUT.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	jxy62Zm6c4.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	fGu8xWoMrg.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.96.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	9L83v5j083.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	y1jQC8Y6bP.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	FILHKLtCw0.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	m0CZ8H4jfl.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	FPACcnxAUT.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	jxy62Zm6c4.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	fGu8xWoMrg.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	RubzLi27lr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	YJwE2gTm02.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	AHSlIDftf1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
CLOUDFLARENETUS	348426869538810128.js	Get hash	malicious	Strela Downloader	Browse	162.159.61.3
	statement.doc	Get hash	malicious	KnowBe4	Browse	104.17.245.203
	http://url4619.blast.fresha.com/ls/click?upn=u001.G0bnNiVD8tDhPRdNyxjhDe6AC2ZUylxwA-2FPGy7qPBOFCUALhhiYANslkdkKDsOuTa2ZqT7n3N6bFcUrsV3ma3w-3D-3DiLPp_ykKDCurTiMzdScmvRsWtgHw-2Bx-2FsD8gtjZ2QYvaL9rQITVCU8DqQaupyP3UmfqTkykrcOULUqJB8vo6EwGC-2FXTrZZmpb9VysDXh-2Bs9eImE1UjAPhR388ASwoK2AP8BEYSRfU-2BeoIKBzUjhDstghksAsPKSpvEGafa0WwVUEqkryumMEQR7LzeuVihS6omMjDxWLWVMpRaOOynXHENqj69QJe59g4iFPytRm60mTk5xjXMgeEaRzFxoPJ4ml3mi0VzHAqUdjS3jfMBnOzPxHyb77YZzptZnuj5FOqVfelcRKxyeSqvYRwMU4ICLhbfcggUpY9RSJQ7f8uHQHGk5X2Upw-3D-3D	Get hash	malicious	Unknown	Browse	104.17.245.203
	https://glfbanks.com/	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	https://patiooutletmaipu.cl/tiendas/head/	Get hash	malicious	LummaC, CAPTCHA Scam ClickFix, LummaC Stealer	Browse	188.114.96.3
	9MZZG92yMO.exe	Get hash	malicious	FormBook	Browse	104.21.112.1
	Bontrageroutdoors_Project_Update_202557516.pdf	Get hash	malicious	Unknown	Browse	104.17.25.14
	19d6P55zd1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	9L83v5j083.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	y1jQC8Y6bP.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	19d6P55zd1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	9L83v5j083.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	y1jQC8Y6bP.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	FILHKLtCw0.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	ppISxhDcpF.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	CvzLvta2bG.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.48.1
	m0CZ8H4jfl.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	FPACcnxAUT.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	jxy62Zm6c4.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	fGu8xWoMrg.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.48.1

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1039
Entropy (8bit):	5.353332853270839
Encrypted:	false
SSDEEP:	24:ML9E4KiE4Ko84qXKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKiHKoviYHKh3oPtHo6hAHKzeR
MD5:	A4AF0F36EC4E0C69DC0F860C891E8BBE
SHA1:	28DD81A1EDDF71CBCBF86DA986E047279EF097CD
SHA-256:	B038D4342E4DD96217BD90CFE32581FCCB381C5C2E6FF257CD32854F840D1FDE
SHA-512:	A675D3E9DB5BDD325A22E82C6BCDBD5409D7A34453DAAEB0E37206BE982C388547E1BDF22DC70393C69D0CE55635E2364502572C3AD2E6753A56A5C3893F6D69
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e

C:\Users\user\AppData\Local\Temp\aut905D.tmp

Download File

Process:	C:\Users\user\Desktop\hZbkP3TJBJ.exe
File Type:	data
Category:	dropped
Size (bytes):	104710
Entropy (8bit):	7.943913393156172
Encrypted:	false
SSDEEP:	3072:QrepGM6sjVCUiHQ1W5+9jzBDvijvo2P6fBmEaZPYmBDqdbTJ/AXm:Qnps5/65+9jtijv3oozNYmhqd31em
MD5:	22A3C9BC11EE2F112A3BA722CF360880
SHA1:	18F9583FED117ABA016ACBF0CD863613605FF71E
SHA-256:	C41C7066BB389076E4AD691BBA0B22210F188B53D02D1623B85216D289ABB2D9
SHA-512:	EFB5F84582F3C7EE85D9D0CBCAC4E5F832623DF3625DF3B1C9FD5C69FAD3A91D2B006A637A5E865D815888FA7C218129D20C2A744BFB10166E23D6BFA668347F
Malicious:	false
Preview:	EA06.....[8.I...9..(.Nw>.5..5:$.U.M..J.>mP.L..J...1.R&.P....q...+RomZ....m8.[.r.V%.ku..+.Oj..FM:..%.i.R!:.V.R.....[.uy...;.......i.[.n.S..z.0.\|.:.-VeV.Q...."k!.t.n.4.Q.`..R`.tE..k...7....9..Wji;..(...Pb\|....N.J..Z..eW.t../.it...:bTZ.....D.j../..E..(.:8..g1.D...u...(.....}f.T........F.W.n.....&.P.`..:..t]i.i.X.t.M@.>......Mf..n.S...0z..Z..'.....6..W\|~:...v..+.)..<.U..m..aK..:.:$..w...A_...6T..w........).J..iO...j..tE@.....s.:...D..t....`.r~..H...P..W.W .......:.@.B]E...u..6.G"tz..r.I.s.D.j.~P(vJ.:y..T..).BeG.nj..5B...Mg.."ri4....%Z.6.G..z...^.U%U...kP..7RZ.V.-.X.t...i2.."w...U$.R&...F.S...J% .M..(...9..).I..?.~/5..."..[.3.5Bi6.U"wY5^.1.X.....D.P....ju@.t#.+m.C..#S...o..H...G8.U.k.Z.Q...tk.N._..k...]E..f.....M(..D.O[..&3.tw+Z..m..=V.6._.s....E.....e.7..Q.......".(..YT..e......"R.4.h.....i.....K.r...w..Q....{..'V...58.Uy...r....t.:4.aJ......Q..@+...6.T. L%..L.R&.....E.Se....Y.....?W.Qe5."c..Pj4zl....\&....P.\......p..g..=V...[. ....v.O{

C:\Users\user\AppData\Local\Temp\aut9EA6.tmp

Download File

Process:	C:\Users\user\AppData\Local\maneuverability\outbluffed.exe
File Type:	data
Category:	dropped
Size (bytes):	104710
Entropy (8bit):	7.943913393156172
Encrypted:	false
SSDEEP:	3072:QrepGM6sjVCUiHQ1W5+9jzBDvijvo2P6fBmEaZPYmBDqdbTJ/AXm:Qnps5/65+9jtijv3oozNYmhqd31em
MD5:	22A3C9BC11EE2F112A3BA722CF360880
SHA1:	18F9583FED117ABA016ACBF0CD863613605FF71E
SHA-256:	C41C7066BB389076E4AD691BBA0B22210F188B53D02D1623B85216D289ABB2D9
SHA-512:	EFB5F84582F3C7EE85D9D0CBCAC4E5F832623DF3625DF3B1C9FD5C69FAD3A91D2B006A637A5E865D815888FA7C218129D20C2A744BFB10166E23D6BFA668347F
Malicious:	false
Preview:	EA06.....[8.I...9..(.Nw>.5..5:$.U.M..J.>mP.L..J...1.R&.P....q...+RomZ....m8.[.r.V%.ku..+.Oj..FM:..%.i.R!:.V.R.....[.uy...;.......i.[.n.S..z.0.\|.:.-VeV.Q...."k!.t.n.4.Q.`..R`.tE..k...7....9..Wji;..(...Pb\|....N.J..Z..eW.t../.it...:bTZ.....D.j../..E..(.:8..g1.D...u...(.....}f.T........F.W.n.....&.P.`..:..t]i.i.X.t.M@.>......Mf..n.S...0z..Z..'.....6..W\|~:...v..+.)..<.U..m..aK..:.:$..w...A_...6T..w........).J..iO...j..tE@.....s.:...D..t....`.r~..H...P..W.W .......:.@.B]E...u..6.G"tz..r.I.s.D.j.~P(vJ.:y..T..).BeG.nj..5B...Mg.."ri4....%Z.6.G..z...^.U%U...kP..7RZ.V.-.X.t...i2.."w...U$.R&...F.S...J% .M..(...9..).I..?.~/5..."..[.3.5Bi6.U"wY5^.1.X.....D.P....ju@.t#.+m.C..#S...o..H...G8.U.k.Z.Q...tk.N._..k...]E..f.....M(..D.O[..&3.tw+Z..m..=V.6._.s....E.....e.7..Q.......".(..YT..e......"R.4.h.....i.....K.r...w..Q....{..'V...58.Uy...r....t.:4.aJ......Q..@+...6.T. L%..L.R&.....E.Se....Y.....?W.Qe5."c..Pj4zl....\&....P.\......p..g..=V...[. ....v.O{

C:\Users\user\AppData\Local\Temp\autD98C.tmp

Download File

Process:	C:\Users\user\AppData\Local\maneuverability\outbluffed.exe
File Type:	data
Category:	dropped
Size (bytes):	104710
Entropy (8bit):	7.943913393156172
Encrypted:	false
SSDEEP:	3072:QrepGM6sjVCUiHQ1W5+9jzBDvijvo2P6fBmEaZPYmBDqdbTJ/AXm:Qnps5/65+9jtijv3oozNYmhqd31em
MD5:	22A3C9BC11EE2F112A3BA722CF360880
SHA1:	18F9583FED117ABA016ACBF0CD863613605FF71E
SHA-256:	C41C7066BB389076E4AD691BBA0B22210F188B53D02D1623B85216D289ABB2D9
SHA-512:	EFB5F84582F3C7EE85D9D0CBCAC4E5F832623DF3625DF3B1C9FD5C69FAD3A91D2B006A637A5E865D815888FA7C218129D20C2A744BFB10166E23D6BFA668347F
Malicious:	false
Preview:	EA06.....[8.I...9..(.Nw>.5..5:$.U.M..J.>mP.L..J...1.R&.P....q...+RomZ....m8.[.r.V%.ku..+.Oj..FM:..%.i.R!:.V.R.....[.uy...;.......i.[.n.S..z.0.\|.:.-VeV.Q...."k!.t.n.4.Q.`..R`.tE..k...7....9..Wji;..(...Pb\|....N.J..Z..eW.t../.it...:bTZ.....D.j../..E..(.:8..g1.D...u...(.....}f.T........F.W.n.....&.P.`..:..t]i.i.X.t.M@.>......Mf..n.S...0z..Z..'.....6..W\|~:...v..+.)..<.U..m..aK..:.:$..w...A_...6T..w........).J..iO...j..tE@.....s.:...D..t....`.r~..H...P..W.W .......:.@.B]E...u..6.G"tz..r.I.s.D.j.~P(vJ.:y..T..).BeG.nj..5B...Mg.."ri4....%Z.6.G..z...^.U%U...kP..7RZ.V.-.X.t...i2.."w...U$.R&...F.S...J% .M..(...9..).I..?.~/5..."..[.3.5Bi6.U"wY5^.1.X.....D.P....ju@.t#.+m.C..#S...o..H...G8.U.k.Z.Q...tk.N._..k...]E..f.....M(..D.O[..&3.tw+Z..m..=V.6._.s....E.....e.7..Q.......".(..YT..e......"R.4.h.....i.....K.r...w..Q....{..'V...58.Uy...r....t.:4.aJ......Q..@+...6.T. L%..L.R&.....E.Se....Y.....?W.Qe5."c..Pj4zl....\&....P.\......p..g..=V...[. ....v.O{

C:\Users\user\AppData\Local\Temp\peaks

Download File

Process:	C:\Users\user\Desktop\hZbkP3TJBJ.exe
File Type:	data
Category:	modified
Size (bytes):	135168
Entropy (8bit):	7.063912519930493
Encrypted:	false
SSDEEP:	3072:7HxgjyeYoVEwg2buXM80Zi1LLayVj8MPXuBgE9qpLnA8:dc3YyeM80Zi1LOytPXuBn8
MD5:	D56BFDC723CFB738E1168C3AD4E83EB9
SHA1:	1565C3500B4B38585D5ED76286F7A595D1326C54
SHA-256:	86CC767B123AC8B61E7D8AEAD6F2C2604F85E54B7CBEC841FED3F3080CD32EA3
SHA-512:	332DE2A6D0C8427E19BB238D84D1B5A46D8D296539305CC5599BAA1323E9D5FD31355AC41D023058C1F56B84691090277636A6E0E7FE919BFB07D773F83726D2
Malicious:	false
Preview:	.l.41GT9SXFT..H5.ZASD0GU.68DSO6P42GT9WXFT10H55ZASD0GUN68DSO6.42GZ&.VF.8.i.4..r.X.&nFJ+4=W=.Q&:W8,f6T.:@[z(=dt..n[W 6a;]>.GT9WXFTauH5y[BS...3N68DSO6P.2EU2V.FT.1H5!ZASD0G.V48DsO6P.0GT9.XFt10H75ZESD0GUN6<DSO6P42G4;WXDT10H55XA..0GEN6(DSO6@42WT9WXFT!0H55ZASD0GU6.:D.O6P4.ET.GXFT10H55ZASD0GUN68D.M6\42GT9WXFT10H55ZASD0GUN68DSO6P42GT9WXFT10H55ZASD0GUN6.DSG6P42GT9WXFT9.H5}ZASD0GUN68D};S(@2GT.YFT.0H5.[ASF0GUN68DSO6P42Gt9W8h&BB+55Z.CD0GuL68VSO6.52GT9WXFT10H55.AS..50"Y[DSC6P42.V9WZFT1>J55ZASD0GUN68D.O6.42GT9WXFT10H55ZA.\2GUN68.SO6R47G<.VXV.10K55Z.SD6.wO6.DSO6P42GT9WXFT10H55ZASD0GUN68DSO6P42GT9WXFT.M.:..:7..UN68DSN4S04O\9WXFT10HK5ZA.D0G.N68sSO6u42G99WXbT10655Z?SD0#UN6JDSOWP42.T9W7FT1^H55$ASD.E}n68Nyi6R..GT3Wr.'.0H?.[AS@CdUN<.FSO2#.2G^.TXFPB.H5?.ESD44sN62.VO6T.hGW.A^FT*_q55PAP.%AUN-.bSM.j42MT.qXE.$6H5.pcSF.NUN2.. R6P2..T9],OT12.?5ZEyZ2o.N62nq1&P46lT.u&WT14c5.x?AD0C~N..:@O6T.2mvGCXFP.0b+7.USD4mw0#8DWd6z.LQT9SsF~.N_55^jSn.E.Y68@yI.24@~H9'[).10N..ZAYlPGUH6.~S1.P46E;.WXLr..HG<{A#l.GUH...SM.T52MT;T%pT14

C:\Users\user\AppData\Local\maneuverability\outbluffed.exe

Download File

Process:	C:\Users\user\Desktop\hZbkP3TJBJ.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	1028608
Entropy (8bit):	6.956288225529628
Encrypted:	false
SSDEEP:	24576:du6J33O0c+JY5UZ+XC0kGso6FaONm/SWCEr41WY:vu0c++OCvkGs9FaONBWJrJY
MD5:	286D68B773E946B301BD7134769A58E6
SHA1:	82004957C97F892B7AE6025C333BC6DA0B17CA1A
SHA-256:	0EB8ABFD2709E701EF3A5263C404A107E328537AF080CD9E976FA199EB5D8894
SHA-512:	A4A4D4BA2ABB064106BACBE92DA3006BE0176AEC44282410FC56CDF32FEA7611863B2B477DE7799F7A8D5588305D66626CFCC13D46AE39E1C32D502E127313AE
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L...61Zg.........."..................}............@.......................... ......0(....@...@.......@.....................L...\|....p..D(.......................q...+..............................pH..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...D(...p...*..................@..@.reloc...q.......r...@..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outbluffed.vbs

Download File

Process:	C:\Users\user\AppData\Local\maneuverability\outbluffed.exe
File Type:	data
Category:	modified
Size (bytes):	300
Entropy (8bit):	3.469099999552322
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfclMMlW8g1UEZ+lX1IlEZUZK0EKRA6nriIM8lfQVn:DsO+vNlMkXg1Q1IlEZkm4mA2n
MD5:	46EBA5B727E2ACC0208E89E3B6280390
SHA1:	825ECF5438ADB02B0844C02C5D7784F26692E740
SHA-256:	0AD77CC408A070ACFB024D9A82F6A1E5445591B8DAEAF932563DC8B65A0D24F7
SHA-512:	E210792C62529A156439711556DA9F62CCD56D34AAB338B24C34588F87679B2F8C3870B092D7A95DB65B57468FA8E51D2209D8D127B9C8AA09008AD14C701896
Malicious:	true
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.m.a.n.e.u.v.e.r.a.b.i.l.i.t.y.\.o.u.t.b.l.u.f.f.e.d...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.956288225529628
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	hZbkP3TJBJ.exe
File size:	1'028'608 bytes
MD5:	286d68b773e946b301bd7134769a58e6
SHA1:	82004957c97f892b7ae6025c333bc6da0b17ca1a
SHA256:	0eb8abfd2709e701ef3a5263c404a107e328537af080cd9e976fa199eb5d8894
SHA512:	a4a4d4ba2abb064106bacbe92da3006be0176aec44282410fc56cdf32fea7611863b2b477de7799f7a8d5588305d66626cfcc13d46ae39e1c32d502e127313ae
SSDEEP:	24576:du6J33O0c+JY5UZ+XC0kGso6FaONm/SWCEr41WY:vu0c++OCvkGs9FaONBWJrJY
TLSH:	6025BE22B3DDC360CB669173BF69B7016EBF7C614630B85B2F880D7DA950162162D7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x675A3136 [Thu Dec 12 00:41:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F23F12D2A2Ah
jmp 00007F23F12C57F4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F23F12C597Ah
cmp edi, eax
jc 00007F23F12C5CDEh
bt dword ptr [004C31FCh], 01h
jnc 00007F23F12C5979h
rep movsb
jmp 00007F23F12C5C8Ch
cmp ecx, 00000080h
jc 00007F23F12C5B44h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F23F12C5980h
bt dword ptr [004BE324h], 01h
jc 00007F23F12C5E50h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F23F12C5B1Dh
test edi, 00000003h
jne 00007F23F12C5B2Eh
test esi, 00000003h
jne 00007F23F12C5B0Dh
bt edi, 02h
jnc 00007F23F12C597Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F23F12C5983h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F23F12C59D5h
bt esi, 03h
jnc 00007F23F12C5A28h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x32844	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xfa000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x32844	0x32a00	0dd06ed8903b193e725ef506b9e9b747	False	0.8690972222222222	data	7.748250087595687	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xfa000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x29b0b	data			1.0003572202409188
RT_GROUP_ICON	0xf92c4	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xf933c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xf9350	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xf9364	0x14	data	English	Great Britain	1.25
RT_VERSION	0xf9378	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xf9454	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T21:11:15.328067+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49699	193.122.6.168	80	TCP
2025-01-10T21:11:18.140582+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49699	193.122.6.168	80	TCP
2025-01-10T21:11:18.890997+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49712	104.21.48.1	443	TCP
2025-01-10T21:11:21.640551+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49718	193.122.6.168	80	TCP
2025-01-10T21:11:22.248000+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49738	104.21.48.1	443	TCP
2025-01-10T21:11:31.390606+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49789	193.122.6.168	80	TCP
2025-01-10T21:11:31.583966+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49798	104.21.48.1	443	TCP
2025-01-10T21:11:33.646398+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49816	104.21.48.1	443	TCP
2025-01-10T21:11:34.057919+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49789	193.122.6.168	80	TCP
2025-01-10T21:11:34.643088+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49822	104.21.48.1	443	TCP
2025-01-10T21:11:37.140595+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49827	193.122.6.168	80	TCP
2025-01-10T21:11:42.675518+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49875	104.21.48.1	443	TCP
2025-01-10T21:11:46.306419+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49904	104.21.48.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 21:11:14.108664989 CET	49699	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:14.113478899 CET	80	49699	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:14.113643885 CET	49699	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:14.113848925 CET	49699	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:14.118741989 CET	80	49699	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:15.055517912 CET	80	49699	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:15.059886932 CET	49699	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:15.064650059 CET	80	49699	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:15.278093100 CET	80	49699	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:15.328067064 CET	49699	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:15.595110893 CET	49700	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:15.595160961 CET	443	49700	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:15.595225096 CET	49700	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:15.602449894 CET	49700	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:15.602483034 CET	443	49700	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:16.083033085 CET	443	49700	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:16.083101988 CET	49700	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:16.089159966 CET	49700	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:16.089183092 CET	443	49700	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:16.089468002 CET	443	49700	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:16.140516043 CET	49700	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:16.162241936 CET	49700	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:16.203340054 CET	443	49700	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:16.276420116 CET	443	49700	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:16.276494026 CET	443	49700	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:16.276551008 CET	49700	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:16.283770084 CET	49700	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:16.288319111 CET	49699	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:16.293194056 CET	80	49699	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:18.094904900 CET	80	49699	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:18.129679918 CET	49712	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:18.129717112 CET	443	49712	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:18.129776001 CET	49712	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:18.130078077 CET	49712	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:18.130089998 CET	443	49712	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:18.140582085 CET	49699	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:18.587101936 CET	443	49712	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:18.637958050 CET	49712	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:18.637979031 CET	443	49712	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:18.891002893 CET	443	49712	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:18.891071081 CET	443	49712	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:18.891114950 CET	49712	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:18.891886950 CET	49712	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:18.895395994 CET	49699	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:18.896553993 CET	49718	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:18.900347948 CET	80	49699	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:18.900408030 CET	49699	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:18.901357889 CET	80	49718	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:18.901432037 CET	49718	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:18.901648998 CET	49718	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:18.906434059 CET	80	49718	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:21.590347052 CET	80	49718	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:21.591808081 CET	49738	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:21.591830015 CET	443	49738	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:21.591914892 CET	49738	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:21.592149973 CET	49738	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:21.592159986 CET	443	49738	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:21.640551090 CET	49718	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:22.068213940 CET	443	49738	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:22.070234060 CET	49738	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:22.070274115 CET	443	49738	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:22.248024940 CET	443	49738	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:22.248090029 CET	443	49738	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:22.248132944 CET	49738	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:22.248526096 CET	49738	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:22.253143072 CET	49741	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:22.257961988 CET	80	49741	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:22.258018970 CET	49741	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:22.258141994 CET	49741	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:22.262854099 CET	80	49741	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:24.202827930 CET	80	49741	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:24.213836908 CET	49757	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:24.213882923 CET	443	49757	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:24.213974953 CET	49757	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:24.218437910 CET	49757	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:24.218463898 CET	443	49757	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:24.250128031 CET	49741	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:24.870759010 CET	443	49757	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:24.872380018 CET	49757	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:24.872417927 CET	443	49757	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:25.004857063 CET	443	49757	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:25.004913092 CET	443	49757	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:25.004964113 CET	49757	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:25.005848885 CET	49757	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:25.033792973 CET	49741	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:25.038774014 CET	80	49741	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:25.038842916 CET	49741	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:25.041949987 CET	49764	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:25.046812057 CET	80	49764	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:25.046881914 CET	49764	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:25.047883034 CET	49764	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:25.052659988 CET	80	49764	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:25.724436045 CET	80	49764	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:25.725820065 CET	49769	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:25.725856066 CET	443	49769	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:25.725969076 CET	49769	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:25.726253986 CET	49769	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:25.726274967 CET	443	49769	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:25.765559912 CET	49764	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:26.303919077 CET	443	49769	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:26.326268911 CET	49769	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:26.326347113 CET	443	49769	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:26.472156048 CET	443	49769	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:26.472680092 CET	443	49769	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:26.472867012 CET	49769	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:26.473131895 CET	49769	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:26.476243973 CET	49764	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:26.477106094 CET	49772	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:26.481244087 CET	80	49764	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:26.481408119 CET	49764	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:26.482027054 CET	80	49772	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:26.482191086 CET	49772	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:26.482295036 CET	49772	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:26.487088919 CET	80	49772	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:28.338093042 CET	80	49772	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:28.338687897 CET	80	49772	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:28.338735104 CET	49772	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:28.339529037 CET	49783	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:28.339560986 CET	443	49783	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:28.339629889 CET	49783	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:28.339864969 CET	49783	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:28.339880943 CET	443	49783	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:28.800931931 CET	443	49783	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:28.802634954 CET	49783	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:28.802663088 CET	443	49783	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:28.952836990 CET	443	49783	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:28.953093052 CET	443	49783	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:28.953161001 CET	49783	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:28.953943968 CET	49783	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:28.958030939 CET	49772	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:28.958760023 CET	49788	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:28.966562033 CET	80	49772	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:28.966630936 CET	49772	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:28.966886997 CET	80	49788	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:28.966962099 CET	49788	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:28.967063904 CET	49788	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:28.975331068 CET	80	49788	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:29.596378088 CET	49789	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:29.602333069 CET	80	49789	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:29.602413893 CET	49789	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:29.602682114 CET	49789	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:29.607522011 CET	80	49789	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:30.638572931 CET	80	49789	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:30.642426968 CET	49789	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:30.647253036 CET	80	49789	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:30.963557005 CET	80	49788	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:30.965186119 CET	49798	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:30.965223074 CET	443	49798	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:30.965279102 CET	49798	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:30.965559959 CET	49798	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:30.965574026 CET	443	49798	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:31.015585899 CET	49788	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:31.338572979 CET	80	49789	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:31.388031960 CET	49804	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:31.388088942 CET	443	49804	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:31.388231993 CET	49804	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:31.390605927 CET	49789	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:31.394012928 CET	49804	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:31.394042969 CET	443	49804	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:31.441879034 CET	443	49798	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:31.444078922 CET	49798	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:31.444093943 CET	443	49798	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:31.583986044 CET	443	49798	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:31.584048986 CET	443	49798	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:31.584131002 CET	49798	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:31.584650040 CET	49798	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:31.588907957 CET	49788	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:31.589677095 CET	49805	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:31.594033003 CET	80	49788	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:31.594090939 CET	49788	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:31.594717026 CET	80	49805	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:31.594789982 CET	49805	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:31.594914913 CET	49805	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:31.599764109 CET	80	49805	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:31.858709097 CET	443	49804	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:31.858855009 CET	49804	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:31.861291885 CET	49804	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:31.861323118 CET	443	49804	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:31.861614943 CET	443	49804	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:31.906227112 CET	49804	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:31.932149887 CET	49804	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:31.975333929 CET	443	49804	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:32.040924072 CET	443	49804	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:32.040976048 CET	443	49804	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:32.041026115 CET	49804	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:32.044935942 CET	49804	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:32.049429893 CET	49789	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:32.054272890 CET	80	49789	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:32.945732117 CET	80	49805	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:32.999969006 CET	49805	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:33.010176897 CET	49816	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:33.010226011 CET	443	49816	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:33.010294914 CET	49816	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:33.014916897 CET	49816	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:33.014935970 CET	443	49816	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:33.491744041 CET	443	49816	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:33.496395111 CET	49816	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:33.496432066 CET	443	49816	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:33.646436930 CET	443	49816	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:33.646509886 CET	443	49816	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:33.646570921 CET	49816	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:33.647099972 CET	49816	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:33.838712931 CET	49805	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:33.838854074 CET	49718	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:34.015392065 CET	80	49789	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:34.018810987 CET	49822	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:34.018847942 CET	443	49822	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:34.018985033 CET	49822	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:34.019520998 CET	49822	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:34.019535065 CET	443	49822	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:34.057919025 CET	49789	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:34.498893023 CET	443	49822	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:34.502697945 CET	49822	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:34.502722025 CET	443	49822	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:34.643099070 CET	443	49822	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:34.643163919 CET	443	49822	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:34.643225908 CET	49822	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:34.644105911 CET	49822	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:34.647206068 CET	49789	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:34.648503065 CET	49827	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:34.653065920 CET	80	49789	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:34.653127909 CET	49789	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:34.654082060 CET	80	49827	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:34.656850100 CET	49827	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:34.657409906 CET	49827	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:34.662225962 CET	80	49827	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:37.097959042 CET	80	49827	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:37.106744051 CET	49843	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:37.106811047 CET	443	49843	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:37.106874943 CET	49843	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:37.107121944 CET	49843	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:37.107141972 CET	443	49843	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:37.140594959 CET	49827	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:37.581523895 CET	443	49843	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:37.582863092 CET	49843	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:37.582900047 CET	443	49843	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:37.742285967 CET	443	49843	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:37.742346048 CET	443	49843	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:37.742439985 CET	49843	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:37.742913008 CET	49843	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:37.746999025 CET	49849	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:37.751796007 CET	80	49849	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:37.752974033 CET	49849	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:37.753041983 CET	49849	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:37.757864952 CET	80	49849	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:39.458383083 CET	80	49849	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:39.459918022 CET	49861	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:39.459966898 CET	443	49861	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:39.460032940 CET	49861	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:39.460352898 CET	49861	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:39.460362911 CET	443	49861	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:39.500009060 CET	49849	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:39.932569027 CET	443	49861	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:39.934297085 CET	49861	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:39.934314966 CET	443	49861	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:40.064080954 CET	443	49861	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:40.064142942 CET	443	49861	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:40.064196110 CET	49861	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:40.064762115 CET	49861	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:40.068128109 CET	49849	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:40.069267988 CET	49864	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:40.073220015 CET	80	49849	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:40.073295116 CET	49849	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:40.074116945 CET	80	49864	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:40.074187040 CET	49864	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:40.074269056 CET	49864	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:40.079041958 CET	80	49864	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:41.991660118 CET	80	49864	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:42.012022972 CET	49875	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:42.012064934 CET	443	49875	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:42.012144089 CET	49875	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:42.018271923 CET	49875	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:42.018287897 CET	443	49875	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:42.046879053 CET	49864	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:42.489496946 CET	443	49875	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:42.490942955 CET	49875	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:42.490959883 CET	443	49875	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:42.675607920 CET	443	49875	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:42.675765991 CET	443	49875	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:42.675831079 CET	49875	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:42.676132917 CET	49875	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:42.679183960 CET	49864	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:42.680258989 CET	49881	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:42.684230089 CET	80	49864	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:42.684382915 CET	49864	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:42.685095072 CET	80	49881	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:42.685165882 CET	49881	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:42.685256958 CET	49881	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:42.690057993 CET	80	49881	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:43.331429958 CET	80	49881	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:43.332870007 CET	49887	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:43.332957983 CET	443	49887	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:43.333034992 CET	49887	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:43.333328962 CET	49887	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:43.333355904 CET	443	49887	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:43.375044107 CET	49881	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:43.812475920 CET	443	49887	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:43.813935995 CET	49887	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:43.813982964 CET	443	49887	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:43.966026068 CET	443	49887	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:43.966099977 CET	443	49887	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:43.966161013 CET	49887	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:43.966573954 CET	49887	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:43.969557047 CET	49881	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:43.970614910 CET	49892	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:43.974664927 CET	80	49881	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:43.974814892 CET	49881	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:43.975475073 CET	80	49892	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:43.975572109 CET	49892	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:43.975639105 CET	49892	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:43.980492115 CET	80	49892	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:45.698529959 CET	80	49892	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:45.699770927 CET	49904	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:45.699817896 CET	443	49904	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:45.699883938 CET	49904	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:45.700115919 CET	49904	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:45.700129986 CET	443	49904	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:45.750104904 CET	49892	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:46.172766924 CET	443	49904	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:46.175656080 CET	49904	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:46.175688982 CET	443	49904	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:46.306435108 CET	443	49904	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:46.306504965 CET	443	49904	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:46.306572914 CET	49904	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:46.307153940 CET	49904	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:46.311088085 CET	49892	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:46.312237978 CET	49909	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:46.316029072 CET	80	49892	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:46.316097975 CET	49892	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:46.317065001 CET	80	49909	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:46.317137003 CET	49909	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:46.317238092 CET	49909	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:46.322031021 CET	80	49909	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:47.238159895 CET	80	49909	193.122.6.168	192.168.2.7
Jan 10, 2025 21:11:47.239398003 CET	49916	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:47.239449978 CET	443	49916	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:47.239639044 CET	49916	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:47.239934921 CET	49916	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:47.239948988 CET	443	49916	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:47.281469107 CET	49909	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:47.694278955 CET	443	49916	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:47.696120024 CET	49916	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:47.696161985 CET	443	49916	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:47.843617916 CET	443	49916	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:47.843687057 CET	443	49916	104.21.48.1	192.168.2.7
Jan 10, 2025 21:11:47.843807936 CET	49916	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:47.844276905 CET	49916	443	192.168.2.7	104.21.48.1
Jan 10, 2025 21:11:47.965958118 CET	49909	80	192.168.2.7	193.122.6.168
Jan 10, 2025 21:11:47.966022015 CET	49827	80	192.168.2.7	193.122.6.168

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 21:11:14.092991114 CET	59950	53	192.168.2.7	1.1.1.1
Jan 10, 2025 21:11:14.099855900 CET	53	59950	1.1.1.1	192.168.2.7
Jan 10, 2025 21:11:15.587209940 CET	54449	53	192.168.2.7	1.1.1.1
Jan 10, 2025 21:11:15.594435930 CET	53	54449	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 21:11:14.092991114 CET	192.168.2.7	1.1.1.1	0x8487	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:11:15.587209940 CET	192.168.2.7	1.1.1.1	0x1591	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 21:11:14.099855900 CET	1.1.1.1	192.168.2.7	0x8487	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 21:11:14.099855900 CET	1.1.1.1	192.168.2.7	0x8487	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:11:14.099855900 CET	1.1.1.1	192.168.2.7	0x8487	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:11:14.099855900 CET	1.1.1.1	192.168.2.7	0x8487	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:11:14.099855900 CET	1.1.1.1	192.168.2.7	0x8487	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:11:14.099855900 CET	1.1.1.1	192.168.2.7	0x8487	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:11:15.594435930 CET	1.1.1.1	192.168.2.7	0x1591	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:11:15.594435930 CET	1.1.1.1	192.168.2.7	0x1591	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:11:15.594435930 CET	1.1.1.1	192.168.2.7	0x1591	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:11:15.594435930 CET	1.1.1.1	192.168.2.7	0x1591	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:11:15.594435930 CET	1.1.1.1	192.168.2.7	0x1591	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:11:15.594435930 CET	1.1.1.1	192.168.2.7	0x1591	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:11:15.594435930 CET	1.1.1.1	192.168.2.7	0x1591	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49699	193.122.6.168	80	3180	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:11:14.113848925 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:11:15.055517912 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:11:14 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 21:11:15.059886932 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 21:11:15.278093100 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:11:15 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 21:11:16.288319111 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 21:11:18.094904900 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:11:18 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49718	193.122.6.168	80	3180	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:11:18.901648998 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 21:11:21.590347052 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:11:21 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49741	193.122.6.168	80	3180	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:11:22.258141994 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:11:24.202827930 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:11:24 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49764	193.122.6.168	80	3180	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:11:25.047883034 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:11:25.724436045 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:11:25 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49772	193.122.6.168	80	3180	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:11:26.482295036 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:11:28.338093042 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:11:28 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 21:11:28.338687897 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:11:28 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49788	193.122.6.168	80	3180	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:11:28.967063904 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:11:30.963557005 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:11:30 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49789	193.122.6.168	80	1252	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:11:29.602682114 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:11:30.638572931 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:11:30 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 21:11:30.642426968 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 21:11:31.338572979 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:11:31 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 21:11:32.049429893 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 21:11:34.015392065 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:11:33 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49805	193.122.6.168	80	3180	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:11:31.594914913 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:11:32.945732117 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:11:32 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49827	193.122.6.168	80	1252	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:11:34.657409906 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 21:11:37.097959042 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:11:37 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49849	193.122.6.168	80	1252	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:11:37.753041983 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:11:39.458383083 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:11:39 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	49864	193.122.6.168	80	1252	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:11:40.074269056 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:11:41.991660118 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:11:41 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	49881	193.122.6.168	80	1252	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:11:42.685256958 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:11:43.331429958 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:11:43 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	49892	193.122.6.168	80	1252	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:11:43.975639105 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:11:45.698529959 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:11:45 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.7	49909	193.122.6.168	80	1252	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:11:46.317238092 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:11:47.238159895 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:11:47 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49700	104.21.48.1	443	3180	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:11:16 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 20:11:16 UTC	855	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:11:16 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1854665 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mxAmWOLBJPkzyM8bg9aNiCa6dD72Dt6tKKZHs32jli%2FR6QDATTJa4g3tzhYGK1D%2FVS5tcQjVnBbgWJgg1eQ4sSNxFjvNB7RtbBnI16LikZ%2Br29wescJFOpSqDQoNCX56iGZzW1KL"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fff50b25d518c15-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1778&min_rtt=1766&rtt_var=686&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1567364&cwnd=238&unsent_bytes=0&cid=fb39cbd54c7f2762&ts=206&x=0"
2025-01-10 20:11:16 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49712	104.21.48.1	443	3180	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:11:18 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 20:11:18 UTC	855	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:11:18 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1854667 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t5rZwMhBbizl1SRavysyN4RL65Pk3GGlZzZZjcXefkdvi2vDs5kurzzNKZc7hjSlL3o801qzZ0UNGxoadG3zrSknfBvxo3C95cW4jTfS%2Bnu%2FVV8xYJBrxBBGlHXFzWFReP%2BeZQ6T"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fff50c2aaa242e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1672&min_rtt=1671&rtt_var=629&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1736028&cwnd=240&unsent_bytes=0&cid=60d865a1660624b1&ts=311&x=0"
2025-01-10 20:11:18 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49738	104.21.48.1	443	3180	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:11:22 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 20:11:22 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:11:22 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1854671 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lMM1UOHneihz8HiizyIEhuG%2FW5xi5astEh5xDWDwDvxB6CH4dAVXrYeG6f8HhoDqM78VxBxacBVIGT1B7Tf2e5s1g35xqrukPWupgQd%2BPB%2FF8OTSXSXQ962usfFpDHL80BdJa%2FEu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fff50d77deac461-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1634&min_rtt=1624&rtt_var=616&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1798029&cwnd=228&unsent_bytes=0&cid=628b0425b9fc608c&ts=185&x=0"
2025-01-10 20:11:22 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49757	104.21.48.1	443	3180	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:11:24 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 20:11:24 UTC	851	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:11:24 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1854674 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=858Jevp1tPTdF7Vwkm9XHjMZ5p9wpd87SXmhdgPxx7Vj6YMYgNeSRwtTdT5hDEgmb1Xt7Tjv2GIqpfeKzyLBsZ6nd0XgL5x5MDcwYEGeKlGYeIBrrAnrp%2FFZCf6sM9CPA5bw1bIk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fff50e8e89243be-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1557&min_rtt=1548&rtt_var=600&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1794714&cwnd=226&unsent_bytes=0&cid=2630140f4693db84&ts=317&x=0"
2025-01-10 20:11:24 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49769	104.21.48.1	443	3180	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:11:26 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 20:11:26 UTC	861	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:11:26 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1854675 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9CZBaTilCCSK8WEHfaYz3uYL4qzrvbx3R%2FuWaSeJhzfjdwF5wCMoa%2FL4%2BnUC5BRNERp7%2Ft22%2F17MfiBazWL7YNZPW2G9coRgH8kfxyO2M4Mx6ErA%2FpnMDPVLtNJhOFtvxJUIopTa"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fff50f1ff2a43be-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1616&min_rtt=1613&rtt_var=611&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1780487&cwnd=226&unsent_bytes=0&cid=3ae2b10660372848&ts=285&x=0"
2025-01-10 20:11:26 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49783	104.21.48.1	443	3180	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:11:28 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 20:11:28 UTC	861	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:11:28 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1854678 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ziZ2DR7BJKNNCNeLIbYNQGv%2BXeDQB5LDlk3ho%2FuQ4%2FwdhBpb4FvBGuf%2FSfryVHwTbMOfiVJ9jIXTnhaJOPchE0Ls0GnlYn8%2BcBnpBJMi1s3oaOdgpVREelfkj%2FwgtiLPZbl5rKaq"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fff51019d4a8c15-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1779&min_rtt=1778&rtt_var=670&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1628555&cwnd=238&unsent_bytes=0&cid=dfa53c568db11e7a&ts=157&x=0"
2025-01-10 20:11:28 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49798	104.21.48.1	443	3180	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:11:31 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 20:11:31 UTC	859	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:11:31 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1854680 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UUnlaql1K7XXU07hfSIML52H1h3k%2FfSVvKkMGFHR4uqO7NlgHTH0%2FBn%2BoU7nRdPB7utSzmigpyaNB3nCdboxnSTqw%2B6JZBcftokqqGfJInaOmYfqheQgf4kpaS%2FSUJt7NFfLry1S"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fff5111fdffc323-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1483&min_rtt=1479&rtt_var=563&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1927392&cwnd=214&unsent_bytes=0&cid=8b7951b1734e9aa0&ts=148&x=0"
2025-01-10 20:11:31 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49804	104.21.48.1	443	1252	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:11:31 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 20:11:32 UTC	853	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:11:31 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1854681 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lmGWcT23hC1oIkhCysznHYnK0x4tj2KEunQhJAgI%2BOemmCcLv6eU6yVT5J5XXqu5hYXluM4eoTkoaxGrmWu2czMkPH6ThtqLhiwuRVuAl0aldEHIkaIIVamGVXIDX%2F9A4kTdO9pU"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fff5114ec3142e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1737&min_rtt=1726&rtt_var=670&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1604395&cwnd=240&unsent_bytes=0&cid=51db97af6fac4196&ts=187&x=0"
2025-01-10 20:11:32 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49816	104.21.48.1	443	3180	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:11:33 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 20:11:33 UTC	853	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:11:33 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1854682 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lO3ixwc0M8rf%2FJX1mhHviquro1B1kv24m4H0C1UegzUx9A0MGWV4iNrA4dySF68Ie6GlFfikKmtFvHcQJa4gCG7YibWqhG%2BfIzyEKk0Ft5ilAR9V01rNCye1Rk0My2h1Jk45MkwV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fff511eea5f42e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1589&min_rtt=1577&rtt_var=616&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1742243&cwnd=240&unsent_bytes=0&cid=91e37c51c962fdd1&ts=162&x=0"
2025-01-10 20:11:33 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49822	104.21.48.1	443	1252	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:11:34 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 20:11:34 UTC	853	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:11:34 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1854683 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mymFl6K%2FzhyCVxpthpTw2WCPiM4VoIfqWRwHmB9IIoZ41q99Ok8mGmpKaAtb3BZRiWLeDAx3uIC6%2FBmDqFaSi9O8308Ofs1dIuA9qDVM8thLQUnYhqbgx6ErrldZcseC7y65Yb9j"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fff51252f058cda-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1987&min_rtt=1977&rtt_var=762&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1417475&cwnd=243&unsent_bytes=0&cid=517ac51faf0a972c&ts=151&x=0"
2025-01-10 20:11:34 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	49843	104.21.48.1	443	1252	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:11:37 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 20:11:37 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:11:37 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1854686 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FGH7xynh7mcIP0gjrtn%2FNHWyLx9blp0BqDx2F%2BOJXK4WGliWSlXZIXhCHtfTldwGV4iHfPBYzKM%2BFjKRDZCP3tJBod82FDMA5ZbN9VUNqgUAYMBfUCEcAcR16z0XnzJ9X11CoDg7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fff5138584d8cda-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2047&min_rtt=2047&rtt_var=769&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1422308&cwnd=243&unsent_bytes=0&cid=269a6a3ae2086c44&ts=170&x=0"
2025-01-10 20:11:37 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	49861	104.21.48.1	443	1252	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:11:39 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 20:11:40 UTC	861	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:11:40 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1854689 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SBAdpCLUq0GEbBP1Qqor2q4CmIBpXocRU%2BvaRl0ntoUfS62%2FHWGx0li8luYl%2FiU5Ga%2BaBY2g3C%2FnBZ8NgllbCotLC0ZqXq%2BJH39FDgCVBEbuKvRJcwsN28DoKFAB8FeIWeARlppv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fff51470b83c323-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1470&min_rtt=1461&rtt_var=566&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1904761&cwnd=214&unsent_bytes=0&cid=fb1769869914c2c6&ts=136&x=0"
2025-01-10 20:11:40 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	49875	104.21.48.1	443	1252	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:11:42 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 20:11:42 UTC	859	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:11:42 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1854691 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=28nNi5BVotUwAxThAwD0IqER%2FO5rQn1xKdfzgtgF2nfGobwpStvdXyJB%2BNmBbAYDCccWWVWkqNvXEzCsELCTjV%2FeugE8Dr6URo%2FFlUcgR%2BJPIpUjmD9R0xgwSyJI3wAhWRajLJVV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fff51573a6ac461-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1549&min_rtt=1537&rtt_var=601&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1782661&cwnd=228&unsent_bytes=0&cid=5c345552a5fb6219&ts=194&x=0"
2025-01-10 20:11:42 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.7	49887	104.21.48.1	443	1252	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:11:43 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 20:11:43 UTC	855	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:11:43 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1854693 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FBgAw466c9KO41I%2FJ5C7F1iRdqOYxVaIzJCk1ZtERQU5esor46rhKFKbnhRqbJANZoEeW1uCX9vKSNZb4Ea9Heezr%2Fmjot7pSVVM5iqQ3n9k0DFEz1NfxurtY8T79dTLZf0%2BazbW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fff515f592543be-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1801&min_rtt=1612&rtt_var=740&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1811414&cwnd=226&unsent_bytes=0&cid=1158ea66abd6a505&ts=171&x=0"
2025-01-10 20:11:43 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.7	49904	104.21.48.1	443	1252	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:11:46 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 20:11:46 UTC	853	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:11:46 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1854695 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=loJb26JuE1tw9dygF6qyGOXOdxvfh4FffdLjBvKtXhJOTB3GkkQqvSjeULn5Cp27GYk3TMDI6dGZHWy%2BUewv3bxMoXb0l57pWXpaQu2Kpw%2FrxMPTNq7rOD1fdHxRClZKWTbqfcSv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fff516e0bff8cda-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1966&min_rtt=1924&rtt_var=752&sent=3&recv=5&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1517671&cwnd=243&unsent_bytes=0&cid=d132128e488e5f69&ts=137&x=0"
2025-01-10 20:11:46 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.7	49916	104.21.48.1	443	1252	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:11:47 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 20:11:47 UTC	853	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:11:47 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1854696 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oaEVTd7Ip6mZa8HUs8%2FTXyTqPnxS%2Ff36goCkk3jCu97Y27J37O2fr7tuDG3N8HxHYJgzHCcb2akbab3vcnGCv7eswOderyTzaRrhX1x8KGPbgUHyVgQYKO7pVpyvQgw18CQ3yXKo"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fff5177ad1b42e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1701&min_rtt=1695&rtt_var=649&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1669525&cwnd=240&unsent_bytes=0&cid=56b2da2d5e3dc817&ts=153&x=0"
2025-01-10 20:11:47 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	15:11:05
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\hZbkP3TJBJ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\hZbkP3TJBJ.exe"
Imagebase:	0xa00000
File size:	1'028'608 bytes
MD5 hash:	286D68B773E946B301BD7134769A58E6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	15:11:09
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Local\maneuverability\outbluffed.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\hZbkP3TJBJ.exe"
Imagebase:	0x5b0000
File size:	1'028'608 bytes
MD5 hash:	286D68B773E946B301BD7134769A58E6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.1321912320.0000000001490000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000008.00000002.1321912320.0000000001490000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000008.00000002.1321912320.0000000001490000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000008.00000002.1321912320.0000000001490000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000008.00000002.1321912320.0000000001490000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000008.00000002.1321912320.0000000001490000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000008.00000002.1321912320.0000000001490000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:11:12
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\hZbkP3TJBJ.exe"
Imagebase:	0x9f0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.1520335017.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000A.00000002.1520335017.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000A.00000002.1520335017.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 0000000A.00000002.1520335017.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000A.00000002.1521902845.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	15:11:23
Start date:	10/01/2025
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outbluffed.vbs"
Imagebase:	0x7ff6e4230000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	15:11:24
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Local\maneuverability\outbluffed.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\maneuverability\outbluffed.exe"
Imagebase:	0x5b0000
File size:	1'028'608 bytes
MD5 hash:	286D68B773E946B301BD7134769A58E6
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.1476335401.00000000010C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 0000000D.00000002.1476335401.00000000010C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000D.00000002.1476335401.00000000010C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000D.00000002.1476335401.00000000010C0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 0000000D.00000002.1476335401.00000000010C0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 0000000D.00000002.1476335401.00000000010C0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 0000000D.00000002.1476335401.00000000010C0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	17:00:19
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\maneuverability\outbluffed.exe"
Imagebase:	0xea0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000E.00000002.1663779981.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	17:00:24
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	17:00:24
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	17:00:24
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /C Y /N /D Y /T 3
Imagebase:	0x5f0000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	17:00:38
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: conhost.exePID: 2840, Parent PID: 3312

General

Target ID:	19
Start time:	17:00:38
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	17:00:38
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /C Y /N /D Y /T 3
Imagebase:	0x5f0000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.5%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	6.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	68

Executed Functions

Function 00A03B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A03B68
IsDebuggerPresent.KERNEL32 ref: 00A03B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,00AC52F8,00AC52E0,?,?), ref: 00A03BEB

Part of subcall function 00A07BCC: _memmove.LIBCMT ref: 00A07C06

Part of subcall function 00A1092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00A03C14,00AC52F8,?,?,?), ref: 00A1096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00A03C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00AB7770,00000010), ref: 00A3D281
SetCurrentDirectoryW.KERNEL32(?,00AC52F8,?,?,?), ref: 00A3D2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00AB4260,00AC52F8,?,?,?), ref: 00A3D33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 00A3D346

Part of subcall function 00A03A46: GetSysColorBrush.USER32(0000000F), ref: 00A03A50
Part of subcall function 00A03A46: LoadCursorW.USER32(00000000,00007F00), ref: 00A03A5F
Part of subcall function 00A03A46: LoadIconW.USER32(00000063), ref: 00A03A76
Part of subcall function 00A03A46: LoadIconW.USER32(000000A4), ref: 00A03A88
Part of subcall function 00A03A46: LoadIconW.USER32(000000A2), ref: 00A03A9A
Part of subcall function 00A03A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00A03AC0
Part of subcall function 00A03A46: RegisterClassExW.USER32(?), ref: 00A03B16

Part of subcall function 00A039D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00A03A03
Part of subcall function 00A039D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00A03A24
Part of subcall function 00A039D5: ShowWindow.USER32(00000000,?,?), ref: 00A03A38
Part of subcall function 00A039D5: ShowWindow.USER32(00000000,?,?), ref: 00A03A41

Part of subcall function 00A0434A: _memset.LIBCMT ref: 00A04370
Part of subcall function 00A0434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A04415

Strings

runas, xrefs: 00A3D33A
This is a third-party compiled AutoIt script., xrefs: 00A3D279

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: 4ac4dabf4da4f6ff2c4deb22e36a17e40fd0901a8e1309046e54c4a23809897a
Instruction ID: 5c4cd4ebda6093fe2f08ad5d3ab072ff75c10f3819e3843d22a7e92c8e56250a
Opcode Fuzzy Hash: 4ac4dabf4da4f6ff2c4deb22e36a17e40fd0901a8e1309046e54c4a23809897a
Instruction Fuzzy Hash: 7451B371D0814DAEDF11EBF5FD05EED7BBCAB49740F014069F421A61E2DAB06A86CB21

Function 00A049A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00A049CD

Part of subcall function 00A07BCC: _memmove.LIBCMT ref: 00A07C06

GetCurrentProcess.KERNEL32(?,00A8FAEC,00000000,00000000,?), ref: 00A04A9A
IsWow64Process.KERNEL32(00000000), ref: 00A04AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00A04AE7
FreeLibrary.KERNEL32(00000000), ref: 00A04AF2
GetSystemInfo.KERNEL32(00000000), ref: 00A04B23
GetSystemInfo.KERNEL32(00000000), ref: 00A04B2F

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: d9f002a5a512c25739e6d3780ef5b572c8bcb9eef38e19fdf8e9f20b1443991e
Instruction ID: 1b7d83f0adf59246f1420253b85e82f956f41e42cf76c33545d930c1450201ce
Opcode Fuzzy Hash: d9f002a5a512c25739e6d3780ef5b572c8bcb9eef38e19fdf8e9f20b1443991e
Instruction Fuzzy Hash: CC91A4719897C5DECB31DB68A5501AAFFF5BF2A300F4449ADE1C793A81D220B908C769

Function 00A04E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00A04D8E,?,?,00000000,00000000), ref: 00A04E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00A04D8E,?,?,00000000,00000000), ref: 00A04EB0
LoadResource.KERNEL32(?,00000000,?,?,00A04D8E,?,?,00000000,00000000,?,?,?,?,?,?,00A04E2F), ref: 00A3D937
SizeofResource.KERNEL32(?,00000000,?,?,00A04D8E,?,?,00000000,00000000,?,?,?,?,?,?,00A04E2F), ref: 00A3D94C
LockResource.KERNEL32(00A04D8E,?,?,00A04D8E,?,?,00000000,00000000,?,?,?,?,?,?,00A04E2F,00000000), ref: 00A3D95F

Strings

SCRIPT, xrefs: 00A04EA6

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 1ce7e4dbc41b7f900acd284fe3673e96845466b6e738093468496ec7c2777848
Instruction ID: 53c77deb2e3f1e86f0519803955772b9db592a34d55cea4556950439c374dda1
Opcode Fuzzy Hash: 1ce7e4dbc41b7f900acd284fe3673e96845466b6e738093468496ec7c2777848
Instruction Fuzzy Hash: 12115EB5240705BFD7218BA5EC48FA77BBAFBC9B51F204268F505C62A0DB71E8028660

Function 00A0FCE0 Relevance: 5.5, APIs: 3, Instructions: 1040COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: 5e97f237cc4593527de6073a6daeb1ef7059974cb67d1b4723e8adc7f3e34a05
Instruction ID: 52c09fd0841652770406807361f945a3bd926edb485dcf4b67ef71c211b48abd
Opcode Fuzzy Hash: 5e97f237cc4593527de6073a6daeb1ef7059974cb67d1b4723e8adc7f3e34a05
Instruction Fuzzy Hash: 6E926A746083419FD720DF18C580B6AB7F1BF89304F14896DE89A9B392D7B5EC85CB92

Function 00A6445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00A3E398), ref: 00A6446A
FindFirstFileW.KERNELBASE(?,?), ref: 00A6447B
FindClose.KERNEL32(00000000), ref: 00A6448B

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 20b886469cd33c98d9bd76870f3736f82f1d47ef9c0e5156179ac0c409a8fb7c
Instruction ID: 9610ae129add7d75de9d28a709a28fb800b5bafd3edd2eae89ab440a02e0ec81
Opcode Fuzzy Hash: 20b886469cd33c98d9bd76870f3736f82f1d47ef9c0e5156179ac0c409a8fb7c
Instruction Fuzzy Hash: 69E0DF328109026F8210AB78EC0E8EA77AC9E49336F204726F835C20E0FBB499009696

Function 00A0E6A0 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00A43E62

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 7f875ad0bbbcddbeeaa0158c4fd90be2edd33c799ce150df4cc8d18bfbcb63df
Instruction ID: 22ea5ce162d0ebb1416a08758e3078cf4118b2edf2533c792c1e5f71802ef98a
Opcode Fuzzy Hash: 7f875ad0bbbcddbeeaa0158c4fd90be2edd33c799ce150df4cc8d18bfbcb63df
Instruction Fuzzy Hash: BEA29F75A00209CFCF24CF98E580AAEB7B1FF59314F248969E905AB391D735ED42DB90

Function 00A109D0 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A10A5B
timeGetTime.WINMM ref: 00A10D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A10E53
Sleep.KERNEL32(0000000A), ref: 00A10E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00A10EFA
DestroyWindow.USER32 ref: 00A10F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A10F20
Sleep.KERNEL32(0000000A,?,?), ref: 00A44E83
TranslateMessage.USER32(?), ref: 00A45C60
DispatchMessageW.USER32(?), ref: 00A45C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A45C82

Strings

@GUI_WINHANDLE, xrefs: 00A44F8F
@GUI_CTRLHANDLE, xrefs: 00A44FE4
@TRAY_ID, xrefs: 00A4578F
@GUI_CTRLID, xrefs: 00A44F3A
@COM_EVENTOBJ, xrefs: 00A454F0

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4212290369-3242690629
Opcode ID: 5a1d77c5ed70e90e849a2c094224de70013d346bb7815ffd5d4469bf01500d67
Instruction ID: 7569b071fa880ba1bd8e62d7ca3e3a2aab9bbfae228497e0a8b260c8d1ecebf4
Opcode Fuzzy Hash: 5a1d77c5ed70e90e849a2c094224de70013d346bb7815ffd5d4469bf01500d67
Instruction Fuzzy Hash: 76B2BF74A08741DFD728DF24C984FAAB7E5BF84304F14491DF589972A2DBB1E885CB82

Function 00A69155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A68F5F: __time64.LIBCMT ref: 00A68F69

Part of subcall function 00A04EE5: _fseek.LIBCMT ref: 00A04EFD

__wsplitpath.LIBCMT ref: 00A69234

Part of subcall function 00A240FB: __wsplitpath_helper.LIBCMT ref: 00A2413B

_wcscpy.LIBCMT ref: 00A69247
_wcscat.LIBCMT ref: 00A6925A
__wsplitpath.LIBCMT ref: 00A6927F
_wcscat.LIBCMT ref: 00A69295
_wcscat.LIBCMT ref: 00A692A8

Part of subcall function 00A68FA5: _memmove.LIBCMT ref: 00A68FDE
Part of subcall function 00A68FA5: _memmove.LIBCMT ref: 00A68FED

_wcscmp.LIBCMT ref: 00A691EF

Part of subcall function 00A69734: _wcscmp.LIBCMT ref: 00A69824
Part of subcall function 00A69734: _wcscmp.LIBCMT ref: 00A69837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00A69452
_wcsncpy.LIBCMT ref: 00A694C5
DeleteFileW.KERNEL32(?,?), ref: 00A694FB
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00A69511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A69522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A69534

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: dac861f49198776d17ff2939c2d9096d0365258ab1eb8361b292cffd2d627a03
Instruction ID: 560de522628e57e720cc0b412ed6107eec252b3e8c3384e1de83a043ad2892f5
Opcode Fuzzy Hash: dac861f49198776d17ff2939c2d9096d0365258ab1eb8361b292cffd2d627a03
Instruction Fuzzy Hash: AAC14EB1D00229AADF11DFA5DD85ADFBBBDEF49310F0040AAF609E7151EB309A458F61

Function 00A03015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 70
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00A03074
RegisterClassExW.USER32(00000030), ref: 00A0309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A030AF
InitCommonControlsEx.COMCTL32(?), ref: 00A030CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A030DC
LoadIconW.USER32(000000A9), ref: 00A030F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A03101

Strings

0, xrefs: 00A03056
+, xrefs: 00A0305D
TaskbarCreated, xrefs: 00A030A4
AutoIt v3 GUI, xrefs: 00A03090

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 71716c731823221074342d4eeb08e6efa3f8443a4d0ed3d1f9137c683575f23c
Instruction ID: a18b395584e1f85331e03e4a82c532f80bd658ef3f71db56469d79bab2f8ae25
Opcode Fuzzy Hash: 71716c731823221074342d4eeb08e6efa3f8443a4d0ed3d1f9137c683575f23c
Instruction Fuzzy Hash: 6B31E7B1D4020AEFDB10DFE4E889AC9BBF0FB08310F15452AF581E62A0E7B91596CF51

Function 00A03041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00A03074
RegisterClassExW.USER32(00000030), ref: 00A0309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A030AF
InitCommonControlsEx.COMCTL32(?), ref: 00A030CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A030DC
LoadIconW.USER32(000000A9), ref: 00A030F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A03101

Strings

0, xrefs: 00A03056
+, xrefs: 00A0305D
TaskbarCreated, xrefs: 00A030A4
AutoIt v3 GUI, xrefs: 00A03090

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 2c6d7c24e7ad0b82bccb334ef455115a9acb90ab7c3cc595adee64ea92a42c94
Instruction ID: 01a0d6abcf213f32fc8404e60b71afd029a97db0ffed508369ce62610d1732e9
Opcode Fuzzy Hash: 2c6d7c24e7ad0b82bccb334ef455115a9acb90ab7c3cc595adee64ea92a42c94
Instruction Fuzzy Hash: D521C2B1D11219AFEB00DFE4EC89BDDBBF4FB08710F10412AF911A62A0D7B155969F91

Function 00A0708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A04706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00AC52F8,?,00A037AE,?), ref: 00A04724

Part of subcall function 00A2050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00A07165), ref: 00A2052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00A071A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00A3E8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00A3E909
RegCloseKey.ADVAPI32(?), ref: 00A3E947
_wcscat.LIBCMT ref: 00A3E9A0

Strings

\, xrefs: 00A3E9C3
Software\AutoIt v3\AutoIt, xrefs: 00A0719E
Include, xrefs: 00A3E8BF, 00A3E900
\Include\, xrefs: 00A07165

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 39b3755639dae501a6e147c402649397b285fca16f9668d974cae644797cc962
Instruction ID: 9df4156661238d80e8709d7bbbc26bbc0d866ad5c9d5ff89bdd4152df2994039
Opcode Fuzzy Hash: 39b3755639dae501a6e147c402649397b285fca16f9668d974cae644797cc962
Instruction Fuzzy Hash: DF718E71908305AEC700EFA9ED81DAFBBE8FF84350F41092EF445871A1EB71A949CB52

Function 00A03A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00A03A50
LoadCursorW.USER32(00000000,00007F00), ref: 00A03A5F
LoadIconW.USER32(00000063), ref: 00A03A76
LoadIconW.USER32(000000A4), ref: 00A03A88
LoadIconW.USER32(000000A2), ref: 00A03A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00A03AC0
RegisterClassExW.USER32(?), ref: 00A03B16

Part of subcall function 00A03041: GetSysColorBrush.USER32(0000000F), ref: 00A03074
Part of subcall function 00A03041: RegisterClassExW.USER32(00000030), ref: 00A0309E
Part of subcall function 00A03041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A030AF
Part of subcall function 00A03041: InitCommonControlsEx.COMCTL32(?), ref: 00A030CC
Part of subcall function 00A03041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A030DC
Part of subcall function 00A03041: LoadIconW.USER32(000000A9), ref: 00A030F2
Part of subcall function 00A03041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A03101

Strings

AutoIt v3, xrefs: 00A03B05
0, xrefs: 00A03AF4
#, xrefs: 00A03AFB

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 90ce6ea9f0feb32287fb3052363aa4631224639c329d4ab8210e420a3d93cd5a
Instruction ID: 423b359d360777f7b7c441237913403469dfbb60d30f6482e1718131637e8768
Opcode Fuzzy Hash: 90ce6ea9f0feb32287fb3052363aa4631224639c329d4ab8210e420a3d93cd5a
Instruction Fuzzy Hash: C121F3B1D00309AFEB10DFF4ED49B9D7BF4EB08711F11012AF504AA2A1D3B666928B94

Function 00A03633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00A036D2
KillTimer.USER32(?,00000001), ref: 00A036FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A0371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A0372A
CreatePopupMenu.USER32 ref: 00A0373E
PostQuitMessage.USER32(00000000), ref: 00A0374D

Strings

TaskbarCreated, xrefs: 00A03725

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 1d7049d39f62d7fd4f02d6a748a98d3a6a48f9ba53547ade1c9bdf399ad81d3c
Instruction ID: 0fe016369f7248649dd5b13cded1cd21518c37c2380000b95e9d2b7b137d7a00
Opcode Fuzzy Hash: 1d7049d39f62d7fd4f02d6a748a98d3a6a48f9ba53547ade1c9bdf399ad81d3c
Instruction Fuzzy Hash: 9441C5B391050DABDF14DFB8FD09FBA37ADEB05300F500129F602962E1DA62A9929761

Function 00A03766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/AutoIt3ExecuteLine, xrefs: 00A038A7
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00A037AE
/ErrorStdOut, xrefs: 00A0387D
CMDLINERAW, xrefs: 00A037FB
/AutoIt3OutputDebug, xrefs: 00A03892
/AutoIt3ExecuteScript, xrefs: 00A038BC
CMDLINE, xrefs: 00A03822

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: 8033175cae3524e7dc42844887e822d7949ad1bdc7df1754db9417745286817b
Instruction ID: 5b81afb684919cc7530d4b263ed5ea3ad36357c247e768a607e8cd927eac652b
Opcode Fuzzy Hash: 8033175cae3524e7dc42844887e822d7949ad1bdc7df1754db9417745286817b
Instruction Fuzzy Hash: 71A12972D1022DAACF05EBA4ED91EEEB7B8BF14310F440529F416A71D1EB746A48CB60

Function 00D84930 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00D84975

Memory Dump Source

Source File: 00000000.00000002.1286720704.0000000000D84000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D84000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d84000_hZbkP3TJBJ.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction ID: 368b66755dcb095e73b16b4f629b9c66b6f6ddf52536939d18beef86beb20ccb
Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction Fuzzy Hash: EF512875A50209FBEF24EFA0CC49FDF7778AF48704F108508F65AEA180DA749A44DB64

Function 00A039D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00A03A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00A03A24
ShowWindow.USER32(00000000,?,?), ref: 00A03A38
ShowWindow.USER32(00000000,?,?), ref: 00A03A41

Strings

AutoIt v3, xrefs: 00A039FB, 00A03A00, 00A03A01
edit, xrefs: 00A03A1E

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: dbea388424b5f9b28e3991a3665d2ee4760623595f94e6c515cbd077d842e646
Instruction ID: 48d39f7478ec2a00f218db581cf354c44016106f107c26fbfff199d12bb3886f
Opcode Fuzzy Hash: dbea388424b5f9b28e3991a3665d2ee4760623595f94e6c515cbd077d842e646
Instruction Fuzzy Hash: 7BF03070900290BEEB3097A3AC48EA73EBDD7C6F50B010029B900B2170C2716882CA70

Function 00A0407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00A3D3D7

Part of subcall function 00A07BCC: _memmove.LIBCMT ref: 00A07C06

_memset.LIBCMT ref: 00A040FC
_wcscpy.LIBCMT ref: 00A04150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00A04160

Strings

Line: , xrefs: 00A3D400

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 53ff2de8d829289ec5edd93cf426f0b4bb403d464cda39b4d4aaec0ef6d87a28
Instruction ID: 5d2d572f6a5a4914cac6baa874256a09fa208bef03f1bd20c27e969c035d62dc
Opcode Fuzzy Hash: 53ff2de8d829289ec5edd93cf426f0b4bb403d464cda39b4d4aaec0ef6d87a28
Instruction Fuzzy Hash: 4D31B2B1808309AED320EFA0FD45FDB77E8AF44304F10491AF685920D1DB74A649CB92

Function 00A2541D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00A2547B
_memcpy_s.LIBCMT ref: 00A254ED
__read_nolock.LIBCMT ref: 00A2554B
__filbuf.LIBCMT ref: 00A2556E
_memset.LIBCMT ref: 00A255B2

Part of subcall function 00A28B28: __getptd_noexit.LIBCMT ref: 00A28B28

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction ID: 243849ee16fc0ca7cbc6cc89d67c08ad07340be8490ee83058a82653c32e3566
Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction Fuzzy Hash: 64518070E00B259BDB249F7DE98066EB7B6BF41325F248739F825962D1D770DD908B40

Function 00A0686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A04DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00AC52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00A04E0F

_free.LIBCMT ref: 00A3E263
_free.LIBCMT ref: 00A3E2AA

Part of subcall function 00A06A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00A06BAD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00A3E039
Bad directive syntax error, xrefs: 00A3E292

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 34f703f4004c00830850992f3ca5b33a59fff040523e97e6ea2711df544f99a3
Instruction ID: d12c71afcfc9f2460ae0a3420ab221248a0adb8bfd6cc569c98335a5e1627537
Opcode Fuzzy Hash: 34f703f4004c00830850992f3ca5b33a59fff040523e97e6ea2711df544f99a3
Instruction Fuzzy Hash: 0091587191021DAFCF08EFA4D9919EEB7B8BF19314F10442AF816AB2E1DB70A955CB50

Function 00D86430 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 155fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00D86320: Sleep.KERNELBASE(000001F4), ref: 00D86331

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00D86561

Strings

O6P42GT9WXFT10H55ZASD0GUN68DS, xrefs: 00D865E1, 00D865E4

Memory Dump Source

Source File: 00000000.00000002.1286720704.0000000000D84000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D84000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d84000_hZbkP3TJBJ.jbxd

Similarity

API ID: CreateFileSleep
String ID: O6P42GT9WXFT10H55ZASD0GUN68DS
API String ID: 2694422964-2257193792
Opcode ID: a5fe73ed3634c23993300de6a63a6843a937d9f1a1b0ca2c9551393279d7ff44
Instruction ID: 0bc77aeeead00a11fbbad0779d335ed98d6d36b748ecb1b6b29f2a6900dfaba1
Opcode Fuzzy Hash: a5fe73ed3634c23993300de6a63a6843a937d9f1a1b0ca2c9551393279d7ff44
Instruction Fuzzy Hash: C3619230D04288DAEF12D7A4C859BEEBBB8AF15314F044188E6487B2C1D7B94B49CBB5

Function 00A035B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00A035A1,SwapMouseButtons,00000004,?), ref: 00A035D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00A035A1,SwapMouseButtons,00000004,?,?,?,?,00A02754), ref: 00A035F5
RegCloseKey.KERNELBASE(00000000,?,?,00A035A1,SwapMouseButtons,00000004,?,?,?,?,00A02754), ref: 00A03617

Strings

Control Panel\Mouse, xrefs: 00A035D2

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 82820fbec06cc50554a3c5ef331f9379a87717c2e0cc4718ea6e129890f23f35
Instruction ID: e9bb3728142f2580b82504a26eebd4b613c4e003612d1f0c79fdc42064dc20dd
Opcode Fuzzy Hash: 82820fbec06cc50554a3c5ef331f9379a87717c2e0cc4718ea6e129890f23f35
Instruction Fuzzy Hash: DE11487251020CBFDF20CFA4EC409AFB7BCEF04740F108469E805D7250E6729E419760

Function 00A6955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00A04EE5: _fseek.LIBCMT ref: 00A04EFD

Part of subcall function 00A69734: _wcscmp.LIBCMT ref: 00A69824
Part of subcall function 00A69734: _wcscmp.LIBCMT ref: 00A69837

_free.LIBCMT ref: 00A696A2
_free.LIBCMT ref: 00A696A9
_free.LIBCMT ref: 00A69714

Part of subcall function 00A22D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00A29A24), ref: 00A22D69
Part of subcall function 00A22D55: GetLastError.KERNEL32(00000000,?,00A29A24), ref: 00A22D7B

_free.LIBCMT ref: 00A6971C

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 50af52b8f22919c11c7515362fb071ee60fc7e1c9e9e4129b0e36dbf2dd802cb
Instruction ID: f2be66cb9a3ab9175e7ae186302d808eb31b3a63c76aab107c26c6fe75af58e4
Opcode Fuzzy Hash: 50af52b8f22919c11c7515362fb071ee60fc7e1c9e9e4129b0e36dbf2dd802cb
Instruction Fuzzy Hash: FC514DB1D04259AFDF249F64DC81A9EBBB9FF48300F1045AEF609A3241DB715A90CF58

Function 00A2470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A247A0
__flush.LIBCMT ref: 00A247C0
__write.LIBCMT ref: 00A247F3
__flsbuf.LIBCMT ref: 00A24821

Part of subcall function 00A28B28: __getptd_noexit.LIBCMT ref: 00A28B28

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: aad2f5e608f8efba43aac6e934a71f9fe2258905eab53e1ccdd764cf28e9f888
Instruction ID: b23306783b40eaca12b45ac89fd486af644d8b33294e1e35aa105e0005e12a04
Opcode Fuzzy Hash: aad2f5e608f8efba43aac6e934a71f9fe2258905eab53e1ccdd764cf28e9f888
Instruction Fuzzy Hash: 3341D775B00B659FDB18CF6DE9809AE7BB6EF49360B24813DE825C7640D770DD408B40

Function 00A044A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A044CF

Part of subcall function 00A0407C: _memset.LIBCMT ref: 00A040FC
Part of subcall function 00A0407C: _wcscpy.LIBCMT ref: 00A04150
Part of subcall function 00A0407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00A04160

KillTimer.USER32(?,00000001,?,?), ref: 00A04524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A04533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00A3D4B9

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: b79205f6f999ed4222e950f6edba84619579d667140909ca85079272dc692ea6
Instruction ID: 43e5ad1fb00a480a3be48dcc5b9e55e228cf06d6bdacd76fa335fda5c426210b
Opcode Fuzzy Hash: b79205f6f999ed4222e950f6edba84619579d667140909ca85079272dc692ea6
Instruction Fuzzy Hash: 5521C5B0904798AFE732CB64AC55BE6BBECAB05318F04009DF79A5A181C3742D85CB51

Function 00A07285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A3EA39
GetOpenFileNameW.COMDLG32(?), ref: 00A3EA83

Part of subcall function 00A04750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A04743,?,?,00A037AE,?), ref: 00A04770

Part of subcall function 00A20791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00A207B0

Strings

X, xrefs: 00A3EA51

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 7c8c290a296ca843265ba7ffa7c999c968cccd5004d8131b8e56f78b64d50916
Instruction ID: bcaab4be8f974a2ef1ee84ef39c1a762ef6efdd27996ad07c7af4deb0df08999
Opcode Fuzzy Hash: 7c8c290a296ca843265ba7ffa7c999c968cccd5004d8131b8e56f78b64d50916
Instruction Fuzzy Hash: 3C219371E0025C9BDB41DF98D845BEE7BFCAF49714F004059F508AB282DBB45989CFA1

Function 00A68D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A68DAC
__fread_nolock.LIBCMT ref: 00A68DC1

Strings

EA06, xrefs: 00A68DF3

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 9a01e92bad6019a411709813fe0a097185793ccfc60f3338ab6b4c96b56ab772
Instruction ID: d18bd9fd2b385161d51bd7f9a2f2d27032bf5630cd7f836a2552aaf2cf5cf4b7
Opcode Fuzzy Hash: 9a01e92bad6019a411709813fe0a097185793ccfc60f3338ab6b4c96b56ab772
Instruction Fuzzy Hash: CB01B971D042287EDB18CBA8D856EFE7BFCDB15311F0045AAF552D2181E979E6048760

Function 00D85010 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00D85055
ExitProcess.KERNEL32(00000000), ref: 00D85074

Strings

D, xrefs: 00D85021

Memory Dump Source

Source File: 00000000.00000002.1286720704.0000000000D84000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D84000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d84000_hZbkP3TJBJ.jbxd

Similarity

API ID: Process$CreateExit
String ID: D
API String ID: 126409537-2746444292
Opcode ID: 0821f884aa5cc6b4c195274ad0b22897ff79d929f6fdf946f6e29fa30509634f
Instruction ID: 2e6c5411254fa1f4e8bc1ad3bc922f0df98151fcaa64ecb942e9e0a1a1a84adf
Opcode Fuzzy Hash: 0821f884aa5cc6b4c195274ad0b22897ff79d929f6fdf946f6e29fa30509634f
Instruction Fuzzy Hash: FDF0ECB154024CABDB60EFE0CC4AFEE777CBF04701F148508BB5A9A184EA75D6088B61

Function 00A698E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00A698F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00A6990F

Strings

aut, xrefs: 00A69909

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 9ca06543492ba8c28657594f30638d61ee8ff5d22168eaa94c37ab91932afff8
Instruction ID: 72a000a23c4ab35520007ead8eca490a3655984f07467dd422a0284bbacc6097
Opcode Fuzzy Hash: 9ca06543492ba8c28657594f30638d61ee8ff5d22168eaa94c37ab91932afff8
Instruction Fuzzy Hash: 33D05E7954030EBFDB50DBE4DC0EFDA773CE704700F0006B1BA54D10A2EAB095998B91

Function 00A7CADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c16e93b708e1fcb84866c172936ad5c8ac1bfb9533ff6a4f2472e380577b9316
Instruction ID: c9087cb03793e5bf561c0390a32d8846e5229079d83e075d2ffe0b9c2344ccb4
Opcode Fuzzy Hash: c16e93b708e1fcb84866c172936ad5c8ac1bfb9533ff6a4f2472e380577b9316
Instruction Fuzzy Hash: 78F118716083059FC714DF28C984A6ABBE5FF88324F54C92EF8999B252D731E945CF82

Function 00A0F76F Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00A20162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00A20193
Part of subcall function 00A20162: MapVirtualKeyW.USER32(00000010,00000000), ref: 00A2019B
Part of subcall function 00A20162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00A201A6
Part of subcall function 00A20162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00A201B1
Part of subcall function 00A20162: MapVirtualKeyW.USER32(00000011,00000000), ref: 00A201B9
Part of subcall function 00A20162: MapVirtualKeyW.USER32(00000012,00000000), ref: 00A201C1

Part of subcall function 00A160F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00A0F930), ref: 00A16154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00A0F9CD
OleInitialize.OLE32(00000000), ref: 00A0FA4A
CloseHandle.KERNEL32(00000000), ref: 00A445C8

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 4b1a7fab80215492a698a9c2dadfd99a215163ba28bdbb5a320921129e551015
Instruction ID: 20bfca6a5b21239f111d57ad509bce3ed80e358d8f4fcb1070cef4a0db75d1ac
Opcode Fuzzy Hash: 4b1a7fab80215492a698a9c2dadfd99a215163ba28bdbb5a320921129e551015
Instruction Fuzzy Hash: 6781C3B0D01A40CFC788DFB9EA54E197BE6EB98306752852AF019CB361E77464C6CF10

Function 00A0434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A04370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A04415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00A04432

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 3af1b16c8b4d9a64df2040a7cd48a06bfad1b0df140ccc521101b59d3394a64d
Instruction ID: adf03851d8dad3704b9ecc5f27be1a8cf39d76e05e823198131c1b11f8e37569
Opcode Fuzzy Hash: 3af1b16c8b4d9a64df2040a7cd48a06bfad1b0df140ccc521101b59d3394a64d
Instruction Fuzzy Hash: EC3181B09047058FD720DF74E884A9BBBF8FB59309F00092EF69A86291D771A944CB52

Function 00A2571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00A25733

Part of subcall function 00A2A16B: __NMSG_WRITE.LIBCMT ref: 00A2A192
Part of subcall function 00A2A16B: __NMSG_WRITE.LIBCMT ref: 00A2A19C

__NMSG_WRITE.LIBCMT ref: 00A2573A

Part of subcall function 00A2A1C8: GetModuleFileNameW.KERNEL32(00000000,00AC33BA,00000104,?,00000001,00000000), ref: 00A2A25A
Part of subcall function 00A2A1C8: ___crtMessageBoxW.LIBCMT ref: 00A2A308

Part of subcall function 00A2309F: ___crtCorExitProcess.LIBCMT ref: 00A230A5
Part of subcall function 00A2309F: ExitProcess.KERNEL32 ref: 00A230AE

Part of subcall function 00A28B28: __getptd_noexit.LIBCMT ref: 00A28B28

RtlAllocateHeap.NTDLL(00B60000,00000000,00000001,00000000,?,?,?,00A20DD3,?), ref: 00A2575F

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 6e40573312b6dae124acc0233b08a86e6ab6eb35810fe16298ba4254f59455bf
Instruction ID: a7d19e035d8eb0063f3f2bddae785ff332ea057143d2322b36f732e2ec59c0c8
Opcode Fuzzy Hash: 6e40573312b6dae124acc0233b08a86e6ab6eb35810fe16298ba4254f59455bf
Instruction Fuzzy Hash: 8D01F132A80B32DFEE14677CFD82A2E7398AB92761F110939F9059A181DE748D014661

Function 00A698A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00A69548,?,?,?,?,?,00000004), ref: 00A698BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00A69548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00A698D1
CloseHandle.KERNEL32(00000000,?,00A69548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00A698D8

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: ceedd15fe8d6de0c1587e7f8b992de6071d88bc030ea9799396b6b90b8f58cf3
Instruction ID: 18f93426011647cb0d80d8e1403a0c2f6758110a7ccb786994a7ccc9ca2f7464
Opcode Fuzzy Hash: ceedd15fe8d6de0c1587e7f8b992de6071d88bc030ea9799396b6b90b8f58cf3
Instruction Fuzzy Hash: A7E08632141215BBD7216B94EC0DFDA7F69EB06760F104220FB24A90E087B115229798

Function 00A68D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00A68D1B

Part of subcall function 00A22D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00A29A24), ref: 00A22D69
Part of subcall function 00A22D55: GetLastError.KERNEL32(00000000,?,00A29A24), ref: 00A22D7B

_free.LIBCMT ref: 00A68D2C
_free.LIBCMT ref: 00A68D3E

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c56cf7ee783aa8295308e84720220828ccc4d403300e1e82c1220f1652f177a4
Instruction ID: 2a4d16a065b6d2a8658ef79c645ff31b9163ff674b7bbadfd7b04d14a228d245
Opcode Fuzzy Hash: c56cf7ee783aa8295308e84720220828ccc4d403300e1e82c1220f1652f177a4
Instruction Fuzzy Hash: 7CE012B160161197CB24A77CBA40B9313EC4F5C7527140A2DB50DD71C6CE68F8528274

Function 00A0A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00A3FC01

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 3abcb23c599442910f7b0bc533058b286b8ec3f862ac9c684c09987fd01d5639
Instruction ID: 4737e5cda5ec764d55ba49ba95efed01e24c787a695e45b97e1462c5d8a66e7c
Opcode Fuzzy Hash: 3abcb23c599442910f7b0bc533058b286b8ec3f862ac9c684c09987fd01d5639
Instruction Fuzzy Hash: CE226874A08305DFDB24DF14D594A6ABBF1BF94304F15896DE88A8B3A2D731EC45CB82

Function 00A04C70 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A04CBA

Strings

EA06, xrefs: 00A3D8CC

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: f9ff5a00d59a50dd8876d6ba391c0b1c34689e0bbb75f603306cb02231a24d37
Instruction ID: 2cb3b60e29ce19d38c85fee90edf7c9f0392cbf8e00b4dd35d3817d0ca1ec9e2
Opcode Fuzzy Hash: f9ff5a00d59a50dd8876d6ba391c0b1c34689e0bbb75f603306cb02231a24d37
Instruction Fuzzy Hash: 034159B1A0425C6BDF219B64F9617BE7FB2BB5D300F284475EE829B2C2D6209D4483A1

Function 00A07A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A07AAB
_memmove.LIBCMT ref: 00A07B16

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 8787708196ce45b0a8645caae1a99237cce191730ca2271c137f8889e79cc621
Instruction ID: bca7b7334fb109a55cd48c05b61990d5440e9d0b7809684dbcdfd2197bdc6def
Opcode Fuzzy Hash: 8787708196ce45b0a8645caae1a99237cce191730ca2271c137f8889e79cc621
Instruction Fuzzy Hash: F83184B1B0450AAFC704DF68E8D1E6DB3A5FF493507158629E519CB2D1EB30F950CB90

Function 00A047D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00A04834

Part of subcall function 00A2336C: __lock.LIBCMT ref: 00A23372
Part of subcall function 00A2336C: DecodePointer.KERNEL32(00000001,?,00A04849,00A57C74), ref: 00A2337E
Part of subcall function 00A2336C: EncodePointer.KERNEL32(?,?,00A04849,00A57C74), ref: 00A23389

Part of subcall function 00A048FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00A04915
Part of subcall function 00A048FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00A0492A

Part of subcall function 00A03B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A03B68
Part of subcall function 00A03B3A: IsDebuggerPresent.KERNEL32 ref: 00A03B7A
Part of subcall function 00A03B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,00AC52F8,00AC52E0,?,?), ref: 00A03BEB
Part of subcall function 00A03B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00A03C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00A04874

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 280f4324c461ab8ba7ecc6a353d23f7a4b6e7376817db485e20620cc3ba2bf7e
Instruction ID: afcdc1ad78e248dbde8f433fde0603ea63b83ff8a10b004a5629f963c6b8b2c2
Opcode Fuzzy Hash: 280f4324c461ab8ba7ecc6a353d23f7a4b6e7376817db485e20620cc3ba2bf7e
Instruction Fuzzy Hash: A51190B29043059FC700DFB9E90594ABBE8FF99750F11891EF440972B1DB70964ACB91

Function 00A20DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A2571C: __FF_MSGBANNER.LIBCMT ref: 00A25733
Part of subcall function 00A2571C: __NMSG_WRITE.LIBCMT ref: 00A2573A
Part of subcall function 00A2571C: RtlAllocateHeap.NTDLL(00B60000,00000000,00000001,00000000,?,?,?,00A20DD3,?), ref: 00A2575F

std::exception::exception.LIBCMT ref: 00A20DEC
__CxxThrowException@8.LIBCMT ref: 00A20E01

Part of subcall function 00A2859B: RaiseException.KERNEL32(?,?,?,00AB9E78,00000000,?,?,?,?,00A20E06,?,00AB9E78,?,00000001), ref: 00A285F0

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 894b755e2e3ae823477b495da46e2418eb5ae4c00e1ffa855bedd258e13409f3
Instruction ID: 49288c1829e7ecf484e1661f7598e4807fca76acbf2e339bc6730a8480f6167d
Opcode Fuzzy Hash: 894b755e2e3ae823477b495da46e2418eb5ae4c00e1ffa855bedd258e13409f3
Instruction Fuzzy Hash: 02F081359422297ADB10BBACFE01ADEB7ACAF01311F104835F90496182EF709A8092D1

Function 00A255FD Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A2562C
__lock_file.LIBCMT ref: 00A2564D

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 0ecf6c5bfeea4e8657bb78787fe742c66d5f5a54ebda4af1e7b8d0c315809e1f
Instruction ID: 46b7e86802fe24a9e085820aea679c27f99a66dc1d70b23551fe12d47760ade9
Opcode Fuzzy Hash: 0ecf6c5bfeea4e8657bb78787fe742c66d5f5a54ebda4af1e7b8d0c315809e1f
Instruction Fuzzy Hash: 07018471C01628ABCF22AF7CBD0649E7B61BF51361F584135F8141B191EB358A51DF91

Function 00A253A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A28B28: __getptd_noexit.LIBCMT ref: 00A28B28

__lock_file.LIBCMT ref: 00A253EB

Part of subcall function 00A26C11: __lock.LIBCMT ref: 00A26C34

__fclose_nolock.LIBCMT ref: 00A253F6

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 872d297a23a9bc47723b2303f124ab39a1786934a7bed41ab59710360f9b1c00
Instruction ID: 291966fd953d28a5a5478059381203b655a62701f1ac57534b89b8acb0db5508
Opcode Fuzzy Hash: 872d297a23a9bc47723b2303f124ab39a1786934a7bed41ab59710360f9b1c00
Instruction Fuzzy Hash: 3CF09031C02A249ADB10BB7DB9027AD66E07F41374F209268F424AF1C1CBBCC941AF92

Function 00D85080 Relevance: 1.7, APIs: 1, Instructions: 181COMMON

Download Yara Rule

APIs

Part of subcall function 00D848F0: GetFileAttributesW.KERNELBASE(?), ref: 00D848FB

CreateDirectoryW.KERNELBASE(?,00000000), ref: 00D8521B

Memory Dump Source

Source File: 00000000.00000002.1286720704.0000000000D84000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D84000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d84000_hZbkP3TJBJ.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: 6681f51aa02458e03f218fa922fc47bfae38c96ff9d93acbc6d57850732be6a1
Instruction ID: 77c63511de85829b1259b80886cac1ea4edfa55d43fc2b182d6565e841446eb0
Opcode Fuzzy Hash: 6681f51aa02458e03f218fa922fc47bfae38c96ff9d93acbc6d57850732be6a1
Instruction Fuzzy Hash: 0E619431A1160897EF14EFB4D844BEE733AEF58700F108569A60DE7290FB769A44CB65

Function 00A0750F Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A075EA

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 1500c10a084fe4b38af83d2ee32b38ca55db9cfccc56911aab8d16a9946aa7a5
Instruction ID: 9c43f3d3f46eed27af8770d64aac660794e56a90114c0e8d392bfb81f3e61158
Opcode Fuzzy Hash: 1500c10a084fe4b38af83d2ee32b38ca55db9cfccc56911aab8d16a9946aa7a5
Instruction Fuzzy Hash: B731C279A08A169FC714DF18E990966F7B0FF09310B14C569E98A8B391D730F881CB80

Function 00A20C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00A20CB7

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: c78b2afb5153848c07000f5714b9b0b21083dbdb90e87cb7f9b9a2ef506280f3
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 3F31AEB0A001169BC718DF5DE484A69FBB6FB59300B6486A5E84ACB356DA31EDC1DB80

Function 00A3FCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00A3FCB7

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 885c61fbd9d07ecb580fefd4b5b8ffb969e18331930aa6ad5a90b30c562f72ab
Instruction ID: e64034269cf3de203542821e066133f88076ec544dfdeb501430a3ebab687515
Opcode Fuzzy Hash: 885c61fbd9d07ecb580fefd4b5b8ffb969e18331930aa6ad5a90b30c562f72ab
Instruction Fuzzy Hash: 614118745043559FDB14DF18D548B1ABBE1BF45318F0988ACE8998B3A2C731EC45CF52

Function 00A07B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A07BB3

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 2508f243e5ba8f884e7734dad93bfb0b774f4e39b08957d0a5b46d3b4bc7613f
Instruction ID: 540b96358a089fa86512a23f99c704e104617b0246155f613801a4e91e38afb7
Opcode Fuzzy Hash: 2508f243e5ba8f884e7734dad93bfb0b774f4e39b08957d0a5b46d3b4bc7613f
Instruction Fuzzy Hash: CA212172A04A19EBDB10CF66F841B6E7BB4FB14350F21852AF886C51E1EB30D0E0D781

Function 00A04DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A04BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00A04BEF

Part of subcall function 00A2525B: __wfsopen.LIBCMT ref: 00A25266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00AC52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00A04E0F

Part of subcall function 00A04B6A: FreeLibrary.KERNEL32(00000000), ref: 00A04BA4

Part of subcall function 00A04C70: _memmove.LIBCMT ref: 00A04CBA

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 1b7f8c4e1d656a231c43b38cac1a991694dc6dcff2228e18418de8663ea477c2
Instruction ID: 653f83153d3d8574b82a55a6226e3bcad5b5b3dc070845c5297b47e0af431829
Opcode Fuzzy Hash: 1b7f8c4e1d656a231c43b38cac1a991694dc6dcff2228e18418de8663ea477c2
Instruction Fuzzy Hash: A211E37164020AEBCF14FF70E916FAE77A8BF88710F108829F641A71C1EA719A019B50

Function 00A3FD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00A3FD91

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 360315a0bd4ebd79e60215314082aaad9cdf059d9473443199cf2dc395d8ea84
Instruction ID: 36977664b76902c7b81b0a67bca63a062c4650aa3fd235793cfad5e20f161f5e
Opcode Fuzzy Hash: 360315a0bd4ebd79e60215314082aaad9cdf059d9473443199cf2dc395d8ea84
Instruction Fuzzy Hash: 672130B4908305DFDB14DF64D844B1ABBE0BF88314F05886CF88A977A2D731E805CB92

Function 00A24863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00A248A6

Part of subcall function 00A28B28: __getptd_noexit.LIBCMT ref: 00A28B28

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 206740293e18ca66c466c63819cb97fdfb34c76914a0ee3d4ecafe2e8a34ac08
Instruction ID: 1455bf1312e6d48a06a0874bdc37ea0370c25af1ce021765ccef613bd1d4fb59
Opcode Fuzzy Hash: 206740293e18ca66c466c63819cb97fdfb34c76914a0ee3d4ecafe2e8a34ac08
Instruction Fuzzy Hash: 75F02231812628EBDF11AFBCAE063EE36A0AF05320F008434F4209B282DB7C8950DB41

Function 00A04E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00AC52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00A04E7E

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 48e331e91c66fa0780bae3c55939a40f87ae581521861cb7c814031193903bb0
Instruction ID: dc60591b41e40b944f574af04066addfb5c68e5420b93a53420dfb0027589462
Opcode Fuzzy Hash: 48e331e91c66fa0780bae3c55939a40f87ae581521861cb7c814031193903bb0
Instruction Fuzzy Hash: 8EF039B1501716CFDB349F64F494892BBF1BF183693208A3EE2D682660C732A840DF40

Function 00A20791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00A207B0

Part of subcall function 00A07BCC: _memmove.LIBCMT ref: 00A07C06

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 70f6be6b69f2143ae58c7c84e4d9bb048471436425ef91644fbc8253c0598e1f
Instruction ID: 0d45549d095aafdcb2333835874a03cbec6f9a9869b569a019d419cc5c12a335
Opcode Fuzzy Hash: 70f6be6b69f2143ae58c7c84e4d9bb048471436425ef91644fbc8253c0598e1f
Instruction Fuzzy Hash: 37E08636A041285BC720D6989C06FEA779DDB897A0F0541B5FC0CD7244E960AC8086D0

Function 00A68E9F Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00A68EC1

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction ID: 656f391a09484efea2d2e96a81ae6d0e2e7d1bd3caad1b6211c4a17215a0992c
Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction Fuzzy Hash: D8E092B0504B005BD7388B24D800BA373E5AB05304F00091DF2AA83241EB63B8418759

Function 00D848F0 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 00D848FB

Memory Dump Source

Source File: 00000000.00000002.1286720704.0000000000D84000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D84000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d84000_hZbkP3TJBJ.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: 01e0c9319345bd68a6b6fc11cd1951b9697f14ca94bc817115e6ed17e1feaf12
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: 3DE08C31A0520DEBCB30FEE88808AAA73A8D708320F144659E846C3280D5348E40AF28

Function 00D848C0 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 00D848CB

Memory Dump Source

Source File: 00000000.00000002.1286720704.0000000000D84000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D84000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d84000_hZbkP3TJBJ.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: 7f7580b7361bf4a6957dc32ba3cca36e01a891fb8893f07aa9e983c2a2bcd805
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: 9FD0A73090624DEBCB10EFB49C04ADA73B8DB05321F108754FD15C3280D5319D50A760

Function 00A2525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00A25266

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 8218024f2292eaf6f1526d619068c98a9c91e7f761203792b0aebcfb5e241e77
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 80B092B684020CB7CE012A96FC02A993B19AB41764F408020FB0C181A2A673A6649A89

Function 00D8631C Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00D86331

Memory Dump Source

Source File: 00000000.00000002.1286720704.0000000000D84000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D84000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d84000_hZbkP3TJBJ.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 65aa30c3ad3df441b64dd015a043140c7d12cc75bae548e583c5c442e2ad32d7
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 9AE0BF7494010DEFDB00EFA8D5496DE7BB4EF04311F1005A1FD05D7680DB319E548A62

Function 00D86320 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00D86331

Memory Dump Source

Source File: 00000000.00000002.1286720704.0000000000D84000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D84000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d84000_hZbkP3TJBJ.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 5f0291bbfe73394a57df6ad0eb6a30fc3484548514381438780c5c90c3c1e026
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: A0E0E67494010DDFDB00EFB8D54969E7FF4EF04301F100161FD01D2280D6319D508A72

Non-executed Functions

Function 00A8CABC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00A02612: GetWindowLongW.USER32(?,000000EB), ref: 00A02623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00A8CB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00A8CB95
GetWindowLongW.USER32(?,000000F0), ref: 00A8CBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A8CC00
SendMessageW.USER32 ref: 00A8CC29
_wcsncpy.LIBCMT ref: 00A8CC95
GetKeyState.USER32(00000011), ref: 00A8CCB6
GetKeyState.USER32(00000009), ref: 00A8CCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00A8CCD9
GetKeyState.USER32(00000010), ref: 00A8CCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A8CD0C
SendMessageW.USER32 ref: 00A8CD33
SendMessageW.USER32(?,00001030,?,00A8B348), ref: 00A8CE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00A8CE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00A8CE60
SetCapture.USER32(?), ref: 00A8CE69
ClientToScreen.USER32(?,?), ref: 00A8CECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00A8CEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00A8CEF5
ReleaseCapture.USER32 ref: 00A8CF00
GetCursorPos.USER32(?), ref: 00A8CF3A
ScreenToClient.USER32(?,?), ref: 00A8CF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 00A8CFA3
SendMessageW.USER32 ref: 00A8CFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 00A8D00E
SendMessageW.USER32 ref: 00A8D03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00A8D05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00A8D06D
GetCursorPos.USER32(?), ref: 00A8D08D
ScreenToClient.USER32(?,?), ref: 00A8D09A
GetParent.USER32(?), ref: 00A8D0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 00A8D123
SendMessageW.USER32 ref: 00A8D154
ClientToScreen.USER32(?,?), ref: 00A8D1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00A8D1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 00A8D20C
SendMessageW.USER32 ref: 00A8D22F
ClientToScreen.USER32(?,?), ref: 00A8D281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00A8D2B5

Part of subcall function 00A025DB: GetWindowLongW.USER32(?,000000EB), ref: 00A025EC

GetWindowLongW.USER32(?,000000F0), ref: 00A8D351

Strings

F, xrefs: 00A8D235
@GUI_DRAGID, xrefs: 00A8CE9C

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: f1065746fef08ad80f086767014a1f529d5f3ff696f582c75dc2b61fd636857c
Instruction ID: f8d21231fb17d9d0f01a89aebf31e982b05aa53a5743e2c0bf815730fb5ee700
Opcode Fuzzy Hash: f1065746fef08ad80f086767014a1f529d5f3ff696f582c75dc2b61fd636857c
Instruction Fuzzy Hash: E542AC74604741AFD724EF68D848FAABBE5FF48320F140A29F5598B2A0D731E851DF62

Function 00A16F9E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A171C3
_memset.LIBCMT ref: 00A17539
_memmove.LIBCMT ref: 00A176AC

Strings

DEFINE, xrefs: 00A52103
[:>:]], xrefs: 00A17492
\b(?=\w), xrefs: 00A53769
\b(?<=\w), xrefs: 00A53773
[:<:]], xrefs: 00A17479
Q\E, xrefs: 00A17FCB

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: 96dd9847458407611a88967e2cfa06784283657646516f8efd0fd253f4044597
Instruction ID: 867063dd62100e8baeeac8b8950a2ce8fdcb6f5f02154184972e5fdaea1c92bb
Opcode Fuzzy Hash: 96dd9847458407611a88967e2cfa06784283657646516f8efd0fd253f4044597
Instruction Fuzzy Hash: A693A176A04219DBDF24CF98C881BEDB7B1FF48351F24816AED55AB281E7709E85CB40

Function 00A048D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00A048DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A3D665
IsIconic.USER32(?), ref: 00A3D66E
ShowWindow.USER32(?,00000009), ref: 00A3D67B
SetForegroundWindow.USER32(?), ref: 00A3D685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00A3D69B
GetCurrentThreadId.KERNEL32 ref: 00A3D6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 00A3D6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00A3D6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 00A3D6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 00A3D6CF
SetForegroundWindow.USER32(?), ref: 00A3D6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A3D6E7
keybd_event.USER32(00000012,00000000), ref: 00A3D6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A3D6FC
keybd_event.USER32(00000012,00000000), ref: 00A3D701
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A3D70A
keybd_event.USER32(00000012,00000000), ref: 00A3D70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A3D719
keybd_event.USER32(00000012,00000000), ref: 00A3D71E
SetForegroundWindow.USER32(?), ref: 00A3D721
AttachThreadInput.USER32(?,?,00000000), ref: 00A3D748

Strings

Shell_TrayWnd, xrefs: 00A3D660

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 998e957157891dfbf1e832ff43464e618fcc47629101f2798799a0523fc12294
Instruction ID: eb418855183998edd3dcee93fb5cb4bebc62ccb729ca667957065c6370fa06bb
Opcode Fuzzy Hash: 998e957157891dfbf1e832ff43464e618fcc47629101f2798799a0523fc12294
Instruction Fuzzy Hash: F2315271A40318BEEB206BA19C4AF7F7E6CEB44B50F104035FA04EA1D1D6B05951ABA1

Function 00A58310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00A587E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A5882B
Part of subcall function 00A587E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A58858
Part of subcall function 00A587E1: GetLastError.KERNEL32 ref: 00A58865

_memset.LIBCMT ref: 00A58353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00A583A5
CloseHandle.KERNEL32(?), ref: 00A583B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00A583CD
GetProcessWindowStation.USER32 ref: 00A583E6
SetProcessWindowStation.USER32(00000000), ref: 00A583F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00A5840A

Part of subcall function 00A581CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00A58309), ref: 00A581E0
Part of subcall function 00A581CB: CloseHandle.KERNEL32(?,?,00A58309), ref: 00A581F2

Strings

default, xrefs: 00A58405
winsta0, xrefs: 00A583C8
, xrefs: 00A58362

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 9c8d2d583ae7fb009bb3f8b148e8e3c4fd3e24be8b79a6157f124d5c8fde2e78
Instruction ID: 01323bdc44d5914776610e4b6bb9592e449c7a96cc412cbe6a2a3abbcb7a7d24
Opcode Fuzzy Hash: 9c8d2d583ae7fb009bb3f8b148e8e3c4fd3e24be8b79a6157f124d5c8fde2e78
Instruction Fuzzy Hash: 7B8156B1900249AFDF11DFA4DD45AEEBBB9FF08305F144169FD10B6261EB398A19DB20

Function 00A6C75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00A6C78D
FindClose.KERNEL32(00000000), ref: 00A6C7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00A6C806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00A6C81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 00A6C844
__swprintf.LIBCMT ref: 00A6C890
__swprintf.LIBCMT ref: 00A6C8D3

Part of subcall function 00A07DE1: _memmove.LIBCMT ref: 00A07E22

__swprintf.LIBCMT ref: 00A6C927

Part of subcall function 00A23698: __woutput_l.LIBCMT ref: 00A236F1

__swprintf.LIBCMT ref: 00A6C975

Part of subcall function 00A23698: __flsbuf.LIBCMT ref: 00A23713
Part of subcall function 00A23698: __flsbuf.LIBCMT ref: 00A2372B

__swprintf.LIBCMT ref: 00A6C9C4
__swprintf.LIBCMT ref: 00A6CA13
__swprintf.LIBCMT ref: 00A6CA62

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00A6C88A
%4d, xrefs: 00A6C8CD
%02d, xrefs: 00A6C91B, 00A6C925, 00A6C973, 00A6C9C2, 00A6CA11, 00A6CA60

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: bf26cfa50ac55b744ac4a7b03638f65278db42d2a6b63159c41b94a1dc2a4604
Instruction ID: 4a2fb8e249f667d2c835f5664e716c4a06f4e5ef6de59a234f372ab6997fe3e3
Opcode Fuzzy Hash: bf26cfa50ac55b744ac4a7b03638f65278db42d2a6b63159c41b94a1dc2a4604
Instruction Fuzzy Hash: 5CA120B2404309AFC710EFA4D995DAFB7ECFF95700F404929F59587192EA34DA08CB62

Function 00A6EF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00A6EFB6
_wcscmp.LIBCMT ref: 00A6EFCB
_wcscmp.LIBCMT ref: 00A6EFE2
GetFileAttributesW.KERNEL32(?), ref: 00A6EFF4
SetFileAttributesW.KERNEL32(?,?), ref: 00A6F00E
FindNextFileW.KERNEL32(00000000,?), ref: 00A6F026
FindClose.KERNEL32(00000000), ref: 00A6F031
FindFirstFileW.KERNEL32(*.*,?), ref: 00A6F04D
_wcscmp.LIBCMT ref: 00A6F074
_wcscmp.LIBCMT ref: 00A6F08B
SetCurrentDirectoryW.KERNEL32(?), ref: 00A6F09D
SetCurrentDirectoryW.KERNEL32(00AB8920), ref: 00A6F0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A6F0C5
FindClose.KERNEL32(00000000), ref: 00A6F0D2
FindClose.KERNEL32(00000000), ref: 00A6F0E4

Strings

*.*, xrefs: 00A6F048

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: fd7fe1378d6ee365c2f8adf81ab0a70b3d9ef42ebf68bde360d6da17511bba66
Instruction ID: 0f6e0e59dd39db372b5944892537618ea2c5527d0b3fc30d2c9225f07b3d1971
Opcode Fuzzy Hash: fd7fe1378d6ee365c2f8adf81ab0a70b3d9ef42ebf68bde360d6da17511bba66
Instruction Fuzzy Hash: 2731AF3250121A7EDF14EFA4EC49AEE77BCAF49360F114176E904E30A1EB74DA85CB61

Function 00A80857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A80953
RegCreateKeyExW.ADVAPI32(?,?,00000000,00A8F910,00000000,?,00000000,?,?), ref: 00A809C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00A80A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00A80A92
RegCloseKey.ADVAPI32(?), ref: 00A80DB2
RegCloseKey.ADVAPI32(00000000), ref: 00A80DBF

Strings

REG_EXPAND_SZ, xrefs: 00A80A2F
REG_SZ, xrefs: 00A80AD0
REG_BINARY, xrefs: 00A80D4D
REG_MULTI_SZ, xrefs: 00A80B7A
REG_QWORD, xrefs: 00A80D00
REG_DWORD, xrefs: 00A80C83

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 4a7cf8bc4e1665fa6e9502ede924658172086566a3d349c6af0c1b59bd488206
Instruction ID: 55fee705de4f1002ad405c22edeb78cb09c60b687371e414ab5469ab23d18e78
Opcode Fuzzy Hash: 4a7cf8bc4e1665fa6e9502ede924658172086566a3d349c6af0c1b59bd488206
Instruction Fuzzy Hash: 43024B756006159FCB54EF28D941E2AB7E5FF89314F04895CF89A9B3A2DB30EC49CB81

Function 00A6F0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00A6F113
_wcscmp.LIBCMT ref: 00A6F128
_wcscmp.LIBCMT ref: 00A6F13F

Part of subcall function 00A64385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00A643A0

FindNextFileW.KERNEL32(00000000,?), ref: 00A6F16E
FindClose.KERNEL32(00000000), ref: 00A6F179
FindFirstFileW.KERNEL32(*.*,?), ref: 00A6F195
_wcscmp.LIBCMT ref: 00A6F1BC
_wcscmp.LIBCMT ref: 00A6F1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 00A6F1E5
SetCurrentDirectoryW.KERNEL32(00AB8920), ref: 00A6F203
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A6F20D
FindClose.KERNEL32(00000000), ref: 00A6F21A
FindClose.KERNEL32(00000000), ref: 00A6F22C

Strings

*.*, xrefs: 00A6F190

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 0028526011558c4885482da6b396f2585df7a7315a69432f3f471e487dd2fb1a
Instruction ID: 0a777c350a96dfa94dedf85f8075b84b50e7a41d6e176eb9022fc091d6d0e8c3
Opcode Fuzzy Hash: 0028526011558c4885482da6b396f2585df7a7315a69432f3f471e487dd2fb1a
Instruction Fuzzy Hash: FB31703650021A7EDF10EFB4FC59AEE77BC9F46360F100175E914A21A1EA34DA45CA64

Function 00A6A1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00A6A20F
__swprintf.LIBCMT ref: 00A6A231
CreateDirectoryW.KERNEL32(?,00000000), ref: 00A6A26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00A6A293
_memset.LIBCMT ref: 00A6A2B2
_wcsncpy.LIBCMT ref: 00A6A2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00A6A323
CloseHandle.KERNEL32(00000000), ref: 00A6A32E
RemoveDirectoryW.KERNEL32(?), ref: 00A6A337
CloseHandle.KERNEL32(00000000), ref: 00A6A341

Strings

:, xrefs: 00A6A252
\, xrefs: 00A6A247
\??\%s, xrefs: 00A6A22B

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 0344da21ff4f5fca7f0af5938e6753f507b131690a92f77322cf2cb427871e14
Instruction ID: 1ed63783ec047ec346f99706fcc41009399e65cd0a51ad20d774a507a4e30123
Opcode Fuzzy Hash: 0344da21ff4f5fca7f0af5938e6753f507b131690a92f77322cf2cb427871e14
Instruction Fuzzy Hash: CB31E4B590011AABDB20DFA4DC49FEB77BCEF88700F1041B6F508E6160EB7496458F25

Function 00A57CAF Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A58202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00A5821E
Part of subcall function 00A58202: GetLastError.KERNEL32(?,00A57CE2,?,?,?), ref: 00A58228
Part of subcall function 00A58202: GetProcessHeap.KERNEL32(00000008,?,?,00A57CE2,?,?,?), ref: 00A58237
Part of subcall function 00A58202: HeapAlloc.KERNEL32(00000000,?,00A57CE2,?,?,?), ref: 00A5823E
Part of subcall function 00A58202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00A58255

Part of subcall function 00A5829F: GetProcessHeap.KERNEL32(00000008,00A57CF8,00000000,00000000,?,00A57CF8,?), ref: 00A582AB
Part of subcall function 00A5829F: HeapAlloc.KERNEL32(00000000,?,00A57CF8,?), ref: 00A582B2
Part of subcall function 00A5829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00A57CF8,?), ref: 00A582C3

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00A57D13
_memset.LIBCMT ref: 00A57D28
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00A57D47
GetLengthSid.ADVAPI32(?), ref: 00A57D58
GetAce.ADVAPI32(?,00000000,?), ref: 00A57D95
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00A57DB1
GetLengthSid.ADVAPI32(?), ref: 00A57DCE
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00A57DDD
HeapAlloc.KERNEL32(00000000), ref: 00A57DE4
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00A57E05
CopySid.ADVAPI32(00000000), ref: 00A57E0C
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00A57E3D
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00A57E63
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00A57E77

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 841f9296f0778658d8f188faaa4599d17968c4ca62a76fa77e6b07d9b827b6bc
Instruction ID: 71f4730d1ea11459ee2a62c963d71c6438b8ffed81fc8126929d8592879553c1
Opcode Fuzzy Hash: 841f9296f0778658d8f188faaa4599d17968c4ca62a76fa77e6b07d9b827b6bc
Instruction Fuzzy Hash: C2612C7190420AAFDF00DFA5EC45AEEBB79FF04301F148269ED15A6291DB359E1ACB60

Function 00A166E1 Relevance: 18.4, Strings: 14, Instructions: 889COMMON

Download Yara Rule

Strings

UCP), xrefs: 00A5110D
LIMIT_MATCH=, xrefs: 00A51170
NO_AUTO_POSSESS), xrefs: 00A5112E
ANY), xrefs: 00A512DE
BSR_ANYCRLF), xrefs: 00A5131E
UTF), xrefs: 00A510FA
NO_START_OPT), xrefs: 00A5114F
CRLF), xrefs: 00A512C1
BSR_UNICODE), xrefs: 00A51338
CR), xrefs: 00A51287
UTF16), xrefs: 00A510CF
LF), xrefs: 00A512A4
ANYCRLF), xrefs: 00A512FB
LIMIT_RECURSION=, xrefs: 00A511FC

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: b7032571e27c48ae86aa27a512b0634588b8174c3c0ef78c4cb9ef0d6ba0aef1
Instruction ID: 677362369a26a451a7b89099b507e0ca19b99e5d237514fc853fc4bdc6453e34
Opcode Fuzzy Hash: b7032571e27c48ae86aa27a512b0634588b8174c3c0ef78c4cb9ef0d6ba0aef1
Instruction Fuzzy Hash: 82726D75E002199BDB14CF59C8907FEB7B5FF48311F14816AE809EB291EB749E85CB90

Function 00A6001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00A60097
SetKeyboardState.USER32(?), ref: 00A60102
GetAsyncKeyState.USER32(000000A0), ref: 00A60122
GetKeyState.USER32(000000A0), ref: 00A60139
GetAsyncKeyState.USER32(000000A1), ref: 00A60168
GetKeyState.USER32(000000A1), ref: 00A60179
GetAsyncKeyState.USER32(00000011), ref: 00A601A5
GetKeyState.USER32(00000011), ref: 00A601B3
GetAsyncKeyState.USER32(00000012), ref: 00A601DC
GetKeyState.USER32(00000012), ref: 00A601EA
GetAsyncKeyState.USER32(0000005B), ref: 00A60213
GetKeyState.USER32(0000005B), ref: 00A60221

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 2ba1c613b3c381b8c1b2567811b01d226e25d18a7e61a8e7c71b472545dfcb6e
Instruction ID: aa036b476340c9de0aa37271512203cdb69a4af4f7f9db79e25e5ed3997455cb
Opcode Fuzzy Hash: 2ba1c613b3c381b8c1b2567811b01d226e25d18a7e61a8e7c71b472545dfcb6e
Instruction Fuzzy Hash: 1551D93090478829FB35DBB08954FEBBFB49F12380F08469ED5C65A5C2DAA49BCCC761

Function 00A803DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A80E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A7FDAD,?,?), ref: 00A80E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A804AC

Part of subcall function 00A09837: __itow.LIBCMT ref: 00A09862
Part of subcall function 00A09837: __swprintf.LIBCMT ref: 00A098AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00A8054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00A805E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00A80822
RegCloseKey.ADVAPI32(00000000), ref: 00A8082F

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: acbb658a5b4cf05cce866dd74d47b68501420014bdf38d32255b832bce67401b
Instruction ID: b87e91905dfc69a9cb0d13224ea78dfb238132a2b5d0fad9eb40251a1584b063
Opcode Fuzzy Hash: acbb658a5b4cf05cce866dd74d47b68501420014bdf38d32255b832bce67401b
Instruction Fuzzy Hash: 6FE14D71604204AFCB54EF28C991D6BBBF8FF89314F04856DF84ADB2A2D630E945CB91

Function 00A783BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00A09837: __itow.LIBCMT ref: 00A09862
Part of subcall function 00A09837: __swprintf.LIBCMT ref: 00A098AC

CoInitialize.OLE32 ref: 00A78403
CoUninitialize.OLE32 ref: 00A7840E
CoCreateInstance.OLE32(?,00000000,00000017,00A92BEC,?), ref: 00A7846E
IIDFromString.OLE32(?,?), ref: 00A784E1
VariantInit.OLEAUT32(?), ref: 00A7857B
VariantClear.OLEAUT32(?), ref: 00A785DC

Strings

Failed to create object, xrefs: 00A78479, 00A7852F
NULL Pointer assignment, xrefs: 00A784B3
Invalid parameter, xrefs: 00A784FA

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: f8505a5e10647be8bb75b993dd1972ffd07ea073f97206d1abce3f76eee91517
Instruction ID: 2507adeefbf2e47ad60bbfd662f0e54b4d9355eb94fab6142f66607867399e04
Opcode Fuzzy Hash: f8505a5e10647be8bb75b993dd1972ffd07ea073f97206d1abce3f76eee91517
Instruction Fuzzy Hash: 9861AE70648312AFC710DF64D948F6AB7E8AF49754F00C819F9899B291CB78ED48CB92

Function 00A74164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00A7418B
EmptyClipboard.USER32 ref: 00A74191
GlobalAlloc.KERNEL32(00000002,?), ref: 00A741A6
CloseClipboard.USER32 ref: 00A74245

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: d1bb22a305eee6aef4d40991e8c6b83a33788d4a6e487bea99566314f7427fe6
Instruction ID: c7c145b2f3da99aa1917ede59c8091077dd06208c932c9a3a2f3ff21b7b519f3
Opcode Fuzzy Hash: d1bb22a305eee6aef4d40991e8c6b83a33788d4a6e487bea99566314f7427fe6
Instruction Fuzzy Hash: 4B21B5752012159FDB10EFA4EC09B6E7BA8FF04711F10C125F949DB2A2EB30AC42CB94

Function 00A637EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A04750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A04743,?,?,00A037AE,?), ref: 00A04770

Part of subcall function 00A64A31: GetFileAttributesW.KERNEL32(?,00A6370B), ref: 00A64A32

FindFirstFileW.KERNEL32(?,?), ref: 00A638A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00A6394B
MoveFileW.KERNEL32(?,?), ref: 00A6395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00A6397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A6399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00A639B9

Strings

\*.*, xrefs: 00A6384E, 00A63857, 00A6386C

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 8ec35d00fc28fd8ba1f5af411ac67fd5b3a8ea144712b9da2bc57a17510eb33d
Instruction ID: 44d8c878e5f6dac92f68cbb72c1f820acbeb0e51b6a9fad734e1df4d4ffbee4c
Opcode Fuzzy Hash: 8ec35d00fc28fd8ba1f5af411ac67fd5b3a8ea144712b9da2bc57a17510eb33d
Instruction Fuzzy Hash: D8514F72C0514DAACF05EBE0EA929EDB779AF15304F600069E406B7191EB716F0ACB61

Function 00A6F3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00A07DE1: _memmove.LIBCMT ref: 00A07E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00A6F440
Sleep.KERNEL32(0000000A), ref: 00A6F470
_wcscmp.LIBCMT ref: 00A6F484
_wcscmp.LIBCMT ref: 00A6F49F
FindNextFileW.KERNEL32(?,?), ref: 00A6F53D
FindClose.KERNEL32(00000000), ref: 00A6F553

Strings

*.*, xrefs: 00A6F425

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: cf35354279bd934dcac6fe6b8566ade7a701e016cae70ac0cc41a36fda2affc0
Instruction ID: 875492f975906582ebdbd2bf6ec8b1b304003336b682d331f734295736207b31
Opcode Fuzzy Hash: cf35354279bd934dcac6fe6b8566ade7a701e016cae70ac0cc41a36fda2affc0
Instruction Fuzzy Hash: 5E415D7294421AAFDF14EFA4EC49AEEBBB8FF05310F144466E815A7191EB309E45CF50

Function 00A15760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A158A5
_memmove.LIBCMT ref: 00A158F5
_memmove.LIBCMT ref: 00A1595B

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: c92c9cd05c342aac3c93b399a5879d94f0c2ae68566fd2b347ea1beefbf8d6b9
Instruction ID: c243c8f9872a036ade3805ceee55ed1ca87b45ba6c92387cb6e106c0d9ef6e57
Opcode Fuzzy Hash: c92c9cd05c342aac3c93b399a5879d94f0c2ae68566fd2b347ea1beefbf8d6b9
Instruction Fuzzy Hash: 45129A70E00A09DFDF04DFA5DA81AEEB7F5FF88300F104529E846A7291EB36A955CB51

Function 00A63B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A04750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A04743,?,?,00A037AE,?), ref: 00A04770

Part of subcall function 00A64A31: GetFileAttributesW.KERNEL32(?,00A6370B), ref: 00A64A32

FindFirstFileW.KERNEL32(?,?), ref: 00A63B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 00A63BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A63BEA
FindClose.KERNEL32(00000000), ref: 00A63C01
FindClose.KERNEL32(00000000), ref: 00A63C0A

Strings

\*.*, xrefs: 00A63B5B

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: e31956d3b0b519b73f9f007dfd8f6c4a186f099d6a0f94916c8e5d11df5cacf0
Instruction ID: 23e1a84b3da79b62a49700bf0668c9acdc8c785aa65064061df4805beb5e5fe1
Opcode Fuzzy Hash: e31956d3b0b519b73f9f007dfd8f6c4a186f099d6a0f94916c8e5d11df5cacf0
Instruction Fuzzy Hash: 4B316F32408389AFC701EF64D9918AFB7F8BE95304F404D2DF4E5921D1EB21AA0ACB52

Function 00A651BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00A587E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A5882B
Part of subcall function 00A587E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A58858
Part of subcall function 00A587E1: GetLastError.KERNEL32 ref: 00A58865

ExitWindowsEx.USER32(?,00000000), ref: 00A651F9

Strings

, xrefs: 00A651E7
@, xrefs: 00A651EC
SeShutdownPrivilege, xrefs: 00A651C9

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: e99c0047ad415d5efad38c368d43f94c972aafae3e95430861baf897a8d0d6bf
Instruction ID: 8f4d4efdbcd9cf106ee9670219945a56d2e41686fa680a90fa1be90083a6862e
Opcode Fuzzy Hash: e99c0047ad415d5efad38c368d43f94c972aafae3e95430861baf897a8d0d6bf
Instruction Fuzzy Hash: F801F731F916126FF7286378ACAAFFA73B8EB05341F200521FD13E20D2E9611C418690

Function 00A76283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00A762DC
WSAGetLastError.WSOCK32(00000000), ref: 00A762EB
bind.WSOCK32(00000000,?,00000010), ref: 00A76307
listen.WSOCK32(00000000,00000005), ref: 00A76316
WSAGetLastError.WSOCK32(00000000), ref: 00A76330
closesocket.WSOCK32(00000000,00000000), ref: 00A76344

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 1657d7861de487241767ac1a4cbb45295673f34a2539deb61c419b67cb383cf2
Instruction ID: 2c84f6e359fbbd9fb9f170f0590a74706d21938ef7642c28affface5d1fdeda7
Opcode Fuzzy Hash: 1657d7861de487241767ac1a4cbb45295673f34a2539deb61c419b67cb383cf2
Instruction Fuzzy Hash: 1D21CE716006059FCB10EF64DD45B6EB7A9EF49320F14C168F85AAB3D2C770AD05CB51

Function 00A15520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00A20DB6: std::exception::exception.LIBCMT ref: 00A20DEC
Part of subcall function 00A20DB6: __CxxThrowException@8.LIBCMT ref: 00A20E01

_memmove.LIBCMT ref: 00A50258
_memmove.LIBCMT ref: 00A5036D
_memmove.LIBCMT ref: 00A50414

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 1cf317d192ec9eb059dfdea67e0d8f04649612bbd0bd6798a0e008943a79e55e
Instruction ID: c3325cebe3128eed9afdcdb5eab4be659958da54c3b55713a40799089a0d7181
Opcode Fuzzy Hash: 1cf317d192ec9eb059dfdea67e0d8f04649612bbd0bd6798a0e008943a79e55e
Instruction Fuzzy Hash: 9202B170E00609DFCF04DF68DA81AAEBBB5FF84310F148069E846DB295EB35D955CB91

Function 00A01287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00A02612: GetWindowLongW.USER32(?,000000EB), ref: 00A02623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00A019FA
GetSysColor.USER32(0000000F), ref: 00A01A4E
SetBkColor.GDI32(?,00000000), ref: 00A01A61

Part of subcall function 00A01290: DefDlgProcW.USER32(?,00000020,?), ref: 00A012D8

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: b6117cf55c031e62e7a937b688b8542ccea9dcf5f7a3d7d8ab4263a9aa475de8
Instruction ID: ea8099fffee0634ee2883de8d66e7ef0f436056a7d6e2e7d936190b777b4fdf2
Opcode Fuzzy Hash: b6117cf55c031e62e7a937b688b8542ccea9dcf5f7a3d7d8ab4263a9aa475de8
Instruction Fuzzy Hash: E4A1587121254CBFE729ABA8AD48EFF35AEDF423C1F14011AF602D61D2CB259D4197B1

Function 00A6BCBC Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00A6BCE6
_wcscmp.LIBCMT ref: 00A6BD16
_wcscmp.LIBCMT ref: 00A6BD2B
FindNextFileW.KERNEL32(00000000,?), ref: 00A6BD3C
FindClose.KERNEL32(00000000,00000001,00000000), ref: 00A6BD6C

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 1123484b5aeb8117f7c044efdb36531c3b405a154a5af5db5bfd6d8922cd0e1d
Instruction ID: c895a688ca6ef1d381ed14ba8186bafaddaa8505011356fdf284ad0797f92859
Opcode Fuzzy Hash: 1123484b5aeb8117f7c044efdb36531c3b405a154a5af5db5bfd6d8922cd0e1d
Instruction Fuzzy Hash: A3518975A14602DFD714DF68D490EAAB3F8EF49320F104629E95ACB3A1DB30ED44CBA1

Function 00A76747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A77D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00A77DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00A7679E
WSAGetLastError.WSOCK32(00000000), ref: 00A767C7
bind.WSOCK32(00000000,?,00000010), ref: 00A76800
WSAGetLastError.WSOCK32(00000000), ref: 00A7680D
closesocket.WSOCK32(00000000,00000000), ref: 00A76821

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 548e3e7b890f6370dfd1fc34c8eba5ea7a90d21ac40fd388697869ca3a56b239
Instruction ID: 2dad0c85efbd16c6e99a5a92cbdc29c5e4d12bf4622eceef2d78564ca34de5c5
Opcode Fuzzy Hash: 548e3e7b890f6370dfd1fc34c8eba5ea7a90d21ac40fd388697869ca3a56b239
Instruction Fuzzy Hash: 27411471B00604AFEB10BF649D82F2E77A8EF09710F04C158FA49AB3C3CA749D018791

Function 00A85376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00A853C5
IsWindowEnabled.USER32 ref: 00A853D3
GetForegroundWindow.USER32(?,?,00000001), ref: 00A853E0
IsIconic.USER32 ref: 00A853EE
IsZoomed.USER32 ref: 00A853FC

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: ac82f3671463cb7687718d01ff397042492ec457b5a6406f79c9acc396c41e31
Instruction ID: f1851a38fde1bbadd972a9839c2373c7e15a2513ebcd03e87cb8cb5f95838b1c
Opcode Fuzzy Hash: ac82f3671463cb7687718d01ff397042492ec457b5a6406f79c9acc396c41e31
Instruction Fuzzy Hash: F611B231B00915AFEB217F76DC54A6A7B99FF447A1B404438FC45D7241DB70DC028BA0

Function 00A580A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00A580C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00A580CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00A580D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00A580E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00A580F6

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 705ba2859e061c1618e5b7976947dca5a484a8bb5bb480b4277aeaf509088f55
Instruction ID: 4d0d85f31da9c51d5ba40cf9f79d2001f7196742d25f56ee6757cefa52ab82cf
Opcode Fuzzy Hash: 705ba2859e061c1618e5b7976947dca5a484a8bb5bb480b4277aeaf509088f55
Instruction Fuzzy Hash: 75F04F31240305EFEB108FA5EC8DE673BACFF49755B100125F945D6150DA759C46DB60

Function 00A04B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00A04AD0), ref: 00A04B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00A04B57

Strings

GetNativeSystemInfo, xrefs: 00A04B51
kernel32.dll, xrefs: 00A04B40

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: d4e7e752917b049239263a9a8d8814ba39485d8b8e96135fc6f6b8f386e38611
Instruction ID: 1f402a52a678154003d622ced1863b48db3ba0f699483900373d27a479c48b2d
Opcode Fuzzy Hash: d4e7e752917b049239263a9a8d8814ba39485d8b8e96135fc6f6b8f386e38611
Instruction Fuzzy Hash: 82D01774A10717DFEB20FF72E82CB0676E4BF4A791B11CC3A9586D6190E674E880CB54

Function 00A13030 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: be9753fc36795781a4fa4c7e9549ca1ceb2685c22fcc3470877131933c6eea3d
Instruction ID: 7f5d767c25a6d1ddaf72d800012b0ea02a52a53339da0b429d7e4edad245074d
Opcode Fuzzy Hash: be9753fc36795781a4fa4c7e9549ca1ceb2685c22fcc3470877131933c6eea3d
Instruction Fuzzy Hash: 6E22AE766083009FDB24DF24D981BAFB7E4BF85310F14492DF89A97291DB71E984CB92

Function 00A7EE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00A7EE3D
Process32FirstW.KERNEL32(00000000,?), ref: 00A7EE4B

Part of subcall function 00A07DE1: _memmove.LIBCMT ref: 00A07E22

Process32NextW.KERNEL32(00000000,?), ref: 00A7EF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00A7EF1A

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 65284222883f061834a54a326f9cf150e1f24bfd50394b07054ad30749f249b6
Instruction ID: f6cafe11c6b20e4aaf23cd035025ca1895afc072fedce901e074258a3280716a
Opcode Fuzzy Hash: 65284222883f061834a54a326f9cf150e1f24bfd50394b07054ad30749f249b6
Instruction Fuzzy Hash: F5519D71504305AFD310EF24DC85E6BB7E8EF88750F10892DF595972A2EB30A908CB92

Function 00A5E616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00A5E628

Strings

|, xrefs: 00A5E658
(, xrefs: 00A5E66E

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 92d2665b0cf6d4a9b1ed35c3f1a304f054d0c756fd5633d4b860bba1a95d4d91
Instruction ID: 494e2c35387dafcdca2489d8563febfea6925281a53ba3774d3815631a770f81
Opcode Fuzzy Hash: 92d2665b0cf6d4a9b1ed35c3f1a304f054d0c756fd5633d4b860bba1a95d4d91
Instruction Fuzzy Hash: 13323575A007059FDB28CF29C48196AB7F1FF48320B15C56EE99ADB7A1E770EA41CB40

Function 00A722EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00A7180A,00000000), ref: 00A723E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00A72418

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: c0bd07c9c4c742a57192af14c13b4d55826b26c719facd1de71bf5c33e9345b5
Instruction ID: 99efaa3bfc6b1ac72557c84fdb0aa769164c23cf058a7593e0c92e09374ac1af
Opcode Fuzzy Hash: c0bd07c9c4c742a57192af14c13b4d55826b26c719facd1de71bf5c33e9345b5
Instruction Fuzzy Hash: B141D571A04209BFEB20DF95DD85FBBB7BCEB40314F10C06AF649AB241EA759E419760

Function 00A6B3FB Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A6B40B
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00A6B465
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00A6B4B2

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 4aad3954540f6534d33af28b10ae4c0cb1b46e33df9a7d8ea62501b8393810a8
Instruction ID: b51964a099e090f8966e34c5d42eb1c5d261314f5c01a32f8f9fab5d6614cef6
Opcode Fuzzy Hash: 4aad3954540f6534d33af28b10ae4c0cb1b46e33df9a7d8ea62501b8393810a8
Instruction Fuzzy Hash: 47214475A00108DFCB00EFA5D984AEEBBB8FF49314F1481A9E905EB352DB319956CB51

Function 00A587E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00A20DB6: std::exception::exception.LIBCMT ref: 00A20DEC
Part of subcall function 00A20DB6: __CxxThrowException@8.LIBCMT ref: 00A20E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A5882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A58858
GetLastError.KERNEL32 ref: 00A58865

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 0a69b7c2614105fd60edb4e0fd5b8b91ea0f82e127155fcf3dbd74fbb5707a7b
Instruction ID: 072e1e6d949b8665c675591e93a4ce1a6d127231235fd3b9c6f6c58c0016562b
Opcode Fuzzy Hash: 0a69b7c2614105fd60edb4e0fd5b8b91ea0f82e127155fcf3dbd74fbb5707a7b
Instruction Fuzzy Hash: D111BFB2404205AFE718DFA4EC85D2BB7F9FB04711B20852EF85597211EB30BC418B60

Function 00A5874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00A58774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00A5878B
FreeSid.ADVAPI32(?), ref: 00A5879B

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: fcd0921e3b99274b36d8dc3fba83210fc83316ec1853dcfb24bf9a7b171ca935
Instruction ID: b204c83e963611cb2200ce7bb7550b0b04e44455c37ee972d733ccc91f4f10b6
Opcode Fuzzy Hash: fcd0921e3b99274b36d8dc3fba83210fc83316ec1853dcfb24bf9a7b171ca935
Instruction Fuzzy Hash: C9F04975A1130DBFDF00DFF4DC89AAEBBBCEF08201F1044A9A901E2181E7756A048B50

Function 00A6C6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00A6C6FB
FindClose.KERNEL32(00000000), ref: 00A6C72B

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 89cc2202095861a6010628868e5ec5ec2448b557a0093eb5fe22b40266583705
Instruction ID: 37caedfded3dc5e5ce2b22688cc3a568b3599a6849dab0ff5c0adaeb0e828a26
Opcode Fuzzy Hash: 89cc2202095861a6010628868e5ec5ec2448b557a0093eb5fe22b40266583705
Instruction Fuzzy Hash: 6B115E726006049FDB10EF29D845A6AF7E9FF85325F00C51DF9A9D7391DB30A805CB81

Function 00A6A06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00A79468,?,00A8FB84,?), ref: 00A6A097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00A79468,?,00A8FB84,?), ref: 00A6A0A9

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: f0174ccd57318e3f0013ab4c672291057a21e442e2f8e0a56fb0aea439710554
Instruction ID: d4bc41c2efd771b2aabe41eae0c376c75adbe15d8453ad8d829c695d1ee713c1
Opcode Fuzzy Hash: f0174ccd57318e3f0013ab4c672291057a21e442e2f8e0a56fb0aea439710554
Instruction Fuzzy Hash: EEF0823550522DABDB21AFA4DC49FEA776CFF18361F004165F919D6181DA309940CFA1

Function 00A581CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00A58309), ref: 00A581E0
CloseHandle.KERNEL32(?,?,00A58309), ref: 00A581F2

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 40d67a82863912fb6c729c9119670308cc58bc25f73677dd447e89836ff31c9f
Instruction ID: f0cc22e7de36b89779d593aa3bbb5111bb38fa08f132739ca5830e624375c0cd
Opcode Fuzzy Hash: 40d67a82863912fb6c729c9119670308cc58bc25f73677dd447e89836ff31c9f
Instruction Fuzzy Hash: 1CE0B672011621AEE7256BA4FC09D777BAAEB043117258929B8A684471DB62AC91DB10

Function 00A2A155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00A28D57,?,?,?,00000001), ref: 00A2A15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00A2A163

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 31cb72239b3dc3d549f974b5aff16b6336e1320d4b6e9aecb3a759da0ac17f5d
Instruction ID: 22caca5c2f486c7ea32260c7156a938e7d8be9afed4e1f482f90472f4ff5fe46
Opcode Fuzzy Hash: 31cb72239b3dc3d549f974b5aff16b6336e1320d4b6e9aecb3a759da0ac17f5d
Instruction Fuzzy Hash: 2AB0923125430AAFCA006BD1EC09B883F68EB46AA2F404020F61D88060CB6254528B91

Function 00A2F1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d52cd04561c6143ab6ff8ead6619821955b57fcebe5949a12bd2bdf6863aa29
Instruction ID: e6ea981e62ec860ac104a374850ba1cd1743a63227819859626466fbe1c56387
Opcode Fuzzy Hash: 1d52cd04561c6143ab6ff8ead6619821955b57fcebe5949a12bd2bdf6863aa29
Instruction Fuzzy Hash: 37320421E29F514DD7239639D83233AA299AFB73C4F15D737E81AB5AA5EF28C4C34100

Function 00A3242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4251ba26dec6bcd84ad9c9225a16031c38f7e043c0e5984504e0810d870b30dc
Instruction ID: 6b8c3c62beb732f8846e29e6a512bb12f0744e1bf07a65b3ed876cddbcf6cd03
Opcode Fuzzy Hash: 4251ba26dec6bcd84ad9c9225a16031c38f7e043c0e5984504e0810d870b30dc
Instruction Fuzzy Hash: 5EB1EE30E2AF514DD72396798831336BA9CAFBB2C5F51D71BFC2674D22EB2185834281

Function 00A68889 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00A6889B

Part of subcall function 00A2520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00A68F6E,00000000,?,?,?,?,00A6911F,00000000,?), ref: 00A25213
Part of subcall function 00A2520A: __aulldiv.LIBCMT ref: 00A25233

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: a8ca19be87535616f9a7c683fb54c01486bc44393c3bbe86c84a03751b356038
Instruction ID: d99fbb1d7db16dd1eb5b2661ebc897a7d802d222ebee18cd4c6b0bd0c350c9f3
Opcode Fuzzy Hash: a8ca19be87535616f9a7c683fb54c01486bc44393c3bbe86c84a03751b356038
Instruction Fuzzy Hash: 6921AF726256108BC729CF69D841A92B3E5EBA5311B698F6CD0F6CB2C0CA34A905CB54

Function 00A64C27 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00A64C4A

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 9d0066b49cb6526ee735e1c2f37de764327adba06c4ccee3931feed897c64073
Instruction ID: c68d22c21e4ef793cc0a1f9a5e90dbabfeda833d368b1a139a0dd8f64d039daf
Opcode Fuzzy Hash: 9d0066b49cb6526ee735e1c2f37de764327adba06c4ccee3931feed897c64073
Instruction Fuzzy Hash: 67D05EA116521A38FE1C07209E1FFBB0138E308782FD081497101CA2C1EC805C405130

Function 00A587B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00A58389), ref: 00A587D1

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 6e7b35bc7365ab8ee2f6b7bfa5618e773b554013a07bb055affb0d6899d08630
Instruction ID: f76a77f4e1d118acf59242c39d05c299a39571aa4e14523c572defaeaa7074e5
Opcode Fuzzy Hash: 6e7b35bc7365ab8ee2f6b7bfa5618e773b554013a07bb055affb0d6899d08630
Instruction Fuzzy Hash: 53D05E3226050EAFEF018EA4DC01EAE3B79EB04B01F408111FE15D50A1C775D835AB60

Function 00A2A124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00A2A12A

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: c2403dcb90956ec22b1a2be1c3122163547d23c4bc0c984ec319bf87d7332196
Instruction ID: bb559b27c7664074462c2c9a679654fece345ee83831b82ccc01761b7febd847
Opcode Fuzzy Hash: c2403dcb90956ec22b1a2be1c3122163547d23c4bc0c984ec319bf87d7332196
Instruction Fuzzy Hash: 31A0113000020EAB8A002B82EC08888BFACEA022A0B008020F80C880228B32A8228A80

Function 00A18808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5531599e2e9738e052ee299a364ca63d9a2537593381df7aab9de1f0ddebc4b2
Instruction ID: 4808fc293596ccf43b4d9432bf0d2dd9a5c9b6601aec3209e3dcf653edc7d418
Opcode Fuzzy Hash: 5531599e2e9738e052ee299a364ca63d9a2537593381df7aab9de1f0ddebc4b2
Instruction Fuzzy Hash: 74221130E04506CBDF288B74C4A47FCBBB2BF01385F29816ADA568B592DB789DD5CB41

Function 00A221C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 46854c399bc99124b91351dcec89c64c72c16fd3396e4702ac1282e084048fd0
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: AFC182322451B34ADB2D873DA43413EBAA19EA27B131A077DD8B3CB1D4EE24D965D720

Function 00A225FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 1aca0f3d43c28f3659e313fdc069d01a2c355bc11d2218121c400f185e9d439c
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 29C151322091B34ADF2D473E947423EBAA19EA27B131B077DD4B2DB1D5EE20C965D720

Function 00A21D90 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: 0fdd65daff45bd2e4e2370a329d1fde6ab3a172f74fd62a77ad05c5d3f103309
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: 17C181322491B34ADF2D473EA43413EBAA19EB27B131B077DD8B2DB1D4EE10C925D620

Function 00A21978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 8f33fc9607a0749ba24061f90360cd144717e08dcd4cac4a121de1fc8278c8d9
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 6BC18F362491B349DF2D473EA47413EBAA19EB27B131B077DD4B2CB1D4EE20C966D620

Function 00D876B0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1286720704.0000000000D84000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D84000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d84000_hZbkP3TJBJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 72b52b27fcae05518d00afaa0a74dc448cd9cdbb5563e530b66daf5825bb4dd1
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 2441A471D1051CDBCF48CFADC991AAEBBF1AF88201F648299D516AB345D730AB41DB50

Function 00D87540 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1286720704.0000000000D84000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D84000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d84000_hZbkP3TJBJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 5bc8ae94f844bbf94a7c9859007b40193389f374d84c57fffc7e8533d4f8e37b
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 4D019278A05109EFCB48EF98C5909AEF7B5FB48310F6085D9E819A7301E730EE41DB90

Function 00D875A0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1286720704.0000000000D84000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D84000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d84000_hZbkP3TJBJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 5c9efd08a06ee57be4b725be65d1c1379c9bb43a57f25447f9b1d2d00b53bea2
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 0B019278A04109EFCB44EF98C5909AEFBB5FB48310F208699E819A7701E730EE41DB90

Function 00D85EF0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1286720704.0000000000D84000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D84000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d84000_hZbkP3TJBJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00A77806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00A7785B
DeleteObject.GDI32(00000000), ref: 00A7786D
DestroyWindow.USER32 ref: 00A7787B
GetDesktopWindow.USER32 ref: 00A77895
GetWindowRect.USER32(00000000), ref: 00A7789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00A779DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00A779ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A77A35
GetClientRect.USER32(00000000,?), ref: 00A77A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00A77A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A77A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A77AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A77ABB
GlobalLock.KERNEL32(00000000), ref: 00A77AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A77AD3
GlobalUnlock.KERNEL32(00000000), ref: 00A77ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A77AE3
GlobalFree.KERNEL32(00000000), ref: 00A77AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A77B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00A92CAC,00000000), ref: 00A77B16
GlobalFree.KERNEL32(00000000), ref: 00A77B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00A77B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00A77B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A77B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A77D7A

Strings

AutoIt v3, xrefs: 00A77A2D
, xrefs: 00A77D00
DISPLAY, xrefs: 00A77BDD
static, xrefs: 00A77A75, 00A77BCC

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: bb9fb498b769bf7801c5624837f5030e93da3ab711df23895b530cc7635a0096
Instruction ID: 9e9c334acfa02724b5feed68f38dff41768eed74decfbef2af8be8df57cda572
Opcode Fuzzy Hash: bb9fb498b769bf7801c5624837f5030e93da3ab711df23895b530cc7635a0096
Instruction Fuzzy Hash: 36025B71A00119EFDB14DFA4DD89EAE7BB9FF49310F108168F915AB2A1D730AD42CB60

Function 00A8356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00A8F910), ref: 00A83627
IsWindowVisible.USER32(?), ref: 00A8364B

Strings

GETSELECTED, xrefs: 00A838A3
TABLEFT, xrefs: 00A83687
ISENABLED, xrefs: 00A8366B
GETCURRENTLINE, xrefs: 00A838ED
GETCURRENTCOL, xrefs: 00A83928
GETLINE, xrefs: 00A8399B
ISVISIBLE, xrefs: 00A83637
UNCHECK, xrefs: 00A83883
GETCURRENTSELECTION, xrefs: 00A837E3
DELSTRING, xrefs: 00A83749
HIDEDROPDOWN, xrefs: 00A83700
SHOWDROPDOWN, xrefs: 00A836E0
CHECK, xrefs: 00A8386D
GETLINECOUNT, xrefs: 00A838C6
EDITPASTE, xrefs: 00A8395F
FINDSTRING, xrefs: 00A83776
ADDSTRING, xrefs: 00A83716
CURRENTTAB, xrefs: 00A836BD
SELECTSTRING, xrefs: 00A83806
SENDCOMMANDID, xrefs: 00A839DA
ISCHECKED, xrefs: 00A83839
SETCURRENTSELECTION, xrefs: 00A837B6
TABRIGHT, xrefs: 00A8369D

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 2f32498c35807407b5ece88785846023d033faaaaf8ede2906f8ea4eb26e4098
Instruction ID: 851bacaf034a7a626d18d76726ce7883304dcefb92b28e419984a854afa9a886
Opcode Fuzzy Hash: 2f32498c35807407b5ece88785846023d033faaaaf8ede2906f8ea4eb26e4098
Instruction Fuzzy Hash: B1D16C712042019FCF04FF14C6A1AAFBBA5AF95794F544468F8825B3A3DB35EE4ACB41

Function 00A8A5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00A8A630
GetSysColorBrush.USER32(0000000F), ref: 00A8A661
GetSysColor.USER32(0000000F), ref: 00A8A66D
SetBkColor.GDI32(?,000000FF), ref: 00A8A687
SelectObject.GDI32(?,00000000), ref: 00A8A696
InflateRect.USER32(?,000000FF,000000FF), ref: 00A8A6C1
GetSysColor.USER32(00000010), ref: 00A8A6C9
CreateSolidBrush.GDI32(00000000), ref: 00A8A6D0
FrameRect.USER32(?,?,00000000), ref: 00A8A6DF
DeleteObject.GDI32(00000000), ref: 00A8A6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 00A8A731
FillRect.USER32(?,?,00000000), ref: 00A8A763
GetWindowLongW.USER32(?,000000F0), ref: 00A8A78E

Part of subcall function 00A8A8CA: GetSysColor.USER32(00000012), ref: 00A8A903
Part of subcall function 00A8A8CA: SetTextColor.GDI32(?,?), ref: 00A8A907
Part of subcall function 00A8A8CA: GetSysColorBrush.USER32(0000000F), ref: 00A8A91D
Part of subcall function 00A8A8CA: GetSysColor.USER32(0000000F), ref: 00A8A928
Part of subcall function 00A8A8CA: GetSysColor.USER32(00000011), ref: 00A8A945
Part of subcall function 00A8A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00A8A953
Part of subcall function 00A8A8CA: SelectObject.GDI32(?,00000000), ref: 00A8A964
Part of subcall function 00A8A8CA: SetBkColor.GDI32(?,00000000), ref: 00A8A96D
Part of subcall function 00A8A8CA: SelectObject.GDI32(?,?), ref: 00A8A97A
Part of subcall function 00A8A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 00A8A999
Part of subcall function 00A8A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00A8A9B0
Part of subcall function 00A8A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 00A8A9C5
Part of subcall function 00A8A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A8A9ED

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: ccc408fde0147e20cd2ec56fb778ee1336bc7d9e64e07dc34a9d1d90568ea663
Instruction ID: d3bf237628938f45440d3c6ad93c75b8bf68bef81c3ff1f2efc5efd57dbc8334
Opcode Fuzzy Hash: ccc408fde0147e20cd2ec56fb778ee1336bc7d9e64e07dc34a9d1d90568ea663
Instruction Fuzzy Hash: 4A915B72408302AFD710EFA4DC08A5B7BB9FB89321F144B2AF962D61A1D771D946CB52

Function 00A02C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00A02CA2
DeleteObject.GDI32(00000000), ref: 00A02CE8
DeleteObject.GDI32(00000000), ref: 00A02CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00A02CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00A02D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 00A3C43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00A3C474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00A3C89D

Part of subcall function 00A01B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A02036,?,00000000,?,?,?,?,00A016CB,00000000,?), ref: 00A01B9A

SendMessageW.USER32(?,00001053), ref: 00A3C8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00A3C8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00A3C907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00A3C912

Strings

0, xrefs: 00A3C731

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: c9a0443d99e09d1623d2ad4a1f58ce154aa1a1181bc4aebe82f0b8cf8b33e263
Instruction ID: b66947cd18ea28c833aa53ccf60275202102312e0c9ee85fe70f8ef9d17737d1
Opcode Fuzzy Hash: c9a0443d99e09d1623d2ad4a1f58ce154aa1a1181bc4aebe82f0b8cf8b33e263
Instruction Fuzzy Hash: C9129C30600206EFDB25CF24D988BA9BBE5BF44324F544569F895EB2A2C731EC52CB91

Function 00A774AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00A774DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00A7759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00A775DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00A775ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00A77633
GetClientRect.USER32(00000000,?), ref: 00A7763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00A77683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00A77692
GetStockObject.GDI32(00000011), ref: 00A776A2
SelectObject.GDI32(00000000,00000000), ref: 00A776A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00A776B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A776BF
DeleteDC.GDI32(00000000), ref: 00A776C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00A776F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 00A7770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00A77746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00A7775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 00A7776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00A7779B
GetStockObject.GDI32(00000011), ref: 00A777A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00A777B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00A777BB

Strings

msctls_progress32, xrefs: 00A7773C
AutoIt v3, xrefs: 00A7762B
DISPLAY, xrefs: 00A77688
static, xrefs: 00A7767D, 00A77795

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: fb74aedb7574074a900b4378963453178b7bc1182b94703d2e9ec415174e307f
Instruction ID: b92b6adc9ec79f1ce673dc67a0ecb992b7e5cb46e658030ff2e4b570e8782603
Opcode Fuzzy Hash: fb74aedb7574074a900b4378963453178b7bc1182b94703d2e9ec415174e307f
Instruction Fuzzy Hash: 5BA18FB1A40609BFEB14DBA4DC4AFAF7BB9EB04710F008214FA15A72E1D770AD41CB64

Function 00A6AD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A6AD1E
GetDriveTypeW.KERNEL32(?,00A8FAC0,?,\\.\,00A8F910), ref: 00A6ADFB
SetErrorMode.KERNEL32(00000000,00A8FAC0,?,\\.\,00A8F910), ref: 00A6AF59

Strings

SCSI, xrefs: 00A6AEC6
RAID, xrefs: 00A6AEF7
ATA, xrefs: 00A6AED4
MMC, xrefs: 00A6AF1A
USB, xrefs: 00A6AEF0
Fibre, xrefs: 00A6AEE9
1394, xrefs: 00A6AEDB
Removable, xrefs: 00A6AE4D
RAMDisk, xrefs: 00A6AE25
CDROM, xrefs: 00A6AE2F
SSD, xrefs: 00A6AE86
Fixed, xrefs: 00A6AE43
SSA, xrefs: 00A6AEE2
SATA, xrefs: 00A6AF0C
Unknown, xrefs: 00A6AE1B, 00A6AEBF
FileBackedVirtual, xrefs: 00A6AF28
iSCSI, xrefs: 00A6AEFE
Virtual, xrefs: 00A6AF21
SAS, xrefs: 00A6AF05
PhysicalDrive, xrefs: 00A6ADA7
ATAPI, xrefs: 00A6AECD
Network, xrefs: 00A6AE39
\\.\, xrefs: 00A6AD70

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: dcb5472039f328c5ba473c3d8058e1ede5ee26c390864bd631abc2e209acea93
Instruction ID: 57a4c67eec487331ef44e300fc5d2e4e8577a903e2e8710972795ed2f3b8dbcf
Opcode Fuzzy Hash: dcb5472039f328c5ba473c3d8058e1ede5ee26c390864bd631abc2e209acea93
Instruction Fuzzy Hash: 395174B0644209EBCB10EB64C992CBD73B9FF29740B20885AE407B72D2DA759D42DF53

Function 00A068DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00A06931
__wcsnicmp.LIBCMT ref: 00A06949
__wcsnicmp.LIBCMT ref: 00A06961
__wcsnicmp.LIBCMT ref: 00A06979
__wcsnicmp.LIBCMT ref: 00A06991
__wcsnicmp.LIBCMT ref: 00A069A9
__wcsnicmp.LIBCMT ref: 00A069C1
__wcsnicmp.LIBCMT ref: 00A069D5
__wcsnicmp.LIBCMT ref: 00A06A16
__wcsnicmp.LIBCMT ref: 00A06A2A
__wcsnicmp.LIBCMT ref: 00A06A3E
__wcsnicmp.LIBCMT ref: 00A06A52

Strings

#ce, xrefs: 00A06A4C
Cannot parse #include, xrefs: 00A3E3F0
#pragma compile, xrefs: 00A0692B
Unterminated group of comments, xrefs: 00A3E403
#cs, xrefs: 00A069CF, 00A06A24
#comments-end, xrefs: 00A06A38
#include, xrefs: 00A069A3
#OnAutoItStartRegister, xrefs: 00A06973
#requireadmin, xrefs: 00A0695B
Bad directive syntax error, xrefs: 00A3E31A
#notrayicon, xrefs: 00A06943
#include-once, xrefs: 00A0698B
#comments-start, xrefs: 00A069BB, 00A06A10

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: ab8b55f4ce6b9c9f00f7366b54e3696a971c351bee7c60f26482598cd2e7dcb9
Instruction ID: d0d3df3ec3cce5b1cbec48885d7d229ad9d40feee3b0a92247e788d3bb2f83d0
Opcode Fuzzy Hash: ab8b55f4ce6b9c9f00f7366b54e3696a971c351bee7c60f26482598cd2e7dcb9
Instruction Fuzzy Hash: 7381F2B170021ABEDF20FB64FD42FAA37A8AF05744F044424F905AA1D2EB70DA65C6A1

Function 00A89A1C Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00A89AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00A89B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 00A89BA7

Strings

0, xrefs: 00A89BE4

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: a1b0202905f129c33cd522971f5b1fb9879c496e5621c7703f42dd3635147e1e
Instruction ID: a90728c3bac98d583f5083c6ab719eb57b3635b033480c3d44d983585a41d06a
Opcode Fuzzy Hash: a1b0202905f129c33cd522971f5b1fb9879c496e5621c7703f42dd3635147e1e
Instruction Fuzzy Hash: DE02DB70104301AFE729EF24C888BBBBBE5FF49304F08862DF999962A1D735D945CB52

Function 00A8A8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00A8A903
SetTextColor.GDI32(?,?), ref: 00A8A907
GetSysColorBrush.USER32(0000000F), ref: 00A8A91D
GetSysColor.USER32(0000000F), ref: 00A8A928
CreateSolidBrush.GDI32(?), ref: 00A8A92D
GetSysColor.USER32(00000011), ref: 00A8A945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00A8A953
SelectObject.GDI32(?,00000000), ref: 00A8A964
SetBkColor.GDI32(?,00000000), ref: 00A8A96D
SelectObject.GDI32(?,?), ref: 00A8A97A
InflateRect.USER32(?,000000FF,000000FF), ref: 00A8A999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00A8A9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00A8A9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A8A9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00A8AA14
InflateRect.USER32(?,000000FD,000000FD), ref: 00A8AA32
DrawFocusRect.USER32(?,?), ref: 00A8AA3D
GetSysColor.USER32(00000011), ref: 00A8AA4B
SetTextColor.GDI32(?,00000000), ref: 00A8AA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00A8AA67
SelectObject.GDI32(?,00A8A5FA), ref: 00A8AA7E
DeleteObject.GDI32(?), ref: 00A8AA89
SelectObject.GDI32(?,?), ref: 00A8AA8F
DeleteObject.GDI32(?), ref: 00A8AA94
SetTextColor.GDI32(?,?), ref: 00A8AA9A
SetBkColor.GDI32(?,?), ref: 00A8AAA4

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 106d9dab6d23a65d4d9ce1321ce47bafd4ad8c5dfa5687d8ec187b37e263ed5a
Instruction ID: e621a3bc7de52ccda6f550e29345e46311536fe7eb16d0a242c1df3bb353e359
Opcode Fuzzy Hash: 106d9dab6d23a65d4d9ce1321ce47bafd4ad8c5dfa5687d8ec187b37e263ed5a
Instruction Fuzzy Hash: 48512D71901209EFDB11EFE4DC48EAE7B79FB08320F214626FA11AB2A1D7759941DB90

Function 00A889D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00A88AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A88AD2
CharNextW.USER32(0000014E), ref: 00A88B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00A88B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00A88B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A88B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00A88B86
SetWindowTextW.USER32(?,0000014E), ref: 00A88BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00A88BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 00A88C1F
_memset.LIBCMT ref: 00A88C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00A88C8D
_memset.LIBCMT ref: 00A88CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00A88D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 00A88D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 00A88E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 00A88E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00A88E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00A88EB4
DrawMenuBar.USER32(?), ref: 00A88EC3
SetWindowTextW.USER32(?,0000014E), ref: 00A88EEB

Strings

0, xrefs: 00A88E55

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 33799f176cdd9c66f3e8fb60ef306e78485f2edea9aeb25d9c2bc3ef9f2147bb
Instruction ID: 8e5540bbff7ea9bfdf0d36acf4f217c07c371754e5ed277df3b4bf5b08d12f43
Opcode Fuzzy Hash: 33799f176cdd9c66f3e8fb60ef306e78485f2edea9aeb25d9c2bc3ef9f2147bb
Instruction Fuzzy Hash: 06E17074900219AFDF20EFA4CC84EEE7BB9EF05750F508166FA15AA190DF789981DF60

Function 00A8488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00A849CA
GetDesktopWindow.USER32 ref: 00A849DF
GetWindowRect.USER32(00000000), ref: 00A849E6
GetWindowLongW.USER32(?,000000F0), ref: 00A84A48
DestroyWindow.USER32(?), ref: 00A84A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00A84A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A84ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00A84AE1
SendMessageW.USER32(?,00000421,?,?), ref: 00A84AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00A84B09
IsWindowVisible.USER32(?), ref: 00A84B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00A84B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00A84B58
GetWindowRect.USER32(?,?), ref: 00A84B70
MonitorFromPoint.USER32(?,?,00000002), ref: 00A84B96
GetMonitorInfoW.USER32(00000000,?), ref: 00A84BB0
CopyRect.USER32(?,?), ref: 00A84BC7
SendMessageW.USER32(?,00000412,00000000), ref: 00A84C32

Strings

(, xrefs: 00A84BA3
tooltips_class32, xrefs: 00A84A96
0, xrefs: 00A84975

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 5cf9a51b9dedbed8b05783cd22c3f31b0bd40bd4bce7ee9b431576ceb5bb69e4
Instruction ID: 9e8567edc1fe3754780eb6c12abe2369009c63af16779e3571e403785147347f
Opcode Fuzzy Hash: 5cf9a51b9dedbed8b05783cd22c3f31b0bd40bd4bce7ee9b431576ceb5bb69e4
Instruction Fuzzy Hash: FCB16971604342AFDB04EF64D948B6BBBE4FF88314F008A1DF999AB2A1D771E805CB55

Function 00A6449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00A644AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00A644D2
_wcscpy.LIBCMT ref: 00A64500
_wcscmp.LIBCMT ref: 00A6450B
_wcscat.LIBCMT ref: 00A64521
_wcsstr.LIBCMT ref: 00A6452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00A64548
_wcscat.LIBCMT ref: 00A64591
_wcscat.LIBCMT ref: 00A64598
_wcsncpy.LIBCMT ref: 00A645C3

Strings

%u.%u.%u.%u, xrefs: 00A64626
DefaultLangCodepage, xrefs: 00A645AB
\VarFileInfo\Translation, xrefs: 00A64540
StringFileInfo\, xrefs: 00A6451B
04090000, xrefs: 00A6457E

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 1099b3b2f6843cd034e1a38889273754987811aad6ce25a57f802932e5a7cb06
Instruction ID: 67b6bb01d95beba233a58d7958d49dd92b3226823119bdcecf5e7b97f10784cf
Opcode Fuzzy Hash: 1099b3b2f6843cd034e1a38889273754987811aad6ce25a57f802932e5a7cb06
Instruction Fuzzy Hash: 0F41D4329002157FEB15BB78ED47EBF777CEF46710F04047AF905A6182EA349A0197A5

Function 00A027D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A028BC
GetSystemMetrics.USER32(00000007), ref: 00A028C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A028EF
GetSystemMetrics.USER32(00000008), ref: 00A028F7
GetSystemMetrics.USER32(00000004), ref: 00A0291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00A02939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00A02949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00A0297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00A02990
GetClientRect.USER32(00000000,000000FF), ref: 00A029AE
GetStockObject.GDI32(00000011), ref: 00A029CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00A029D5

Part of subcall function 00A02344: GetCursorPos.USER32(?), ref: 00A02357
Part of subcall function 00A02344: ScreenToClient.USER32(00AC57B0,?), ref: 00A02374
Part of subcall function 00A02344: GetAsyncKeyState.USER32(00000001), ref: 00A02399
Part of subcall function 00A02344: GetAsyncKeyState.USER32(00000002), ref: 00A023A7

SetTimer.USER32(00000000,00000000,00000028,00A01256), ref: 00A029FC

Strings

AutoIt v3 GUI, xrefs: 00A02974

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 2b88b35763c85a9b26ff684e415afef13b5702e7984c80ed631eefd64b59a1b2
Instruction ID: 1dc179196e32d873084bcb4a556c0f81f2141de2e9f5ba61ba17d5b486a5f1d1
Opcode Fuzzy Hash: 2b88b35763c85a9b26ff684e415afef13b5702e7984c80ed631eefd64b59a1b2
Instruction Fuzzy Hash: 36B15C75A0020AEFDB14DFA8DD49BAE7BB4FB08314F114229FA15E72E0DB74A851DB50

Function 00A5A439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00A5A47A
__swprintf.LIBCMT ref: 00A5A51B
_wcscmp.LIBCMT ref: 00A5A52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00A5A583
_wcscmp.LIBCMT ref: 00A5A5BF
GetClassNameW.USER32(?,?,00000400), ref: 00A5A5F6
GetDlgCtrlID.USER32(?), ref: 00A5A648
GetWindowRect.USER32(?,?), ref: 00A5A67E
GetParent.USER32(?), ref: 00A5A69C
ScreenToClient.USER32(00000000), ref: 00A5A6A3
GetClassNameW.USER32(?,?,00000100), ref: 00A5A71D
_wcscmp.LIBCMT ref: 00A5A731
GetWindowTextW.USER32(?,?,00000400), ref: 00A5A757
_wcscmp.LIBCMT ref: 00A5A76B

Part of subcall function 00A2362C: _iswctype.LIBCMT ref: 00A23634

Strings

%s%u, xrefs: 00A5A515

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 09b3fdbed99e4f416840c3f89d9857c213d0e523484cf007b1980c6653ec60d1
Instruction ID: 782b917b802ed13b3d1a3b7cebee3375d9a43857379f4eefb497cd32ea0cbbfd
Opcode Fuzzy Hash: 09b3fdbed99e4f416840c3f89d9857c213d0e523484cf007b1980c6653ec60d1
Instruction Fuzzy Hash: 4EA1D271304206AFDB14DF64C884FAAB7E8FF58352F048629FD99D2190DB30E959CB92

Function 00A5AED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00A5AF18
_wcscmp.LIBCMT ref: 00A5AF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 00A5AF51
CharUpperBuffW.USER32(?,00000000), ref: 00A5AF6E
_wcscmp.LIBCMT ref: 00A5AF8C
_wcsstr.LIBCMT ref: 00A5AF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00A5AFD5
_wcscmp.LIBCMT ref: 00A5AFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 00A5B00C
GetClassNameW.USER32(00000018,?,00000400), ref: 00A5B055
_wcscmp.LIBCMT ref: 00A5B065
GetClassNameW.USER32(00000010,?,00000400), ref: 00A5B08D
GetWindowRect.USER32(00000004,?), ref: 00A5B0F6

Strings

@, xrefs: 00A5AEF9
ThumbnailClass, xrefs: 00A5AFE0, 00A5B060

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 7e7cfd02f732e4cdd880fdcedb5fcc70b43d9c61616e4f93b926860141484132
Instruction ID: 71859786257627dec76bb798a725db8e8550eabba36ad113d0d493c9cad11986
Opcode Fuzzy Hash: 7e7cfd02f732e4cdd880fdcedb5fcc70b43d9c61616e4f93b926860141484132
Instruction Fuzzy Hash: 4C81E17111820A9FDB04DF14C981FAA77E8FF54316F04866AFD858A092DB34DD4DCBA1

Function 00A5ABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00A5AC33

Strings

CLASSNAME=, xrefs: 00A5AC70
LAST, xrefs: 00A5ABF8
ACTIVE, xrefs: 00A5AC0E
[ACTIVE, xrefs: 00A5AC20
HANDLE=, xrefs: 00A5AC2C
REGEXP=, xrefs: 00A5AC48
[CLASS:, xrefs: 00A5AC83
ALL, xrefs: 00A5ACC7
[REGEXPTITLE:, xrefs: 00A5AC5B
[ALL, xrefs: 00A5ACD9
[HANDLE:, xrefs: 00A5AC3F
[LAST, xrefs: 00A5ACE0

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 12e820b736643fc9f17dacb0d2d6469dd19da14b5ca32942d973096048facae3
Instruction ID: 62231ab05a3f7b70fba5d5d8f4b8e9add19e60702be6646ec8ed2da69ba07e8f
Opcode Fuzzy Hash: 12e820b736643fc9f17dacb0d2d6469dd19da14b5ca32942d973096048facae3
Instruction Fuzzy Hash: 90315871A48209BADB14FBA4EF43EEE77687F20751F600529F846710D2EF716F089652

Function 00A74FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00A75013
LoadCursorW.USER32(00000000,00007F00), ref: 00A7501E
LoadCursorW.USER32(00000000,00007F03), ref: 00A75029
LoadCursorW.USER32(00000000,00007F8B), ref: 00A75034
LoadCursorW.USER32(00000000,00007F01), ref: 00A7503F
LoadCursorW.USER32(00000000,00007F81), ref: 00A7504A
LoadCursorW.USER32(00000000,00007F88), ref: 00A75055
LoadCursorW.USER32(00000000,00007F80), ref: 00A75060
LoadCursorW.USER32(00000000,00007F86), ref: 00A7506B
LoadCursorW.USER32(00000000,00007F83), ref: 00A75076
LoadCursorW.USER32(00000000,00007F85), ref: 00A75081
LoadCursorW.USER32(00000000,00007F82), ref: 00A7508C
LoadCursorW.USER32(00000000,00007F84), ref: 00A75097
LoadCursorW.USER32(00000000,00007F04), ref: 00A750A2
LoadCursorW.USER32(00000000,00007F02), ref: 00A750AD
LoadCursorW.USER32(00000000,00007F89), ref: 00A750B8
GetCursorInfo.USER32(?), ref: 00A750C8

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 1128ab06e6c255295d71d31644c906a705560959022eb40185993c8a6a2473e4
Instruction ID: f805f165c16045021b479568c918cf0686450f5c23d0e2bc233949502441a8bd
Opcode Fuzzy Hash: 1128ab06e6c255295d71d31644c906a705560959022eb40185993c8a6a2473e4
Instruction Fuzzy Hash: D431F4B1D4831E6ADF109FB69C8995FBFE8FF04750F50852AA50DE7280DA7865018F91

Function 00A8A1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A8A259
DestroyWindow.USER32(?,?), ref: 00A8A2D3

Part of subcall function 00A07BCC: _memmove.LIBCMT ref: 00A07C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00A8A34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00A8A36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A8A382
DestroyWindow.USER32(00000000), ref: 00A8A3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00A00000,00000000), ref: 00A8A3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A8A3F4
GetDesktopWindow.USER32 ref: 00A8A40D
GetWindowRect.USER32(00000000), ref: 00A8A414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00A8A42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00A8A444

Part of subcall function 00A025DB: GetWindowLongW.USER32(?,000000EB), ref: 00A025EC

Strings

tooltips_class32, xrefs: 00A8A346, 00A8A3D4
0, xrefs: 00A8A26F

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 9f1f2b1a21187033d7b5af9fe04d86476a12f2608f0645a72e39d4ec20f6ff08
Instruction ID: 5006b1c5239fa8ffe0d264d660de0ab1c03b381d3a0e9e1cd365c1f4c6dbcd2d
Opcode Fuzzy Hash: 9f1f2b1a21187033d7b5af9fe04d86476a12f2608f0645a72e39d4ec20f6ff08
Instruction Fuzzy Hash: 4271DF70541345AFEB21DF68CC48F6A7BE5FB99300F04492EF9868B2A0D770E946DB52

Function 00A8C5FE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A02612: GetWindowLongW.USER32(?,000000EB), ref: 00A02623

DragQueryPoint.SHELL32(?,?), ref: 00A8C627

Part of subcall function 00A8AB37: ClientToScreen.USER32(?,?), ref: 00A8AB60
Part of subcall function 00A8AB37: GetWindowRect.USER32(?,?), ref: 00A8ABD6
Part of subcall function 00A8AB37: PtInRect.USER32(?,?,00A8C014), ref: 00A8ABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 00A8C690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00A8C69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00A8C6BE
_wcscat.LIBCMT ref: 00A8C6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00A8C705
SendMessageW.USER32(?,000000B0,?,?), ref: 00A8C71E
SendMessageW.USER32(?,000000B1,?,?), ref: 00A8C735
SendMessageW.USER32(?,000000B1,?,?), ref: 00A8C757
DragFinish.SHELL32(?), ref: 00A8C75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00A8C851

Strings

@GUI_DROPID, xrefs: 00A8C77E
@GUI_DRAGFILE, xrefs: 00A8C800
@GUI_DRAGID, xrefs: 00A8C7C9

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: d4e3a78a0da2e8503d28db437fbc49db67b54f2d24f748f0219510dce8595949
Instruction ID: f1099980d959d7d17b25a719f352568f09bf9ea5e342f0c0fa4643c3c03b605a
Opcode Fuzzy Hash: d4e3a78a0da2e8503d28db437fbc49db67b54f2d24f748f0219510dce8595949
Instruction Fuzzy Hash: 1C618C71508305AFC701EFA4DD85DAFBBE8FF89350F00092EF591922A1DB30A949CB62

Function 00A84392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00A84424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00A8446F

Strings

GETSELECTED, xrefs: 00A8457F
EXPAND, xrefs: 00A84521
UNCHECK, xrefs: 00A8464B
GETTEXT, xrefs: 00A845C2
COLLAPSE, xrefs: 00A844B5
EXISTS, xrefs: 00A844D8
GETITEMCOUNT, xrefs: 00A84551
ISCHECKED, xrefs: 00A845F2
GETTOTALCOUNT, xrefs: 00A84456
CHECK, xrefs: 00A8448F
SELECT, xrefs: 00A84620

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: e21f13bba303e805c01c7f2283ef3e53467349ce21dec3f2c9f9a836080c93a7
Instruction ID: 2c4b9b226665bb72cc60ce10365bc9d14498856c5694229e2028558e30961b69
Opcode Fuzzy Hash: e21f13bba303e805c01c7f2283ef3e53467349ce21dec3f2c9f9a836080c93a7
Instruction Fuzzy Hash: C0917C712043129FCB04EF24D551A6EB7E5AF99350F448868F8965B3A3DB31ED4ACB81

Function 00A8B7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00A8B8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00A891C2), ref: 00A8B910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00A8B949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00A8B98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00A8B9C3
FreeLibrary.KERNEL32(?), ref: 00A8B9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00A8B9DF
DestroyIcon.USER32(?,?,?,?,?,00A891C2), ref: 00A8B9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00A8BA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00A8BA17

Part of subcall function 00A22EFD: __wcsicmp_l.LIBCMT ref: 00A22F86

Strings

.icl, xrefs: 00A8B82A
.exe, xrefs: 00A8B84A
.dll, xrefs: 00A8B86D

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 90f06112a2fb7f1dc3a84c90e61e74990a05bad10f534a940539f7727e61c6a1
Instruction ID: b1ef88832b901d8de678656d2f669df7e2405940b8efbeaa8bf799cf998f3add
Opcode Fuzzy Hash: 90f06112a2fb7f1dc3a84c90e61e74990a05bad10f534a940539f7727e61c6a1
Instruction Fuzzy Hash: 92610E71910219BEEB14EFA4DC41FBE7BACFB08720F108215FA11D61C1DB74A991DBA0

Function 00A6DC1A Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00A6DCDC
SystemTimeToFileTime.KERNEL32(?,?), ref: 00A6DCEC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00A6DCF8
__wsplitpath.LIBCMT ref: 00A6DD56
_wcscat.LIBCMT ref: 00A6DD6E
_wcscat.LIBCMT ref: 00A6DD80
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A6DD95
SetCurrentDirectoryW.KERNEL32(?), ref: 00A6DDA9
SetCurrentDirectoryW.KERNEL32(?), ref: 00A6DDDB
SetCurrentDirectoryW.KERNEL32(?), ref: 00A6DDFC
_wcscpy.LIBCMT ref: 00A6DE08
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00A6DE47

Strings

*.*, xrefs: 00A6DE02

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 93a5042fa44685afd509ea3ea8e61ffb7a02bd875e2dec4609c6c9cd0e768c9f
Instruction ID: da0599aa033d4ea2b2e5ca11d7ebbe81ae81fc9bd03f1412f4230680ee35ea1c
Opcode Fuzzy Hash: 93a5042fa44685afd509ea3ea8e61ffb7a02bd875e2dec4609c6c9cd0e768c9f
Instruction Fuzzy Hash: 89617C726042099FCB10EF64D9449AFB3F8FF89350F04892DF98997251EB31E945CB92

Function 00A69C38 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00A69C7F

Part of subcall function 00A07DE1: _memmove.LIBCMT ref: 00A07E22

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00A69CA0
__swprintf.LIBCMT ref: 00A69CF9
__swprintf.LIBCMT ref: 00A69D12
_wprintf.LIBCMT ref: 00A69DB9
_wprintf.LIBCMT ref: 00A69DD7

Strings

^ ERROR , xrefs: 00A69D4E
Error: , xrefs: 00A69D81
Incorrect parameters to object property !, xrefs: 00A69D5B
"%s" (%d) : ==> %s:%s%s, xrefs: 00A69DB4
"%s" (%d) : ==> %s:, xrefs: 00A69DD2
Line %d (File "%s"):, xrefs: 00A69CF3, 00A69D0C

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: 592182b0edf92deca80ac4bc92a48395b7f99f75eb07bc4a3668a947091d2718
Instruction ID: 21984872922c6c2dbf0f176d8284dad071f9a1fa7a774febafaedba1d2f5174a
Opcode Fuzzy Hash: 592182b0edf92deca80ac4bc92a48395b7f99f75eb07bc4a3668a947091d2718
Instruction Fuzzy Hash: EB515C72D0060DBADF14EBE4EE46EEEB7BCAF14340F500565B505720A2EB352E59CB61

Function 00A6A352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00A09837: __itow.LIBCMT ref: 00A09862
Part of subcall function 00A09837: __swprintf.LIBCMT ref: 00A098AC

CharLowerBuffW.USER32(?,?), ref: 00A6A3CB
GetDriveTypeW.KERNEL32 ref: 00A6A418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A6A460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A6A497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A6A4C5

Part of subcall function 00A07BCC: _memmove.LIBCMT ref: 00A07C06

Strings

set cd door , xrefs: 00A6A466
open , xrefs: 00A6A427
type cdaudio alias cd wait, xrefs: 00A6A443
open, xrefs: 00A6A3F2
wait, xrefs: 00A6A482
close cd wait, xrefs: 00A6A4B0
closed, xrefs: 00A6A3DF, 00A6A3E8
close, xrefs: 00A6A3D1

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 6e6d5de5f3ff6827862981ffedffafd7089054f3dda77a61c857d4771055e7c6
Instruction ID: 9cc400ae13a1723ab11e2ae7573e864c419e99658ab4e427cb855caf3bc5055f
Opcode Fuzzy Hash: 6e6d5de5f3ff6827862981ffedffafd7089054f3dda77a61c857d4771055e7c6
Instruction Fuzzy Hash: EE512A715042099FC700EF24D99586EB7F8FF94758F10886DF89A672A2DB31AD0ACF52

Function 00A5F8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00A3E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00A5F8DF
LoadStringW.USER32(00000000,?,00A3E029,00000001), ref: 00A5F8E8

Part of subcall function 00A07DE1: _memmove.LIBCMT ref: 00A07E22

GetModuleHandleW.KERNEL32(00000000,00AC5310,?,00000FFF,?,?,00A3E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00A5F90A
LoadStringW.USER32(00000000,?,00A3E029,00000001), ref: 00A5F90D
__swprintf.LIBCMT ref: 00A5F95D
__swprintf.LIBCMT ref: 00A5F96E
_wprintf.LIBCMT ref: 00A5FA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00A5FA2E

Strings

Error: , xrefs: 00A5F9E5
%s (%d) : ==> %s: %s %s, xrefs: 00A5FA12
Line %d:, xrefs: 00A5F968
^ ERROR, xrefs: 00A5F9C3
Line %d (File "%s"):, xrefs: 00A5F957

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 1a62696a0c98945d8cf794aaf83350d73508469ed9661c1e829436fd80b1f7da
Instruction ID: f3fe904d146e91256d5c225f3f77c77453afe3315956ec1afbd32cf447bd677c
Opcode Fuzzy Hash: 1a62696a0c98945d8cf794aaf83350d73508469ed9661c1e829436fd80b1f7da
Instruction Fuzzy Hash: 2E411972D0411DAACF04FBE4EE96EEEB77CAF14341F500465B606B6092EA356F09CB61

Function 00A8BA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00A89207,?,?), ref: 00A8BA56
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00A89207,?,?,00000000,?), ref: 00A8BA6D
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00A89207,?,?,00000000,?), ref: 00A8BA78
CloseHandle.KERNEL32(00000000,?,?,?,?,00A89207,?,?,00000000,?), ref: 00A8BA85
GlobalLock.KERNEL32(00000000), ref: 00A8BA8E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00A89207,?,?,00000000,?), ref: 00A8BA9D
GlobalUnlock.KERNEL32(00000000), ref: 00A8BAA6
CloseHandle.KERNEL32(00000000,?,?,?,?,00A89207,?,?,00000000,?), ref: 00A8BAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00A89207,?,?,00000000,?), ref: 00A8BABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,00A92CAC,?), ref: 00A8BAD7
GlobalFree.KERNEL32(00000000), ref: 00A8BAE7
GetObjectW.GDI32(00000000,00000018,?), ref: 00A8BB0B
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00A8BB36
DeleteObject.GDI32(00000000), ref: 00A8BB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00A8BB74

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 8bce19f15f503ace7a722eef4112476740436ea632b9c5ff80ccda3131262f04
Instruction ID: 765be562099fa630926d21d091f9a43b89c898e716c793fde97736596746160c
Opcode Fuzzy Hash: 8bce19f15f503ace7a722eef4112476740436ea632b9c5ff80ccda3131262f04
Instruction Fuzzy Hash: 20411775600209EFDB21EFA5DC88EAABBB8FF89711F104169F905D7260D7309E02DB60

Function 00A6D899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00A6DA10
_wcscat.LIBCMT ref: 00A6DA28
_wcscat.LIBCMT ref: 00A6DA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A6DA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 00A6DA63
GetFileAttributesW.KERNEL32(?), ref: 00A6DA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 00A6DA95
SetCurrentDirectoryW.KERNEL32(?), ref: 00A6DAA7

Strings

*.*, xrefs: 00A6DAE6

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 24adec2d645d9b1b1db8cbd552d79e94df9807cd42afa91e944ee49eda14f136
Instruction ID: ee8154e9161de58e3b60b5ebfb994c201e2a8bbb08967515518ee5446d6e0382
Opcode Fuzzy Hash: 24adec2d645d9b1b1db8cbd552d79e94df9807cd42afa91e944ee49eda14f136
Instruction Fuzzy Hash: AA818372A043459FCB24DF64C944A6AB7F8BF89790F188C2EF889DB251E630D945CB52

Function 00A8C1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A02612: GetWindowLongW.USER32(?,000000EB), ref: 00A02623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00A8C1FC
GetFocus.USER32 ref: 00A8C20C
GetDlgCtrlID.USER32(00000000), ref: 00A8C217
_memset.LIBCMT ref: 00A8C342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00A8C36D
GetMenuItemCount.USER32(?), ref: 00A8C38D
GetMenuItemID.USER32(?,00000000), ref: 00A8C3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00A8C3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00A8C41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00A8C454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00A8C489

Strings

0, xrefs: 00A8C33A

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 3f598e8d7d6ec18fe47624d6f2d3997727bc04e386c7738ed8a04431cb63d443
Instruction ID: 514b75535b3b85f4a10f43d7ff55a68ebc23b7c45ee63b4a3a19b45eaf189ed1
Opcode Fuzzy Hash: 3f598e8d7d6ec18fe47624d6f2d3997727bc04e386c7738ed8a04431cb63d443
Instruction Fuzzy Hash: C5818C70608301AFD710EF64D898EABBBE8FB88724F00492EF99597291D770D945CF62

Function 00A7731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00A7738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00A7739B
CreateCompatibleDC.GDI32(?), ref: 00A773A7
SelectObject.GDI32(00000000,?), ref: 00A773B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00A77408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00A77444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00A77468
SelectObject.GDI32(00000006,?), ref: 00A77470
DeleteObject.GDI32(?), ref: 00A77479
DeleteDC.GDI32(00000006), ref: 00A77480
ReleaseDC.USER32(00000000,?), ref: 00A7748B

Strings

(, xrefs: 00A77410

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 8db02898a0ecf7b00e98c4c1e071398a9a82a3ab1b37f5643fbd3ce0d8f2e77a
Instruction ID: 702976e5c6846216b398dfa1c577fa4d9a877742dec0b64440a727089a0eb81a
Opcode Fuzzy Hash: 8db02898a0ecf7b00e98c4c1e071398a9a82a3ab1b37f5643fbd3ce0d8f2e77a
Instruction Fuzzy Hash: 9C514775904309EFCB14CFA8DC84EAEBBB9EF48310F14C529F99AAB211D731A941CB50

Function 00A06A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00A20957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00A06B0C,?,00008000), ref: 00A20973

Part of subcall function 00A04750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A04743,?,?,00A037AE,?), ref: 00A04770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00A06BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00A06CFA

Part of subcall function 00A0586D: _wcscpy.LIBCMT ref: 00A058A5

Part of subcall function 00A2363D: _iswctype.LIBCMT ref: 00A23645

Strings

#include depth exceeded. Make sure there are no recursive includes, xrefs: 00A3E421
AU3!, xrefs: 00A06B61
Unterminated string, xrefs: 00A3E7E4
>>>AUTOIT SCRIPT<<<, xrefs: 00A3E496
Bad directive syntax error, xrefs: 00A3E79D
Error opening the file, xrefs: 00A3E43D, 00A3E4B8
EA06, xrefs: 00A3E452

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 94cec6e11e8c96c697d681593f9e928c549e0a2be4223c9dc89eae7d0bd528ae
Instruction ID: a408ee6ac414ac54190f96038a94fbe737575443a68a9ff909b16978cb38bdb2
Opcode Fuzzy Hash: 94cec6e11e8c96c697d681593f9e928c549e0a2be4223c9dc89eae7d0bd528ae
Instruction Fuzzy Hash: 3D029D305083459FC724EF24E991AAFBBF5BF98314F14482DF486972A2DB30E949CB52

Function 00A62D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A62D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00A62DDD
GetMenuItemCount.USER32(00AC5890), ref: 00A62E66
DeleteMenu.USER32(00AC5890,00000005,00000000,000000F5,?,?), ref: 00A62EF6
DeleteMenu.USER32(00AC5890,00000004,00000000), ref: 00A62EFE
DeleteMenu.USER32(00AC5890,00000006,00000000), ref: 00A62F06
DeleteMenu.USER32(00AC5890,00000003,00000000), ref: 00A62F0E
GetMenuItemCount.USER32(00AC5890), ref: 00A62F16
SetMenuItemInfoW.USER32(00AC5890,00000004,00000000,00000030), ref: 00A62F4C
GetCursorPos.USER32(?), ref: 00A62F56
SetForegroundWindow.USER32(00000000), ref: 00A62F5F
TrackPopupMenuEx.USER32(00AC5890,00000000,?,00000000,00000000,00000000), ref: 00A62F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00A62F7E

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 3e196e934bdb9ff7b8892feaa8b680e228d8e3e5736aa7a9953495503e2b87b0
Instruction ID: 90c3b7768b9382e1c249d36890e27fbe03817aafe185229eb6dadd5535a81f48
Opcode Fuzzy Hash: 3e196e934bdb9ff7b8892feaa8b680e228d8e3e5736aa7a9953495503e2b87b0
Instruction Fuzzy Hash: 7E71F670601A06BFEB259F64DC49FAABF74FF04754F100226F625AA1E0C7765C60D791

Function 00A577DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00A07BCC: _memmove.LIBCMT ref: 00A07C06

_memset.LIBCMT ref: 00A5786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00A578A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00A578BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00A578D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00A57902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00A5792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00A57935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00A5793A

Strings

SOFTWARE\Classes\, xrefs: 00A5780C
\CLSID, xrefs: 00A57822
\IPC$, xrefs: 00A57882

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 40009a08ec1b3e879de260375d3d80b63ed8abe6bd247ac7cd2e85b09a02ca67
Instruction ID: be4ffff080f1f1087425c0b5211189fb4cda96e35a6214f9b3345d75254d47e6
Opcode Fuzzy Hash: 40009a08ec1b3e879de260375d3d80b63ed8abe6bd247ac7cd2e85b09a02ca67
Instruction Fuzzy Hash: DF410872C1422DAEDF11EFA4EC45DEEB778BF04310F004429E905B21A1EA306D49CBA0

Function 00A80E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A7FDAD,?,?), ref: 00A80E31

Strings

HKEY_CURRENT_CONFIG, xrefs: 00A80EEE
HKCU, xrefs: 00A80F21
HKCR, xrefs: 00A80ED9
HKEY_CURRENT_USER, xrefs: 00A80F10
HKCC, xrefs: 00A80EFF
HKU, xrefs: 00A80F43
HKEY_USERS, xrefs: 00A80F32
HKEY_CLASSES_ROOT, xrefs: 00A80EC4
HKEY_LOCAL_MACHINE, xrefs: 00A80E9A
HKLM, xrefs: 00A80EAF

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 1b6a712bb4cb89c740181e6594008b089984493aba053cb951a3e6b4db839028
Instruction ID: 3418d2ef39acc6b81ce721039358930baf48c09f138e3000f4dd895a214ce2d1
Opcode Fuzzy Hash: 1b6a712bb4cb89c740181e6594008b089984493aba053cb951a3e6b4db839028
Instruction Fuzzy Hash: 1C415A3150025A8BCF60EF14EAA5EEF3764BF11384F548464FE655B292DB31AD1ECBA0

Function 00A5F7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00A3E2A0,00000010,?,Bad directive syntax error,00A8F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00A5F7C2
LoadStringW.USER32(00000000,?,00A3E2A0,00000010), ref: 00A5F7C9

Part of subcall function 00A07DE1: _memmove.LIBCMT ref: 00A07E22

_wprintf.LIBCMT ref: 00A5F7FC
__swprintf.LIBCMT ref: 00A5F81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00A5F88D

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 00A5F7F7
Error: , xrefs: 00A5F85B
., xrefs: 00A5F873
Line %d:, xrefs: 00A5F818
Line %d (File "%s"):, xrefs: 00A5F833

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: f2dea6656650364aa06dd301ffd0099afef90671fbaa46c2731ac9f03232dc97
Instruction ID: f9d9bb9bf5b445e09b5745906a71510986f4d83538ed7f451094603fff517f11
Opcode Fuzzy Hash: f2dea6656650364aa06dd301ffd0099afef90671fbaa46c2731ac9f03232dc97
Instruction Fuzzy Hash: DB21593290021EBFCF11EFA4DD0AEEE7779BF18300F040865F515660A2EA35AA28DB50

Function 00A652C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00A07BCC: _memmove.LIBCMT ref: 00A07C06

Part of subcall function 00A07924: _memmove.LIBCMT ref: 00A079AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00A65330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00A65346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A65357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00A65369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00A6537A

Strings

status PlayMe mode, xrefs: 00A6532B
alias PlayMe, xrefs: 00A65309
open , xrefs: 00A652DF
play PlayMe wait, xrefs: 00A65364
close PlayMe, xrefs: 00A65341, 00A6536E
play PlayMe, xrefs: 00A65375

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: c074b1e22ff643f982cfb129182f7d6d3434b44951d799aa61f05b3eb16057d6
Instruction ID: 2849f9046dc7827471593b5f3280060498c04fbc1965e4afe23b87444104eb6e
Opcode Fuzzy Hash: c074b1e22ff643f982cfb129182f7d6d3434b44951d799aa61f05b3eb16057d6
Instruction Fuzzy Hash: F6115B21E5016D79D720ABB5DC5ADFFABBCFB91B84F100829B401A61D2EEA01D45C6A0

Function 00A646B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00A646D2
gethostname.WSOCK32(?,00000100), ref: 00A646EC
gethostbyname.WSOCK32(?), ref: 00A646F9
_wcscpy.LIBCMT ref: 00A64721
_memmove.LIBCMT ref: 00A64734
inet_ntoa.WSOCK32(?), ref: 00A6473F
_strcat.LIBCMT ref: 00A6474D
_wcscpy.LIBCMT ref: 00A64764
WSACleanup.WSOCK32 ref: 00A64772
_wcscpy.LIBCMT ref: 00A64780

Strings

0.0.0.0, xrefs: 00A6471B

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 0f54c8676954153213404538e2705733166cdd4f926460ac24435bc6a3948c47
Instruction ID: 843d183e33443db41123df72cb7ba8cebeb2e0a003a7bf74a5997a63e97e3562
Opcode Fuzzy Hash: 0f54c8676954153213404538e2705733166cdd4f926460ac24435bc6a3948c47
Instruction Fuzzy Hash: 1711E431900115BFDB20AB74AC4AEEA77BCEF06711F0401B6F44596091FF748AC28B50

Function 00A64F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00A64F7A

Part of subcall function 00A2049F: timeGetTime.WINMM(?,75A4B400,00A10E7B), ref: 00A204A3

Sleep.KERNEL32(0000000A), ref: 00A64FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00A64FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00A64FEC
SetActiveWindow.USER32 ref: 00A6500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00A65019
SendMessageW.USER32(00000010,00000000,00000000), ref: 00A65038
Sleep.KERNEL32(000000FA), ref: 00A65043
IsWindow.USER32 ref: 00A6504F
EndDialog.USER32(00000000), ref: 00A65060

Strings

BUTTON, xrefs: 00A64FDE

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 1fe1dd351e302e91049b657c405feffce355bb1f5734d2fff2b4630c400d3fe5
Instruction ID: a56ce121961daef1ba13d9ac4a52fb58a924f94d41bb241799b5d231962f3d8d
Opcode Fuzzy Hash: 1fe1dd351e302e91049b657c405feffce355bb1f5734d2fff2b4630c400d3fe5
Instruction Fuzzy Hash: 20216A7460460ABFEB10DFB0ED89E263BB9EF48745F261038F103821B1DB719D528B62

Function 00A6D58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00A09837: __itow.LIBCMT ref: 00A09862
Part of subcall function 00A09837: __swprintf.LIBCMT ref: 00A098AC

CoInitialize.OLE32(00000000), ref: 00A6D5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00A6D67D
SHGetDesktopFolder.SHELL32(?), ref: 00A6D691
CoCreateInstance.OLE32(00A92D7C,00000000,00000001,00AB8C1C,?), ref: 00A6D6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00A6D74C
CoTaskMemFree.OLE32(?,?), ref: 00A6D7A4
_memset.LIBCMT ref: 00A6D7E1
SHBrowseForFolderW.SHELL32(?), ref: 00A6D81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00A6D840
CoTaskMemFree.OLE32(00000000), ref: 00A6D847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00A6D87E
CoUninitialize.OLE32(00000001,00000000), ref: 00A6D880

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 03d313f4e0e7f35892530af1211ed9b5f35ab20409c2f86a72171f17114a35dc
Instruction ID: 32a60ad2f97e653569cf0690151af9da8ce7ef5473b65150b77ccc58c95b4199
Opcode Fuzzy Hash: 03d313f4e0e7f35892530af1211ed9b5f35ab20409c2f86a72171f17114a35dc
Instruction Fuzzy Hash: 8AB10B75A00109AFDB04DFA4C988DAEBBB9FF49354F148469F909EB261DB30ED45CB50

Function 00A5C267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00A5C283
GetWindowRect.USER32(00000000,?), ref: 00A5C295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00A5C2F3
GetDlgItem.USER32(?,00000002), ref: 00A5C2FE
GetWindowRect.USER32(00000000,?), ref: 00A5C310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00A5C364
GetDlgItem.USER32(?,000003E9), ref: 00A5C372
GetWindowRect.USER32(00000000,?), ref: 00A5C383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00A5C3C6
GetDlgItem.USER32(?,000003EA), ref: 00A5C3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00A5C3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 00A5C3FE

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: f5da2e1b7d4b9b7ad9182f439c321140c72096c7936cddbedf8f9c13b19bc12f
Instruction ID: 67ac2d825f36c179cad9910ce0f5a09e445236cf4874d93cf1d4cebd4c7fd9cf
Opcode Fuzzy Hash: f5da2e1b7d4b9b7ad9182f439c321140c72096c7936cddbedf8f9c13b19bc12f
Instruction Fuzzy Hash: 78515F71B00205AFDB18CFA9DD89AAEBBB6FB88321F14813DF915D6294D7709D458B10

Function 00A0201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00A01B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A02036,?,00000000,?,?,?,?,00A016CB,00000000,?), ref: 00A01B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00A020D3
KillTimer.USER32(-00000001,?,?,?,?,00A016CB,00000000,?,?,00A01AE2,?,?), ref: 00A0216E
DestroyAcceleratorTable.USER32(00000000), ref: 00A3BCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00A016CB,00000000,?,?,00A01AE2,?,?), ref: 00A3BCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00A016CB,00000000,?,?,00A01AE2,?,?), ref: 00A3BCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00A016CB,00000000,?,?,00A01AE2,?,?), ref: 00A3BD0A
DeleteObject.GDI32(00000000), ref: 00A3BD1C

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 178a47a782db06805ba0f26cd724f2bacf0764cdae6fc295e638868861301c99
Instruction ID: 69d2c01fb5c760e0250c878fc4e1f1c991db03ffe67fb188442f5727a3fde8d9
Opcode Fuzzy Hash: 178a47a782db06805ba0f26cd724f2bacf0764cdae6fc295e638868861301c99
Instruction Fuzzy Hash: A5616831910B09DFDB35DF64E948B2AB7F2FB44312F508529F5429A9A0C770BC92EB90

Function 00A021A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00A025DB: GetWindowLongW.USER32(?,000000EB), ref: 00A025EC

GetSysColor.USER32(0000000F), ref: 00A021D3

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 56116f3f45322ae6bfbb9896d0a97b46ba5551d652359d16f468e04dc6a185b5
Instruction ID: 6a206c4d57e6ebc057e123d620b1850af632e2d24400a1269e8711c69be7d5b2
Opcode Fuzzy Hash: 56116f3f45322ae6bfbb9896d0a97b46ba5551d652359d16f468e04dc6a185b5
Instruction Fuzzy Hash: E1416431500644AFDB259FA8EC8CBF93766EB4A321F244365FE658A1E5C7318C82DB61

Function 00A6A8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00A8F910), ref: 00A6A90B
GetDriveTypeW.KERNEL32(00000061,00AB89A0,00000061), ref: 00A6A9D5
_wcscpy.LIBCMT ref: 00A6A9FF

Strings

ramdisk, xrefs: 00A6A97F
all, xrefs: 00A6A911
network, xrefs: 00A6A969
fixed, xrefs: 00A6A953
unknown, xrefs: 00A6A996
cdrom, xrefs: 00A6A927
removable, xrefs: 00A6A93D

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 0fc7d9914f054f721c69cf0cc6b742dbfa6828eb85c2cec94fa79638424a087c
Instruction ID: 780398d30dca908c64d962d8a990b5df4238c05486fbb933b162b8f5b2752b1e
Opcode Fuzzy Hash: 0fc7d9914f054f721c69cf0cc6b742dbfa6828eb85c2cec94fa79638424a087c
Instruction Fuzzy Hash: A6517E32508301AFC700EF14DA92AAFB7B9FFA4344F54482DF595672E2DB319909CA53

Function 00A09837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00A09862
__swprintf.LIBCMT ref: 00A098AC
__i64tow.LIBCMT ref: 00A3F5E6

Strings

False, xrefs: 00A3F5AE
%.15g, xrefs: 00A098A6
True, xrefs: 00A3F5A7
0x%p, xrefs: 00A3F5C8

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 308f5c06dfb45da1911413000ece89a1c05e6da8bd0f911d2898ea7786a339ba
Instruction ID: 57f67049472b3587066950c84b25d6f38c06cfcd0b3b39c24350470bdc236192
Opcode Fuzzy Hash: 308f5c06dfb45da1911413000ece89a1c05e6da8bd0f911d2898ea7786a339ba
Instruction Fuzzy Hash: B941B571914209AFEB24DF78E946E7A73F9FF05300F20487EF549D6292EA3599458B10

Function 00A87152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A8716A
CreateMenu.USER32 ref: 00A87185
SetMenu.USER32(?,00000000), ref: 00A87194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A87221
IsMenu.USER32(?), ref: 00A87237
CreatePopupMenu.USER32 ref: 00A87241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00A8726E
DrawMenuBar.USER32 ref: 00A87276

Strings

F, xrefs: 00A87262
0, xrefs: 00A87160

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 4b258479a78cbc5ce14261624d2e08107551cb830e27dbad46c0b14fc444a9fe
Instruction ID: 9ecad6efd07977b390b898d29c0821c38107f5bdc511c1dfe807656140ee4c37
Opcode Fuzzy Hash: 4b258479a78cbc5ce14261624d2e08107551cb830e27dbad46c0b14fc444a9fe
Instruction Fuzzy Hash: E8415A74A01205EFDB10EFA4D988EDA7BB5FF49310F240028F955A7361E731A920CF90

Function 00A874BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00A8755E
CreateCompatibleDC.GDI32(00000000), ref: 00A87565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00A87578
SelectObject.GDI32(00000000,00000000), ref: 00A87580
GetPixel.GDI32(00000000,00000000,00000000), ref: 00A8758B
DeleteDC.GDI32(00000000), ref: 00A87594
GetWindowLongW.USER32(?,000000EC), ref: 00A8759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00A875B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00A875BE

Strings

static, xrefs: 00A874F6

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: de19a89e7eff6a05117834be11b355ede1db82852975b3d624ae1eb96668a421
Instruction ID: f1219feeeb79302041262157e8ed2785c0e947a4f21921214d26ddd492130d84
Opcode Fuzzy Hash: de19a89e7eff6a05117834be11b355ede1db82852975b3d624ae1eb96668a421
Instruction Fuzzy Hash: EE316B32504215BFDF16AFA4DC08FDB3B69FF09360F210224FA15A61A0D731D822DBA4

Function 00A26E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A26E3E

Part of subcall function 00A28B28: __getptd_noexit.LIBCMT ref: 00A28B28

__gmtime64_s.LIBCMT ref: 00A26ED7
__gmtime64_s.LIBCMT ref: 00A26F0D
__gmtime64_s.LIBCMT ref: 00A26F2A
__allrem.LIBCMT ref: 00A26F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A26F9C
__allrem.LIBCMT ref: 00A26FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A26FD1
__allrem.LIBCMT ref: 00A26FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A27006
__invoke_watson.LIBCMT ref: 00A27077

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: 06b5522d3c2f480902ac81a8f9951936de2b447702a986824f2a5c4cd0766fc1
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: D9710676A05726ABDB14EF7CED41B6AB7B8AF04360F144239F514D7281E770EE048790

Function 00A62527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A62542
GetMenuItemInfoW.USER32(00AC5890,000000FF,00000000,00000030), ref: 00A625A3
SetMenuItemInfoW.USER32(00AC5890,00000004,00000000,00000030), ref: 00A625D9
Sleep.KERNEL32(000001F4), ref: 00A625EB
GetMenuItemCount.USER32(?), ref: 00A6262F
GetMenuItemID.USER32(?,00000000), ref: 00A6264B
GetMenuItemID.USER32(?,-00000001), ref: 00A62675
GetMenuItemID.USER32(?,?), ref: 00A626BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00A62700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A62714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A62735

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: eab44fab442469941fdad880a89a384f24076c678156a6968b142c886cd67350
Instruction ID: d1411216dca1db0280c0564446973ff50bafd5cc4de19cc5436639033b2f7d2e
Opcode Fuzzy Hash: eab44fab442469941fdad880a89a384f24076c678156a6968b142c886cd67350
Instruction Fuzzy Hash: 1C61A3B4900A4AAFDB21CFA4DD84FFE7BB8EB45344F140169F842A7291D735AD06DB21

Function 00A86F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00A86FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00A86FA8
GetWindowLongW.USER32(?,000000F0), ref: 00A86FCC
_memset.LIBCMT ref: 00A86FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00A86FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00A87067

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: c5678019396344a8884e1f051edd00a20e7e75ee268b19bd7bde72dc71ce141d
Instruction ID: 9ed82280419ffc6736cfe7e73bb91cf00ed4ce7f5b45921d7bae01c5915ee56f
Opcode Fuzzy Hash: c5678019396344a8884e1f051edd00a20e7e75ee268b19bd7bde72dc71ce141d
Instruction Fuzzy Hash: 98615B75900208AFDB11EFA4CD85FEE77F8EB09710F244169FA14AB2A1D771AD41DBA0

Function 00A56B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00A56BBF
SafeArrayAllocData.OLEAUT32(?), ref: 00A56C18
VariantInit.OLEAUT32(?), ref: 00A56C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00A56C4A
VariantCopy.OLEAUT32(?,?), ref: 00A56C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00A56CB1
VariantClear.OLEAUT32(?), ref: 00A56CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 00A56CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00A56CDC
VariantClear.OLEAUT32(?), ref: 00A56CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00A56CF9

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 90b90e69d715befb8f23a67b65de85af5f54e19df5326a699306757d499cf404
Instruction ID: 807cc003290880a0368ab7563d72a4e5bd809e9c801573cf370ea977ac3a7846
Opcode Fuzzy Hash: 90b90e69d715befb8f23a67b65de85af5f54e19df5326a699306757d499cf404
Instruction Fuzzy Hash: A8414275A00119AFCF00DFA8D9449AEBBB9FF08355F408069ED55E7361DB30A94ACF90

Function 00A75732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00A75793
inet_addr.WSOCK32(?,?,?), ref: 00A757D8
gethostbyname.WSOCK32(?), ref: 00A757E4
IcmpCreateFile.IPHLPAPI ref: 00A757F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00A75862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00A75878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00A758ED
WSACleanup.WSOCK32 ref: 00A758F3

Strings

Ping, xrefs: 00A75816

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 36c3c6b951037c31eb7c29379f04e2a368eac8c119498f31e5c5632fbfb4c45f
Instruction ID: 4388f0fa542b314df42753b97b6a3ad114184fff12a31119661b4bab8c184a43
Opcode Fuzzy Hash: 36c3c6b951037c31eb7c29379f04e2a368eac8c119498f31e5c5632fbfb4c45f
Instruction Fuzzy Hash: F8518D31A006019FDB10EF64DD49B2A7BE4EF48720F04C969F99ADB2A1DB70E805DB42

Function 00A6B4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A6B4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00A6B546
GetLastError.KERNEL32 ref: 00A6B550
SetErrorMode.KERNEL32(00000000,READY), ref: 00A6B5BD

Strings

NOTREADY, xrefs: 00A6B57C
INVALID, xrefs: 00A6B58F
READONLY, xrefs: 00A6B588
READY, xrefs: 00A6B596
UNKNOWN, xrefs: 00A6B575

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 835fa0fba1d1da9c9b991fa8ee896889e61f84ac259c0c96b4e3d81d63b5bcfe
Instruction ID: 7e8f5d82d858ef79ecb4fa8afda5fb97a84bdc2f510843e47258ffb53bf7c51a
Opcode Fuzzy Hash: 835fa0fba1d1da9c9b991fa8ee896889e61f84ac259c0c96b4e3d81d63b5bcfe
Instruction Fuzzy Hash: 1E317475A00209EFCB00EFA8D985EEE77B8FF49310F144165E607D7292DB719A82CB61

Function 00A58F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A07DE1: _memmove.LIBCMT ref: 00A07E22

Part of subcall function 00A5AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00A5AABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00A59014
GetDlgCtrlID.USER32 ref: 00A5901F
GetParent.USER32 ref: 00A5903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00A5903E
GetDlgCtrlID.USER32(?), ref: 00A59047
GetParent.USER32(?), ref: 00A59063
SendMessageW.USER32(00000000,?,?,00000111), ref: 00A59066

Strings

ComboBox, xrefs: 00A58F9C
ListBox, xrefs: 00A58FD1

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 62910ad205d00bf2babc61a8dc8ab9e648e858cc7cf1c002132887b157ee9e76
Instruction ID: cc1fd51b9051018a4bbe0a61c672441d2600a969938f239b4e0ad6d04f796b7b
Opcode Fuzzy Hash: 62910ad205d00bf2babc61a8dc8ab9e648e858cc7cf1c002132887b157ee9e76
Instruction Fuzzy Hash: 8B21AE70A00109BFDF04ABA0CC85EFEBBB8EF49311F104625B921972E1EB755829DB20

Function 00A5907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A07DE1: _memmove.LIBCMT ref: 00A07E22

Part of subcall function 00A5AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00A5AABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00A590FD
GetDlgCtrlID.USER32 ref: 00A59108
GetParent.USER32 ref: 00A59124
SendMessageW.USER32(00000000,?,00000111,?), ref: 00A59127
GetDlgCtrlID.USER32(?), ref: 00A59130
GetParent.USER32(?), ref: 00A5914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 00A5914F

Strings

ComboBox, xrefs: 00A59087
ListBox, xrefs: 00A590BC

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 2106943032d8fec5a0d0fdc92b088e66136877a0db274ed6a274bedd6f058573
Instruction ID: a27ad2e305acb82805d1a4a77a8965a57ce9cc802a86b59673a1ab5895c2919f
Opcode Fuzzy Hash: 2106943032d8fec5a0d0fdc92b088e66136877a0db274ed6a274bedd6f058573
Instruction Fuzzy Hash: B421A174A00109BFDF01ABA4DC85EFEBBB8FF54301F104125B911972A2EB755869DF20

Function 00A59163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00A5916F
GetClassNameW.USER32(00000000,?,00000100), ref: 00A59184
_wcscmp.LIBCMT ref: 00A59196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00A59211

Strings

largeicons, xrefs: 00A591A5
details, xrefs: 00A591BF
smallicons, xrefs: 00A591D9
list, xrefs: 00A591F3
SHELLDLL_DefView, xrefs: 00A59190

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 690e2230fa109756bddeabaf91a5bf456cc8aecca5556c6509b128cc33cc0fdb
Instruction ID: efcbaa4b4726b1cbd042bc7a1f0cbee96e309f31425d6636c0737f2f77e9f184
Opcode Fuzzy Hash: 690e2230fa109756bddeabaf91a5bf456cc8aecca5556c6509b128cc33cc0fdb
Instruction Fuzzy Hash: 2111A736248317F9FA112628EC06DEF3B9CBB15721F200526FD14E94D2FFB158556694

Function 00A788AB Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A788D7
CoInitialize.OLE32(00000000), ref: 00A78904
CoUninitialize.OLE32 ref: 00A7890E
GetRunningObjectTable.OLE32(00000000,?), ref: 00A78A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00A78B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00A92C0C), ref: 00A78B6F
CoGetObject.OLE32(?,00000000,00A92C0C,?), ref: 00A78B92
SetErrorMode.KERNEL32(00000000), ref: 00A78BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00A78C25
VariantClear.OLEAUT32(?), ref: 00A78C35

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 2ed0fef003faae843f5822b14ff03c2643ff85cec7bdf27fe086195055797923
Instruction ID: fb8e9b363c9055aa749279a68a001fee8dd2dedceaa261f617e47ac61863e753
Opcode Fuzzy Hash: 2ed0fef003faae843f5822b14ff03c2643ff85cec7bdf27fe086195055797923
Instruction Fuzzy Hash: A7C116B1608305AFD700DF68C88892BB7E9FF89748F00895DF9899B251DB75ED06CB52

Function 00A67990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00A67A6C

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: a69de957ce2f3fd9974a3887526ff3c92cb1fa368d4badeed747c62c57a3739b
Instruction ID: a232b37a1e0fbbc9b897720e623c9763d7b7ca4541d82babc847bde5174877c2
Opcode Fuzzy Hash: a69de957ce2f3fd9974a3887526ff3c92cb1fa368d4badeed747c62c57a3739b
Instruction Fuzzy Hash: E7B1D17591421A9FDB00DFA8D884BBEB7F4FF09329F204429E951E7291D734E941CBA0

Function 00A611CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00A611F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00A60268,?,00000001), ref: 00A61204
GetWindowThreadProcessId.USER32(00000000), ref: 00A6120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00A60268,?,00000001), ref: 00A6121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 00A6122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00A60268,?,00000001), ref: 00A61245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00A60268,?,00000001), ref: 00A61257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00A60268,?,00000001), ref: 00A6129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00A60268,?,00000001), ref: 00A612B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00A60268,?,00000001), ref: 00A612BC

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: abac9d891b627a0b52d5fb261207035f30f6f4ef452bea753de81cca44a1bb37
Instruction ID: 90cdaa83f85b2ee7f934d3d3d582afda9eb8650facb26fc588dd1d5fd1d4674c
Opcode Fuzzy Hash: abac9d891b627a0b52d5fb261207035f30f6f4ef452bea753de81cca44a1bb37
Instruction Fuzzy Hash: 1131A0B5600208BFDB10DFA5EC98FAA7BB9EF55315F154239FD00D61A0D7749D418BA0

Function 00A3BDA2 Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00A02231
SetTextColor.GDI32(?,000000FF), ref: 00A0223B
SetBkMode.GDI32(?,00000001), ref: 00A02250
GetStockObject.GDI32(00000005), ref: 00A02258
GetClientRect.USER32(?), ref: 00A3BDBB
SendMessageW.USER32(?,00001328,00000000,?), ref: 00A3BDD2
GetWindowDC.USER32(?), ref: 00A3BDDE
GetPixel.GDI32(00000000,?,?), ref: 00A3BDED
ReleaseDC.USER32(?,00000000), ref: 00A3BDFF
GetSysColor.USER32(00000005), ref: 00A3BE1D

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID:
API String ID: 3430376129-0
Opcode ID: a7ca7bc17dc5284136ac941e9b03d7a91d90a4851f516756815784a5b70e0f8f
Instruction ID: 8600c64818279291e50f411ad3014b4c14a6667d32a84e5a78995741c92bde88
Opcode Fuzzy Hash: a7ca7bc17dc5284136ac941e9b03d7a91d90a4851f516756815784a5b70e0f8f
Instruction Fuzzy Hash: D021E731540246EFDB21ABE4EC4DBE97B62EB19321F204275FA25950F1DB314952DB11

Function 00A0FA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00A0FAA6
OleUninitialize.OLE32(?,00000000), ref: 00A0FB45
UnregisterHotKey.USER32(?), ref: 00A0FC9C
DestroyWindow.USER32(?), ref: 00A445D6
FreeLibrary.KERNEL32(?), ref: 00A4463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00A44668

Strings

close all, xrefs: 00A0FAA1

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 78d972dfaea7e5e9e40699b5938326b02aa395ad478b7b093c1ae8be5cff89b1
Instruction ID: edadb43d1a393390d33796db9809fdc15a9ee62e5281f94c5efcaec28e8f2b96
Opcode Fuzzy Hash: 78d972dfaea7e5e9e40699b5938326b02aa395ad478b7b093c1ae8be5cff89b1
Instruction Fuzzy Hash: 47A19134701216CFDB28EF14D695B69F3A4BF49700F5542ADE80AAB292DB30EC16CF50

Function 00A5A068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00A5A439), ref: 00A5A377

Strings

INSTANCE, xrefs: 00A5A285
REGEXPCLASS, xrefs: 00A5A13C
CLASS, xrefs: 00A5A0F6
NAME, xrefs: 00A5A1A9
TEXT, xrefs: 00A5A2AE
CLASSNN, xrefs: 00A5A119

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 8a675f063ad9e4a4cf8f33e508e9cc2fd0229f7618cec0ae9e6c78981bc64747
Instruction ID: 163367ab96109fc3c0a73fb76e37c66ca93e2008cbc0258a70002e73b656ccab
Opcode Fuzzy Hash: 8a675f063ad9e4a4cf8f33e508e9cc2fd0229f7618cec0ae9e6c78981bc64747
Instruction Fuzzy Hash: 8C91E631B00606ABCB08DFA4D582BEDFB78BF14351F508229EC49A7192DF31699DCB91

Function 00A02E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00A02EAE

Part of subcall function 00A01DB3: GetClientRect.USER32(?,?), ref: 00A01DDC
Part of subcall function 00A01DB3: GetWindowRect.USER32(?,?), ref: 00A01E1D
Part of subcall function 00A01DB3: ScreenToClient.USER32(?,?), ref: 00A01E45

GetDC.USER32 ref: 00A3CD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00A3CD45
SelectObject.GDI32(00000000,00000000), ref: 00A3CD53
SelectObject.GDI32(00000000,00000000), ref: 00A3CD68
ReleaseDC.USER32(?,00000000), ref: 00A3CD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00A3CDFB

Strings

U, xrefs: 00A3CCD0

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 2204a3f734de1633851501ca51e55676c700d26435bfd9c81aa9d6be49487771
Instruction ID: 01a23c375211903370881ce675567a325a71ec15f2da35913ef3b73188238612
Opcode Fuzzy Hash: 2204a3f734de1633851501ca51e55676c700d26435bfd9c81aa9d6be49487771
Instruction Fuzzy Hash: D571DF31900209DFCF21DF64DC84AAA7FB5FF48360F24427AFD55AA2A6D7319881DB60

Function 00A71A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00A71A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00A71A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00A71ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00A71AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00A71AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00A71B10
InternetCloseHandle.WININET(00000000), ref: 00A71B57

Part of subcall function 00A72483: GetLastError.KERNEL32(?,?,00A71817,00000000,00000000,00000001), ref: 00A72498
Part of subcall function 00A72483: SetEvent.KERNEL32(?,?,00A71817,00000000,00000000,00000001), ref: 00A724AD

Strings

, xrefs: 00A71B01

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 6a515ffddf332a9c136f4f3907cd1f70576939f8ca036f9ab4008dc050df4971
Instruction ID: a306d49888d6b11f4398d87dcc562c4d4a5119a88f8f81757cd00948c0218e90
Opcode Fuzzy Hash: 6a515ffddf332a9c136f4f3907cd1f70576939f8ca036f9ab4008dc050df4971
Instruction Fuzzy Hash: 4E416EB1601219BFEB119F54CC89FFB7BACEF48354F10C12AFA099A141E7749E459BA0

Function 00A78C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00A8F910), ref: 00A78D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00A8F910), ref: 00A78D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00A78ED6
SysFreeString.OLEAUT32(?), ref: 00A78F00

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: c73aa0e29533b6cc01215bb9e2f837a083374abdf5f54df92b9a8a7a4d64c5a3
Instruction ID: 9f312469c2fee15b5fadc47d507a99256ca7e6461f563a25d9b0d78ede00aaa5
Opcode Fuzzy Hash: c73aa0e29533b6cc01215bb9e2f837a083374abdf5f54df92b9a8a7a4d64c5a3
Instruction Fuzzy Hash: F6F11671A00209AFCB14DF94CC88EAEB7B9FF49315F10C499F909AB251DB35AE46CB51

Function 00A7F694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A7F6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00A7F848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00A7F86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00A7F8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00A7F8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00A7FA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00A7FA7C
CloseHandle.KERNEL32(?), ref: 00A7FAAB
CloseHandle.KERNEL32(?), ref: 00A7FB22

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 39e9470101d11730a69c8f6a66ab205dd9e360884ce58bb840d429b5dca84e63
Instruction ID: 7ca4bf14aad094487cc2fefc957825e728046900e99a3ba7f0c9bff308587b58
Opcode Fuzzy Hash: 39e9470101d11730a69c8f6a66ab205dd9e360884ce58bb840d429b5dca84e63
Instruction Fuzzy Hash: ECE1BD316042019FCB14EF24D981B6ABBE5FF89354F14C96DF8999B2A2CB30DD45CB52

Function 00A64CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00A6466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00A63697,?), ref: 00A6468B

Part of subcall function 00A6466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00A63697,?), ref: 00A646A4

Part of subcall function 00A64A31: GetFileAttributesW.KERNEL32(?,00A6370B), ref: 00A64A32

lstrcmpiW.KERNEL32(?,?), ref: 00A64D40
_wcscmp.LIBCMT ref: 00A64D5A
MoveFileW.KERNEL32(?,?), ref: 00A64D75

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 791edbee65c3fd5cc8f31bcae3fec9a585091962f33a06db76565560d1a06a35
Instruction ID: 9c68d5e55b4bbfb8389796cdc716fbdd926347795d52b81d1224b09065b476bf
Opcode Fuzzy Hash: 791edbee65c3fd5cc8f31bcae3fec9a585091962f33a06db76565560d1a06a35
Instruction Fuzzy Hash: 7F5175B24083459FC724EBA4D9819DFB3ECAF89750F00092EF689C3151EF34A188C766

Function 00A88645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00A886FF

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 6a2e2a9898283d29c7936894e511f863aaed1cfcb26ae9a25edc0541798e5a34
Instruction ID: a20c7cec8010dbe7d8d26511fb4925eb3afa084813e366292081761275c511bb
Opcode Fuzzy Hash: 6a2e2a9898283d29c7936894e511f863aaed1cfcb26ae9a25edc0541798e5a34
Instruction Fuzzy Hash: CE519030900244BEEF20EB68DC89FAD7BB4FB05760FA04225F951E61E1DF79A980DB50

Function 00A02B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00A3C2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00A3C319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00A3C331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00A3C34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00A3C370
DestroyIcon.USER32(00000000), ref: 00A3C37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00A3C39C
DestroyIcon.USER32(?), ref: 00A3C3AB

Part of subcall function 00A8A4AF: DeleteObject.GDI32(00000000), ref: 00A8A4E8

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 03bd860120c4a4a8b4bd3f621521f6a7beffc73cda6f22db2deee934ed554682
Instruction ID: a770e01d2b7a32e018c3bd1b3ac60a95dd01730ffd3dd816e218ecfb87c3807d
Opcode Fuzzy Hash: 03bd860120c4a4a8b4bd3f621521f6a7beffc73cda6f22db2deee934ed554682
Instruction Fuzzy Hash: 29513A70A00309AFDB24DFA4DC49FAA7BB5EB59720F104529F902AB2D0D770ED91DB50

Function 00A5966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A5A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A5A84C
Part of subcall function 00A5A82C: GetCurrentThreadId.KERNEL32 ref: 00A5A853
Part of subcall function 00A5A82C: AttachThreadInput.USER32(00000000,?,00A59683,?,00000001), ref: 00A5A85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 00A5968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00A596AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00A596AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 00A596B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00A596D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00A596D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 00A596E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00A596F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00A596FB

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: a0f4076ee7463f4aa2a7647e8d4420445ba03252aa64a58282a1b982eec548f9
Instruction ID: 6854e7ae6a26cc15a8e064cdf762b7ee13fa3adb9d45e055a4e3792771e72f43
Opcode Fuzzy Hash: a0f4076ee7463f4aa2a7647e8d4420445ba03252aa64a58282a1b982eec548f9
Instruction Fuzzy Hash: AF11E1B1A10219BEF610AFA0DC89F6A3B2DEB4C751F100525F744AB0A0C9F25C11DBA4

Function 00A58921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00A5853C,00000B00,?,?), ref: 00A5892A
HeapAlloc.KERNEL32(00000000,?,00A5853C,00000B00,?,?), ref: 00A58931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00A5853C,00000B00,?,?), ref: 00A58946
GetCurrentProcess.KERNEL32(?,00000000,?,00A5853C,00000B00,?,?), ref: 00A5894E
DuplicateHandle.KERNEL32(00000000,?,00A5853C,00000B00,?,?), ref: 00A58951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00A5853C,00000B00,?,?), ref: 00A58961
GetCurrentProcess.KERNEL32(00A5853C,00000000,?,00A5853C,00000B00,?,?), ref: 00A58969
DuplicateHandle.KERNEL32(00000000,?,00A5853C,00000B00,?,?), ref: 00A5896C
CreateThread.KERNEL32(00000000,00000000,00A58992,00000000,00000000,00000000), ref: 00A58986

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: f80557296649daadfd65860eaee88bbeca3f082653f7c0ad6b9c84d65b116224
Instruction ID: a92b3947d312b30baade0837da8dff416b385a6e1df5549b6af5c3b24b8c0acf
Opcode Fuzzy Hash: f80557296649daadfd65860eaee88bbeca3f082653f7c0ad6b9c84d65b116224
Instruction Fuzzy Hash: F901A4B5240309FFE610EBA5DC8DF6B7BACEB89711F408521FB05DB2A1DA7498118B20

Function 00A79B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00A79BA4, 00A79EC8
Not an Object type, xrefs: 00A79B7B

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 016965eeba0fab1a5c523f417ba42c117fe3261ff1b5d5f84933d9c447406a43
Instruction ID: 3bff5eb5cb487aca188824badb9a4c5405070bb1b644114c2140d71546443dac
Opcode Fuzzy Hash: 016965eeba0fab1a5c523f417ba42c117fe3261ff1b5d5f84933d9c447406a43
Instruction Fuzzy Hash: 01C16171A0021AAFDF10DF98DD85AAFB7F5FB48314F14C46AE909AB281E7709D45CB90

Function 00A79113 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A79167
VariantInit.OLEAUT32(?), ref: 00A79238
VariantInit.OLEAUT32(?), ref: 00A79339
VariantClear.OLEAUT32(?), ref: 00A79343
VariantClear.OLEAUT32(?), ref: 00A793A0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00A7931C
Null Object assignment in FOR..IN loop, xrefs: 00A791C8, 00A792F6, 00A793AE

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 5382b4903fe51358c511db19b7031c703f8d4411dcef7dea77d90e2c6081e5bc
Instruction ID: 7ecbb5e7ecdd6d96d424e25d015f366d3dc0da08a8c58cf521d2767d7d5cd411
Opcode Fuzzy Hash: 5382b4903fe51358c511db19b7031c703f8d4411dcef7dea77d90e2c6081e5bc
Instruction Fuzzy Hash: C7916871A00219ABDF24DFA5CC48FAFBBB8EF45710F10C55AF919AB281D7709945CBA0

Function 00A7975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00A5710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A57044,80070057,?,?,?,00A57455), ref: 00A57127
Part of subcall function 00A5710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A57044,80070057,?,?), ref: 00A57142
Part of subcall function 00A5710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A57044,80070057,?,?), ref: 00A57150
Part of subcall function 00A5710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A57044,80070057,?), ref: 00A57160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00A79806
_memset.LIBCMT ref: 00A79813
_memset.LIBCMT ref: 00A79956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00A79982
CoTaskMemFree.OLE32(?), ref: 00A7998D

Strings

NULL Pointer assignment, xrefs: 00A799DB

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 63255d9cce5c8647ae5dfc0fcf78dbb4963f622eeac23cbe9d8d9171afb80eb2
Instruction ID: ee8982901775fda794f00839b942200e1131a54d1ced31bdf51431cafc6fceaa
Opcode Fuzzy Hash: 63255d9cce5c8647ae5dfc0fcf78dbb4963f622eeac23cbe9d8d9171afb80eb2
Instruction Fuzzy Hash: FF912771D00229ABDB10DFA4DD41EDEBBB9AF08350F10816AF519A7291EB719A44CFA0

Function 00A86D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00A86E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 00A86E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00A86E52
_wcscat.LIBCMT ref: 00A86EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 00A86EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00A86EF2

Strings

SysListView32, xrefs: 00A86DF6

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: c719c904601cb011d5f431eee654f1b85823b64d31b95958b1ce1237f98d6d2c
Instruction ID: 5ef511805aa48a79a01b7919771c45eaf2f92193ebfbbcc8bc365ef6aecf1682
Opcode Fuzzy Hash: c719c904601cb011d5f431eee654f1b85823b64d31b95958b1ce1237f98d6d2c
Instruction Fuzzy Hash: 8141A171A00349AFEB21EFA4CC85BEE77B8EF08350F10092AF584E7291D6719D858B60

Function 00A7E933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00A63C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00A63C7A
Part of subcall function 00A63C55: Process32FirstW.KERNEL32(00000000,?), ref: 00A63C88
Part of subcall function 00A63C55: CloseHandle.KERNEL32(00000000), ref: 00A63D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A7E9A4
GetLastError.KERNEL32 ref: 00A7E9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A7E9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 00A7EA63
GetLastError.KERNEL32(00000000), ref: 00A7EA6E
CloseHandle.KERNEL32(00000000), ref: 00A7EAA3

Strings

SeDebugPrivilege, xrefs: 00A7E9C2

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 3ce972839fedf48cf78fa4f3ae59a61855d9d17c7cdb29d6f26868ed89d47a7a
Instruction ID: 889a8167432797ff23c0d3c198ac9a2e1fe1ba32621331c58522a6cd502c6953
Opcode Fuzzy Hash: 3ce972839fedf48cf78fa4f3ae59a61855d9d17c7cdb29d6f26868ed89d47a7a
Instruction Fuzzy Hash: 7E41A9712002019FDB10EF64DD95F6EB7A5BF88355F04C458F9069B2C2DB74A849CB91

Function 00A62F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00A63033

Strings

blank, xrefs: 00A62FB5
stop, xrefs: 00A63004
question, xrefs: 00A62FEC
warning, xrefs: 00A6301C
info, xrefs: 00A62FD4

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 0f3adb24ac58a9614eb34a018a12133e430f6926613c81247b8cb9cc2f6ba94c
Instruction ID: c90acb2f6f0dae99b16e61470861f7992bc8fbb1d8d148665bf7e3ed08e515a6
Opcode Fuzzy Hash: 0f3adb24ac58a9614eb34a018a12133e430f6926613c81247b8cb9cc2f6ba94c
Instruction Fuzzy Hash: D9112B32348347BEEB249B5CDC42DAF7BBCDF15320B21002AFA0066182DB745F4557A0

Function 00A642F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00A64312
LoadStringW.USER32(00000000), ref: 00A64319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00A6432F
LoadStringW.USER32(00000000), ref: 00A64336
_wprintf.LIBCMT ref: 00A6435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00A6437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00A64357

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: a441ee3f7e8d571940925e6b8060974bb08aac3b954a96f299aa2549e165c0cb
Instruction ID: 88abf14db1b8ba27d626ebec64da1ac5f8797a1f7c5b6a1331b03bd03326186d
Opcode Fuzzy Hash: a441ee3f7e8d571940925e6b8060974bb08aac3b954a96f299aa2549e165c0cb
Instruction Fuzzy Hash: A1014FF6900209BFE711E7E4DD89EE6776CEB08300F0005B1B749E6051EA745E854B70

Function 00A8D43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A02612: GetWindowLongW.USER32(?,000000EB), ref: 00A02623

GetSystemMetrics.USER32(0000000F), ref: 00A8D47C
GetSystemMetrics.USER32(0000000F), ref: 00A8D49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00A8D6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00A8D6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00A8D716
ShowWindow.USER32(00000003,00000000), ref: 00A8D735
InvalidateRect.USER32(?,00000000,00000001), ref: 00A8D75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 00A8D77D

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 5531751ba970534d1ee207f9640c6c158bef89f8b331525bd8b05c0370f91709
Instruction ID: e456419c36fc2def0efcfc479dade678e20db6985621c503c3188863e03686ba
Opcode Fuzzy Hash: 5531751ba970534d1ee207f9640c6c158bef89f8b331525bd8b05c0370f91709
Instruction Fuzzy Hash: 0FB17B71A00219EFDF18DF68C985BAD7BB1BF04711F188179EC58AB295E734A990CB50

Function 00A02A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00A3C1C7,00000004,00000000,00000000,00000000), ref: 00A02ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00A3C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00A02B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00A3C1C7,00000004,00000000,00000000,00000000), ref: 00A3C21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00A3C1C7,00000004,00000000,00000000,00000000), ref: 00A3C286

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: b0cca81ff9ea1d6cfdac8e229ba1e7c4298373d91d0fc217f7db7c763585e77a
Instruction ID: 95e685bd26e1b311d72a0d45ee1180a0757eadd05fac999c6e30275e2e9bc908
Opcode Fuzzy Hash: b0cca81ff9ea1d6cfdac8e229ba1e7c4298373d91d0fc217f7db7c763585e77a
Instruction Fuzzy Hash: 94413B307047C89FDB359B78AC9CB6B7BA2BB85354F24881DF047925E0CA75A886D720

Function 00A670C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00A670DD

Part of subcall function 00A20DB6: std::exception::exception.LIBCMT ref: 00A20DEC
Part of subcall function 00A20DB6: __CxxThrowException@8.LIBCMT ref: 00A20E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00A67114
EnterCriticalSection.KERNEL32(?), ref: 00A67130
_memmove.LIBCMT ref: 00A6717E
_memmove.LIBCMT ref: 00A6719B
LeaveCriticalSection.KERNEL32(?), ref: 00A671AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00A671BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 00A671DE

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: b557691292936393891dd2fdaa9764f241021da654237fc131e2d91c58be454c
Instruction ID: abee2ea2a04d2e6d4399b3f80dc0e33e00507be7c9c4c4a99fcaf8281daa6f4d
Opcode Fuzzy Hash: b557691292936393891dd2fdaa9764f241021da654237fc131e2d91c58be454c
Instruction Fuzzy Hash: AA318D71900215EFDB00EFA8DD85EAEB779EF45710F1441B5E904AB256EB309E51CBA0

Function 00A861D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00A861EB
GetDC.USER32(00000000), ref: 00A861F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A861FE
ReleaseDC.USER32(00000000,00000000), ref: 00A8620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00A86246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00A86257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00A8902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00A86291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00A862B1

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 87a5d8e1718dabb4ce3e18fcede91f4b3ecf29eb5da0d77ee248e3d7b8a2fb20
Instruction ID: 1d732ee712d1e17824ed4ec49bb68c70757fed48cdd5ccf3be881dda448600cc
Opcode Fuzzy Hash: 87a5d8e1718dabb4ce3e18fcede91f4b3ecf29eb5da0d77ee248e3d7b8a2fb20
Instruction Fuzzy Hash: F0317C72201210BFEF119F50CC8AFEA3BA9EF49765F044165FE089A292D7759C52CB74

Function 00A5BBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00A5BBC4
_memcmp.LIBCMT ref: 00A5BBE6
_memcmp.LIBCMT ref: 00A5BBFE
_memcmp.LIBCMT ref: 00A5BC11
_memcmp.LIBCMT ref: 00A5BC2B
_memcmp.LIBCMT ref: 00A5BC3E
_memcmp.LIBCMT ref: 00A5BC56
_memcmp.LIBCMT ref: 00A5BC71

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 4b160ec226a94fda7963ba2090a64c4f6abe709e11b13a0663e291947951dee6
Instruction ID: 33d2c3b1d13ebbdbe05c019248efb87a1d5ac512260267a8688b74e210c15eba
Opcode Fuzzy Hash: 4b160ec226a94fda7963ba2090a64c4f6abe709e11b13a0663e291947951dee6
Instruction Fuzzy Hash: 8321B0B17112157BAA047715AE42FFB73ACBE2434BB054420FD089A647EB74DE1982B5

Function 00A6EB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00A09837: __itow.LIBCMT ref: 00A09862
Part of subcall function 00A09837: __swprintf.LIBCMT ref: 00A098AC

Part of subcall function 00A1FC86: _wcscpy.LIBCMT ref: 00A1FCA9

_wcstok.LIBCMT ref: 00A6EC94
_wcscpy.LIBCMT ref: 00A6ED23
_memset.LIBCMT ref: 00A6ED56

Strings

X, xrefs: 00A6ED93

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 7c1c2e0654877a5cf6d124ca34399266aa2222c9cfc80e51bbb08e05bcb9e481
Instruction ID: 16aeb9cc958dce3a91cae00e00b6e7fb434c9e0364aea3da2a2a1a30b4c38445
Opcode Fuzzy Hash: 7c1c2e0654877a5cf6d124ca34399266aa2222c9cfc80e51bbb08e05bcb9e481
Instruction Fuzzy Hash: 65C15C759083059FC754EF68D981A6AB7F4FF85310F00892DF8999B2A2DB30EC45CB82

Function 00A76B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00A76C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00A76C21
WSAGetLastError.WSOCK32(00000000), ref: 00A76C34
htons.WSOCK32(?,?,?,00000000,?), ref: 00A76CEA
inet_ntoa.WSOCK32(?), ref: 00A76CA7

Part of subcall function 00A5A7E9: _strlen.LIBCMT ref: 00A5A7F3
Part of subcall function 00A5A7E9: _memmove.LIBCMT ref: 00A5A815

_strlen.LIBCMT ref: 00A76D44
_memmove.LIBCMT ref: 00A76DAD

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 133366fda6be3627758cdda329519c8101b8b3622cb4e0552c26134cc9f5523d
Instruction ID: 834ef2880a0ee332b8590d21f301f521ed92259b8f0fb631ffc205b89a850a09
Opcode Fuzzy Hash: 133366fda6be3627758cdda329519c8101b8b3622cb4e0552c26134cc9f5523d
Instruction Fuzzy Hash: C981F071204B04AFD720EF24DD82F6BB7A8AF85714F10CA18F9499B2D2DA70AD05CB91

Function 00A01424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bfab6285dabf8cec08c9381ab51cbadf1211166db976c636289f7ae59ceccf6
Instruction ID: 6f2f6b2f425824562357cce3d661001ab7751b3f758b31e8d35c759380ea265d
Opcode Fuzzy Hash: 7bfab6285dabf8cec08c9381ab51cbadf1211166db976c636289f7ae59ceccf6
Instruction Fuzzy Hash: E0715A70900109EFCB04DF98DC89AFEBB79FF85314F248159F915AA2A1C735AA51CFA0

Function 00A8B351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00B74AE0), ref: 00A8B3EB
IsWindowEnabled.USER32(00B74AE0), ref: 00A8B3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00A8B4DB
SendMessageW.USER32(00B74AE0,000000B0,?,?), ref: 00A8B512
IsDlgButtonChecked.USER32(?,?), ref: 00A8B54F
GetWindowLongW.USER32(00B74AE0,000000EC), ref: 00A8B571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00A8B589

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 66bb39244fcd331c0c0ddb07ac0e57424f2732ae4ab17f4966f2a3946551a452
Instruction ID: 02e29a8862d26195c2d8ca62013a55e834080f1633ec65b93a27d8b229f95bd6
Opcode Fuzzy Hash: 66bb39244fcd331c0c0ddb07ac0e57424f2732ae4ab17f4966f2a3946551a452
Instruction Fuzzy Hash: E771B234A10704EFEB24EFA4C895FBA7BB5FF09300F144569F946972A2C731A991DB60

Function 00A7F41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A7F448
_memset.LIBCMT ref: 00A7F511
ShellExecuteExW.SHELL32(?), ref: 00A7F556

Part of subcall function 00A09837: __itow.LIBCMT ref: 00A09862
Part of subcall function 00A09837: __swprintf.LIBCMT ref: 00A098AC

Part of subcall function 00A1FC86: _wcscpy.LIBCMT ref: 00A1FCA9

GetProcessId.KERNEL32(00000000), ref: 00A7F5CD
CloseHandle.KERNEL32(00000000), ref: 00A7F5FC

Strings

@, xrefs: 00A7F525

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 521262356c6de440aa3ac8ab8bbab21ebe4b7625c3af7f78a04cfaab4b830e40
Instruction ID: dadb1d3df2059af2c5b04314af97cf157145e07b84cbe381af41e44e4bf92e90
Opcode Fuzzy Hash: 521262356c6de440aa3ac8ab8bbab21ebe4b7625c3af7f78a04cfaab4b830e40
Instruction Fuzzy Hash: 1E6180B5A00619DFCB14DFA4D9859AEBBF5FF49310F14C069E859AB391CB30AE41CB90

Function 00A60F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00A60F8C
GetKeyboardState.USER32(?), ref: 00A60FA1
SetKeyboardState.USER32(?), ref: 00A61002
PostMessageW.USER32(?,00000101,00000010,?), ref: 00A61030
PostMessageW.USER32(?,00000101,00000011,?), ref: 00A6104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00A61095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00A610B8

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: d7537a88d65c412f24c795e6970cd399b0c8ee0a192bf6a76e6c36dc5022d807
Instruction ID: 5a7f3f97aa5ec5e6859d7ad7fd86456345b3ea4db6b08def8d595590eb28e4f5
Opcode Fuzzy Hash: d7537a88d65c412f24c795e6970cd399b0c8ee0a192bf6a76e6c36dc5022d807
Instruction Fuzzy Hash: 8951E1A06047D63DFB3643348C15BBBBEB96B06304F0C8989E1D4868D2D2A9ECD9D751

Function 00A60D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00A60DA5
GetKeyboardState.USER32(?), ref: 00A60DBA
SetKeyboardState.USER32(?), ref: 00A60E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00A60E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00A60E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00A60EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00A60EC9

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 2f9e9cc204f23f39191577bf82c2f53409d244ed0ecb62d8161f8df32beefc17
Instruction ID: 988ac547c61e2b4bee939c9ed2cc66c45602f56ce77fb5320599877903ecc38b
Opcode Fuzzy Hash: 2f9e9cc204f23f39191577bf82c2f53409d244ed0ecb62d8161f8df32beefc17
Instruction Fuzzy Hash: 1151E1A05487E57DFB3683748C55FBBBFB9AB06300F088989E1D4468C2D396ACD9D760

Function 00A655FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00A6560A
_wcsncpy.LIBCMT ref: 00A6563F
_wcsncpy.LIBCMT ref: 00A65671
_wcsncpy.LIBCMT ref: 00A656A4
_wcsncpy.LIBCMT ref: 00A656E6
_wcsncpy.LIBCMT ref: 00A65720
_wcsncpy.LIBCMT ref: 00A6574F

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 361792a7c7bff3e17004e80817e6aaea8c5abc1469a71cde38054c6feb41482b
Instruction ID: 5b45d5e984332dfaa04df28a1724bfe1e42b91cee9b4d9f65f6421addc6b438a
Opcode Fuzzy Hash: 361792a7c7bff3e17004e80817e6aaea8c5abc1469a71cde38054c6feb41482b
Instruction Fuzzy Hash: 33416566C1062476CB11EBB8DC46ACFB7B89F05310F508966F518E3221FB34A695C7A6

Function 00A63671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00A6466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00A63697,?), ref: 00A6468B

Part of subcall function 00A6466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00A63697,?), ref: 00A646A4

lstrcmpiW.KERNEL32(?,?), ref: 00A636B7
_wcscmp.LIBCMT ref: 00A636D3
MoveFileW.KERNEL32(?,?), ref: 00A636EB
_wcscat.LIBCMT ref: 00A63733
SHFileOperationW.SHELL32(?), ref: 00A6379F

Strings

\*.*, xrefs: 00A6372D

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 21b33fd7c47995579d341ecc741a14abab1c5c32e64d759e94e282f5dfc7fdde
Instruction ID: ce4466fc1c4c1df2113e49bf10272e037d380e838dd43d15b260df4392fdfe1c
Opcode Fuzzy Hash: 21b33fd7c47995579d341ecc741a14abab1c5c32e64d759e94e282f5dfc7fdde
Instruction Fuzzy Hash: E0416172508345AECB52EF64D541ADFB7F8EF89380F40092EB49AC3251EA34D68AC752

Function 00A87291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A872AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A87351
IsMenu.USER32(?), ref: 00A87369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00A873B1
DrawMenuBar.USER32 ref: 00A873C4

Strings

0, xrefs: 00A8729E

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: e840d3edfd1fc9f9071e15ed4a089f9a38c2196c9a6574403b148d9e9d23036b
Instruction ID: 922d996967d50f9eb053eadf14d8face9f3b16545d90be454dfbb8df171d4c50
Opcode Fuzzy Hash: e840d3edfd1fc9f9071e15ed4a089f9a38c2196c9a6574403b148d9e9d23036b
Instruction Fuzzy Hash: 2B411675A04209AFDB20EFA0D884E9EBBB8FB05350F248529FD15AB260D730ED50EB51

Function 00A80FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00A80FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A80FFE
FreeLibrary.KERNEL32(00000000), ref: 00A810B5

Part of subcall function 00A80FA5: RegCloseKey.ADVAPI32(?), ref: 00A8101B
Part of subcall function 00A80FA5: FreeLibrary.KERNEL32(?), ref: 00A8106D
Part of subcall function 00A80FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00A81090

RegDeleteKeyW.ADVAPI32(?,?), ref: 00A81058

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 17b0d7c6dbf0e7dd1eb3ffd8020515128fc50abb8b2b3b91dee90250a0c5048e
Instruction ID: ee0f38b26d6fe511c46cd32db12e636e58d62c5c30d13bdc281c9028fe2d1800
Opcode Fuzzy Hash: 17b0d7c6dbf0e7dd1eb3ffd8020515128fc50abb8b2b3b91dee90250a0c5048e
Instruction Fuzzy Hash: E7310A71901109BFDB15EB90DC89EFFB7BCEF08300F10416AE501E2151EA749E8A9BA1

Function 00A862CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00A862EC
GetWindowLongW.USER32(00B74AE0,000000F0), ref: 00A8631F
GetWindowLongW.USER32(00B74AE0,000000F0), ref: 00A86354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00A86386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00A863B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00A863C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00A863DB

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 9fe4d60aedb8e856cc521689238b4a4dc256a70987c5f79f973aade2a71c9c44
Instruction ID: cc4f274cbe60bc988671042b2f89665b8d483b4a53591dc6ea7d17c25355c409
Opcode Fuzzy Hash: 9fe4d60aedb8e856cc521689238b4a4dc256a70987c5f79f973aade2a71c9c44
Instruction Fuzzy Hash: 993105306442519FEB21EFA8DC85F5537E1FB5A714F1901A4F501DF2B1CB71A881EB51

Function 00A5DAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A5DB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A5DB54
SysAllocString.OLEAUT32(00000000), ref: 00A5DB57
SysAllocString.OLEAUT32(?), ref: 00A5DB75
SysFreeString.OLEAUT32(?), ref: 00A5DB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 00A5DBA3
SysAllocString.OLEAUT32(?), ref: 00A5DBB1

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 9431e739cdfbb26c54e626f1e3b65033fa06c52b5406d538f80c82cb5eb34ffc
Instruction ID: 18e7e285bed2313be2b5440d122f799f846b738e9bfac39b4e9f8fa1bbad4308
Opcode Fuzzy Hash: 9431e739cdfbb26c54e626f1e3b65033fa06c52b5406d538f80c82cb5eb34ffc
Instruction Fuzzy Hash: DF219236600219AFEF20DFE8DC88CBB73ADFB09361B128526FD54DB251D6709C458760

Function 00A76173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A77D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00A77DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00A761C6
WSAGetLastError.WSOCK32(00000000), ref: 00A761D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00A7620E
connect.WSOCK32(00000000,?,00000010), ref: 00A76217
WSAGetLastError.WSOCK32 ref: 00A76221
closesocket.WSOCK32(00000000), ref: 00A7624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00A76263

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 1ad8914fb5112725fe557a91f4274836bca57f61d29bc47437b6064229bafe5a
Instruction ID: c4ef295d0008eb1e6013bf792021d790cb181d2fdbdc91c8c413e4fe80f7f65c
Opcode Fuzzy Hash: 1ad8914fb5112725fe557a91f4274836bca57f61d29bc47437b6064229bafe5a
Instruction Fuzzy Hash: D031A471600508AFDF10AF64DC85BBE7BACEB45710F04C069FD09A7292DB70AC458BA1

Function 00A5F65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00A5F671
__wcsnicmp.LIBCMT ref: 00A5F692
__wcsnicmp.LIBCMT ref: 00A5F6AC

Strings

#OnAutoItStartRegister, xrefs: 00A5F6A6
#requireadmin, xrefs: 00A5F68C
#notrayicon, xrefs: 00A5F669

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 2786ff849d48c855d4a1fc52e78251ed4bda9c4a24614b1f0b384e5606a040bb
Instruction ID: d60b0baef2df02c31a5177accd1902df56aa5a648e39a8dd0eacb9251361edcb
Opcode Fuzzy Hash: 2786ff849d48c855d4a1fc52e78251ed4bda9c4a24614b1f0b384e5606a040bb
Instruction Fuzzy Hash: AB2134722042617EDA20AB38AD02FA773E8FF59341F104439FD4686491EB70AD89D395

Function 00A5DBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A5DC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A5DC2F
SysAllocString.OLEAUT32(00000000), ref: 00A5DC32
SysAllocString.OLEAUT32 ref: 00A5DC53
SysFreeString.OLEAUT32 ref: 00A5DC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 00A5DC76
SysAllocString.OLEAUT32(?), ref: 00A5DC84

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 7bd13198b6453784599ad6204510cb20114128024850d8117ba0e8c0bf217577
Instruction ID: 7d3306ed456d736c13c922bb6127132cc4eb57ea05c224b0d4af375994f1e360
Opcode Fuzzy Hash: 7bd13198b6453784599ad6204510cb20114128024850d8117ba0e8c0bf217577
Instruction Fuzzy Hash: 41215E35604205AF9B20DBF8DC88DAA77ACFB08361B108126FD14DB261DAB09C45C764

Function 00A875CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A01D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A01D73
Part of subcall function 00A01D35: GetStockObject.GDI32(00000011), ref: 00A01D87
Part of subcall function 00A01D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A01D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00A87632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00A8763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00A8764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00A87659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00A87665

Strings

Msctls_Progress32, xrefs: 00A87603

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 2b499fc5e07f733e00566aae10180ab473e32ffb7ea68841d06b0ca8b15afcb2
Instruction ID: e2fe0d3fc815a06c4e7f4da104a7b76ae779b47c74874ef57fe447363db6602e
Opcode Fuzzy Hash: 2b499fc5e07f733e00566aae10180ab473e32ffb7ea68841d06b0ca8b15afcb2
Instruction Fuzzy Hash: F811B6B1110119BFEF159F64CC85EEB7F6DEF08798F114125B604A20A0D772DC21DBA4

Function 00A29AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00A29AE6

Part of subcall function 00A23187: EncodePointer.KERNEL32(00000000), ref: 00A2318A
Part of subcall function 00A23187: __initp_misc_winsig.LIBCMT ref: 00A231A5
Part of subcall function 00A23187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00A29EA0
Part of subcall function 00A23187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00A29EB4
Part of subcall function 00A23187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00A29EC7
Part of subcall function 00A23187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00A29EDA
Part of subcall function 00A23187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00A29EED
Part of subcall function 00A23187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00A29F00
Part of subcall function 00A23187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00A29F13
Part of subcall function 00A23187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00A29F26
Part of subcall function 00A23187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00A29F39
Part of subcall function 00A23187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00A29F4C
Part of subcall function 00A23187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00A29F5F
Part of subcall function 00A23187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00A29F72
Part of subcall function 00A23187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00A29F85
Part of subcall function 00A23187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00A29F98
Part of subcall function 00A23187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00A29FAB
Part of subcall function 00A23187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00A29FBE

__mtinitlocks.LIBCMT ref: 00A29AEB
__mtterm.LIBCMT ref: 00A29AF4

Part of subcall function 00A29B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00A29AF9,00A27CD0,00ABA0B8,00000014), ref: 00A29C56
Part of subcall function 00A29B5C: _free.LIBCMT ref: 00A29C5D
Part of subcall function 00A29B5C: DeleteCriticalSection.KERNEL32(00ABEC00,?,?,00A29AF9,00A27CD0,00ABA0B8,00000014), ref: 00A29C7F

__calloc_crt.LIBCMT ref: 00A29B19
__initptd.LIBCMT ref: 00A29B3B
GetCurrentThreadId.KERNEL32 ref: 00A29B42

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 1e6f5933e3f7686ff0e294c18731a638f914ffb70bea7c63158daab30ab64a0d
Instruction ID: a2617c835adb0719d60eb6c56d8adae65dde54ab4285ef259878c2152a554292
Opcode Fuzzy Hash: 1e6f5933e3f7686ff0e294c18731a638f914ffb70bea7c63158daab30ab64a0d
Instruction Fuzzy Hash: BBF0903251A7316AFA34B7BCBD0768B6694EF02F70F200A39F464D51D2EF61844245A4

Function 00A2406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00A23F85), ref: 00A24085
GetProcAddress.KERNEL32(00000000), ref: 00A2408C
EncodePointer.KERNEL32(00000000), ref: 00A24097
DecodePointer.KERNEL32(00A23F85), ref: 00A240B2

Strings

combase.dll, xrefs: 00A24080
RoUninitialize, xrefs: 00A24074

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: b095bf4ea913eb5c40a847c0e894ed1fb3606f5111aca7dd30735049d06e245f
Instruction ID: be35329c5805487f277eb2a05ebb36c80e1deb2378f6dfbd9a1cec9e341938d3
Opcode Fuzzy Hash: b095bf4ea913eb5c40a847c0e894ed1fb3606f5111aca7dd30735049d06e245f
Instruction Fuzzy Hash: C2E0B671685311EFEF10EFE2ED0DF853AA5BB04742F158625F621E50A0CBBA4642DB14

Function 00A01DB3 Relevance: 9.3, APIs: 6, Instructions: 254COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00A01DDC
GetWindowRect.USER32(?,?), ref: 00A01E1D
ScreenToClient.USER32(?,?), ref: 00A01E45
GetClientRect.USER32(?,?), ref: 00A01F74
GetWindowRect.USER32(?,?), ref: 00A01F8D

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 1945b6444c134954a365ef4a0d1c5f928d8304cf7cc82655c5c8d2b2e1c84b6a
Instruction ID: be0de2e5c37c131c407347c3398267002672936894ba9f553af7e3997c7177a4
Opcode Fuzzy Hash: 1945b6444c134954a365ef4a0d1c5f928d8304cf7cc82655c5c8d2b2e1c84b6a
Instruction Fuzzy Hash: A8B13C79A0024ADBDF10CFA8C5847EEB7B1FF08314F14956AED59DB294DB30A950CB64

Function 00A664B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A6660B
_memmove.LIBCMT ref: 00A66546

Part of subcall function 00A09837: __itow.LIBCMT ref: 00A09862
Part of subcall function 00A09837: __swprintf.LIBCMT ref: 00A098AC

_memmove.LIBCMT ref: 00A665B9
_memmove.LIBCMT ref: 00A666A0
_memmove.LIBCMT ref: 00A666B9
_memmove.LIBCMT ref: 00A666D5

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 01f6861b9c9f464f3e444165d26c031541feffe0c99e54a007fe9ecc55138285
Instruction ID: 0a1bed82d289a3d17eee400d3544fd92582dc9f75c4e9ac379e49da5ddbea62a
Opcode Fuzzy Hash: 01f6861b9c9f464f3e444165d26c031541feffe0c99e54a007fe9ecc55138285
Instruction Fuzzy Hash: 67617C7090025A9BCF05EF64EE82EFE37B9AF05308F058529FD566B293DB34A945CB50

Function 00A801E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A07DE1: _memmove.LIBCMT ref: 00A07E22

Part of subcall function 00A80E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A7FDAD,?,?), ref: 00A80E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A802BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A802FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00A80320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00A80349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00A8038C
RegCloseKey.ADVAPI32(00000000), ref: 00A80399

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 40de75a9cf108d60f7dce12e3708230e69373d07152f7e8f933c02eba8022dbd
Instruction ID: fd0f6aa5c6f6e013567826bb98063f33835df8d9a48a9b3817c3c161e3af8c25
Opcode Fuzzy Hash: 40de75a9cf108d60f7dce12e3708230e69373d07152f7e8f933c02eba8022dbd
Instruction Fuzzy Hash: BF514931508204AFCB10EF64D985EAFBBE9FF85314F04491DF5958B2A2EB31E909CB52

Function 00A85799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00A857FB
GetMenuItemCount.USER32(00000000), ref: 00A85832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00A8585A
GetMenuItemID.USER32(?,?), ref: 00A858C9
GetSubMenu.USER32(?,?), ref: 00A858D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 00A85928

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 00dc58d3f423098c86f2ec269972c6c2492fcbd1f940eb2dc37ed61ee9533bf4
Instruction ID: 8449ad29a9e488bf46d908dad9ff2732f44a6a86669a6e496935d4a23dad3ad1
Opcode Fuzzy Hash: 00dc58d3f423098c86f2ec269972c6c2492fcbd1f940eb2dc37ed61ee9533bf4
Instruction Fuzzy Hash: 20516E35E00615EFCF11EFA4D945AAEB7B5EF48310F104066EC41BB351DB34AE419B90

Function 00A5EEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A5EF06
VariantClear.OLEAUT32(00000013), ref: 00A5EF78
VariantClear.OLEAUT32(00000000), ref: 00A5EFD3
_memmove.LIBCMT ref: 00A5EFFD
VariantClear.OLEAUT32(?), ref: 00A5F04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00A5F078

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 25bbb3be7c5046b7d7de47cbee00961107c877878bb330e60361e6e3f8290de0
Instruction ID: 931c6adafd47d5e6bf2b1304dbc0e4a2f703f01e31092df5c311a2bf385c717e
Opcode Fuzzy Hash: 25bbb3be7c5046b7d7de47cbee00961107c877878bb330e60361e6e3f8290de0
Instruction Fuzzy Hash: 4F5166B5A00209EFCB14CF58C884AAAB7B8FF4C314B15856AED59DB341E734E915CFA0

Function 00A6220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A62258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A622A3
IsMenu.USER32(00000000), ref: 00A622C3
CreatePopupMenu.USER32 ref: 00A622F7
GetMenuItemCount.USER32(000000FF), ref: 00A62355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00A62386

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 90e4ae234ab231924f4b64d106c30989802d34533de95d10b1ff88a7cc7243b4
Instruction ID: a0dad188e8f7f38946e8fd4f6674d5fa6589b93196808d62e3d4c6576f02cf3d
Opcode Fuzzy Hash: 90e4ae234ab231924f4b64d106c30989802d34533de95d10b1ff88a7cc7243b4
Instruction Fuzzy Hash: CB51BB70A00A4AEFDF25CF68C988BAEBBF5FF05314F104129E811AB290E3748944CB51

Function 00A01765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00A02612: GetWindowLongW.USER32(?,000000EB), ref: 00A02623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00A0179A
GetWindowRect.USER32(?,?), ref: 00A017FE
ScreenToClient.USER32(?,?), ref: 00A0181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00A0182C
EndPaint.USER32(?,?), ref: 00A01876

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 0ff72616d3c9876727f74abf895c2f7bc08d7c3049ac39c92a092fab5b24ac27
Instruction ID: 156f14cd2a0a633dabde8aa8eea3ad20738b0cf888210e1c89062eb6f8749b93
Opcode Fuzzy Hash: 0ff72616d3c9876727f74abf895c2f7bc08d7c3049ac39c92a092fab5b24ac27
Instruction Fuzzy Hash: E341AD30500705AFD710DF64DC84FBA7BF8EB49724F044629FAA48B2E1D730A94ADB62

Function 00A8B69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00AC57B0,00000000,00B74AE0,?,?,00AC57B0,?,00A8B5A8,?,?), ref: 00A8B712
EnableWindow.USER32(00000000,00000000), ref: 00A8B736
ShowWindow.USER32(00AC57B0,00000000,00B74AE0,?,?,00AC57B0,?,00A8B5A8,?,?), ref: 00A8B796
ShowWindow.USER32(00000000,00000004,?,00A8B5A8,?,?), ref: 00A8B7A8
EnableWindow.USER32(00000000,00000001), ref: 00A8B7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00A8B7EF

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 7146519c7fd9a4a0e332a455327782abc4c930d4980fb7ac339f6e1c53e617cc
Instruction ID: bcbe5a5668ab713524636cfd5c73268e75d06f646c41421d30d4b96f486ba3dd
Opcode Fuzzy Hash: 7146519c7fd9a4a0e332a455327782abc4c930d4980fb7ac339f6e1c53e617cc
Instruction Fuzzy Hash: 80418F34602341AFDB22EF24C499B957FE1FF49310F5841B9F9489F6A2C731A856CB60

Function 00A7709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00A74E41,?,?,00000000,00000001), ref: 00A770AC

Part of subcall function 00A739A0: GetWindowRect.USER32(?,?), ref: 00A739B3

GetDesktopWindow.USER32 ref: 00A770D6
GetWindowRect.USER32(00000000), ref: 00A770DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00A7710F

Part of subcall function 00A65244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00A652BC

GetCursorPos.USER32(?), ref: 00A7713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00A77199

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: aafb60ed35602272de26514e354dae50124543867ff68194db734fdb03b73e8c
Instruction ID: 0ee47d6d96f06bdb826e25664dce606240e0216690bcec76bf39f149351843df
Opcode Fuzzy Hash: aafb60ed35602272de26514e354dae50124543867ff68194db734fdb03b73e8c
Instruction Fuzzy Hash: D331C372505306AFD720DF64DC49A9FB7A9FF88314F004A29F58997191DB30EA05CB92

Function 00A58879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A580A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00A580C0
Part of subcall function 00A580A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00A580CA
Part of subcall function 00A580A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00A580D9
Part of subcall function 00A580A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00A580E0
Part of subcall function 00A580A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00A580F6

GetLengthSid.ADVAPI32(?,00000000,00A5842F), ref: 00A588CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00A588D6
HeapAlloc.KERNEL32(00000000), ref: 00A588DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 00A588F6
GetProcessHeap.KERNEL32(00000000,00000000,00A5842F), ref: 00A5890A
HeapFree.KERNEL32(00000000), ref: 00A58911

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 78ec00018f9b096689cff1eb70c5c375103434a563f476f055c305d6d52fec5b
Instruction ID: 151fa2a0b8108b734bfc460ab9b2a856df5d52fe44034b7d9ec4ed0164ece627
Opcode Fuzzy Hash: 78ec00018f9b096689cff1eb70c5c375103434a563f476f055c305d6d52fec5b
Instruction Fuzzy Hash: 3E11AF31501209FFDB10DFE4DC09BBEB778FB44316F104128E845A7210DB3AA919DB60

Function 00A585B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00A585E2
OpenProcessToken.ADVAPI32(00000000), ref: 00A585E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00A585F8
CloseHandle.KERNEL32(00000004), ref: 00A58603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00A58632
DestroyEnvironmentBlock.USERENV(00000000), ref: 00A58646

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 37f413bf5e257567cdcd7b970e432301dec7bb779a23eb5b55ff4bee88ea57d8
Instruction ID: f3bc62d3590abacd8c0c026356b95822b30ad9cb8a5beb74632a634bdc8d24d9
Opcode Fuzzy Hash: 37f413bf5e257567cdcd7b970e432301dec7bb779a23eb5b55ff4bee88ea57d8
Instruction Fuzzy Hash: 9011597250124AAFDF01CFA4ED49BEE7BA9FF08305F144064FE04A2160D7768E65EB60

Function 00A5B790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00A5B7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 00A5B7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A5B7CD
ReleaseDC.USER32(00000000,00000000), ref: 00A5B7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00A5B7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 00A5B7FE

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 332141c2926e9a0e6ad2f938f73417639dd391999e7c2b6c8963cc96bde8a2cf
Instruction ID: 00fba6698e066a3a1590d5479cb57a7a521766e23317afe91af533ab8b71fc60
Opcode Fuzzy Hash: 332141c2926e9a0e6ad2f938f73417639dd391999e7c2b6c8963cc96bde8a2cf
Instruction Fuzzy Hash: 23018475E00209BFEF109BE69D49A5EBFB8EB48312F004175FE04A7291D6309C11CFA0

Function 00A20162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00A20193
MapVirtualKeyW.USER32(00000010,00000000), ref: 00A2019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00A201A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00A201B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00A201B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A201C1

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: ff883d040a5fa2806003882158101a4625f64463f21d5ae519240e43555a2066
Instruction ID: ddbfd63445d74f59e6cf7224e01a5f1b7faa2f6708cd823b8d1136530b66c8f9
Opcode Fuzzy Hash: ff883d040a5fa2806003882158101a4625f64463f21d5ae519240e43555a2066
Instruction Fuzzy Hash: D7016CB090175A7DE3008F5A8C85B52FFA8FF19354F00411BA15C87941C7F5A864CBE5

Function 00A653E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00A653F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00A6540F
GetWindowThreadProcessId.USER32(?,?), ref: 00A6541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A6542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A65437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A6543E

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 3c920697bb9e8c6aa521461ddf6ce2f21e4e78e72d8f20bcd3c97988409ab208
Instruction ID: 4a2474a2bdea3987286a6d299e0105840de1ecb0a6909dd14cca0415857aca6b
Opcode Fuzzy Hash: 3c920697bb9e8c6aa521461ddf6ce2f21e4e78e72d8f20bcd3c97988409ab208
Instruction Fuzzy Hash: C2F06231240159BFD3209BE29C0DEAB7A7CEFC6B11F000279FA04D1050E6A41A0287B5

Function 00A67230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00A67243
EnterCriticalSection.KERNEL32(?,?,00A10EE4,?,?), ref: 00A67254
TerminateThread.KERNEL32(00000000,000001F6,?,00A10EE4,?,?), ref: 00A67261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00A10EE4,?,?), ref: 00A6726E

Part of subcall function 00A66C35: CloseHandle.KERNEL32(00000000,?,00A6727B,?,00A10EE4,?,?), ref: 00A66C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 00A67281
LeaveCriticalSection.KERNEL32(?,?,00A10EE4,?,?), ref: 00A67288

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: d2fa659e501fbc51c04d302f24a9795d95cc7a1cae2cc9ede51bd6b44d6701c9
Instruction ID: da30938aeaa9a39feeb8d676012d1853a70094fe3826ca80ef0e7815c211a7f0
Opcode Fuzzy Hash: d2fa659e501fbc51c04d302f24a9795d95cc7a1cae2cc9ede51bd6b44d6701c9
Instruction Fuzzy Hash: 75F08276540613EFD7115BA4ED4C9DF7739FF45702B100631F603A10A0EB7A5812CB50

Function 00A58992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00A5899D
UnloadUserProfile.USERENV(?,?), ref: 00A589A9
CloseHandle.KERNEL32(?), ref: 00A589B2
CloseHandle.KERNEL32(?), ref: 00A589BA
GetProcessHeap.KERNEL32(00000000,?), ref: 00A589C3
HeapFree.KERNEL32(00000000), ref: 00A589CA

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: cfd790ac15d675f40321c961b382cc60cef92a08bc2e1e0f33bc78045b030102
Instruction ID: e25650ebfe12a7133cfcbe9080a8cfa6bb7dfd46aab6f2115f1796290891127a
Opcode Fuzzy Hash: cfd790ac15d675f40321c961b382cc60cef92a08bc2e1e0f33bc78045b030102
Instruction Fuzzy Hash: A3E05276104506FFDA019FE5EC0C95ABB69FB89762B508631F329C5474CB329462DB50

Function 00A785ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A78613
CharUpperBuffW.USER32(?,?), ref: 00A78722
VariantClear.OLEAUT32(?), ref: 00A7889A

Part of subcall function 00A67562: VariantInit.OLEAUT32(00000000), ref: 00A675A2
Part of subcall function 00A67562: VariantCopy.OLEAUT32(00000000,?), ref: 00A675AB
Part of subcall function 00A67562: VariantClear.OLEAUT32(00000000), ref: 00A675B7

Strings

AUTOIT.ERROR, xrefs: 00A78728
Incorrect Parameter format, xrefs: 00A7864B, 00A7880D

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 26aa5bac21db59228a4721b48c083e353a5577f27b491e63abe4a905c0e5d560
Instruction ID: 66b6d2ca20eb979c7a6b31eb132caf119f43d723d02c30881d0faf90344211f2
Opcode Fuzzy Hash: 26aa5bac21db59228a4721b48c083e353a5577f27b491e63abe4a905c0e5d560
Instruction Fuzzy Hash: 89915B716043059FC710DF24C98495BB7E4EF89754F14C96EF88A8B3A2DB34E905CB52

Function 00A62A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A1FC86: _wcscpy.LIBCMT ref: 00A1FCA9

_memset.LIBCMT ref: 00A62B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A62BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A62C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00A62C97

Strings

0, xrefs: 00A62B73

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 5e8d03a083a0081f9961925c7c600c6370904a20044ae5e1a11e2d4a673b7274
Instruction ID: 33413c54ea7535929a95353a085e42b5fa9693b0ea4b5a08365599ce6c4fa89d
Opcode Fuzzy Hash: 5e8d03a083a0081f9961925c7c600c6370904a20044ae5e1a11e2d4a673b7274
Instruction Fuzzy Hash: 6351CA71608B019ED7249F28D845B6FBBF8EF99350F040A2DF895D6291DB70DC449B92

Function 00A5D56C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00A5D5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00A5D60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00A5D61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00A5D69D

Strings

DllGetClassObject, xrefs: 00A5D610

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: a873cce329c35397bd95b595a32a955106010b5e03131ed24c9c23a169e736d5
Instruction ID: d76fe9b4e1e14d6c582c157d7a892379bc7e7a95ee86446302511c24d42d4d87
Opcode Fuzzy Hash: a873cce329c35397bd95b595a32a955106010b5e03131ed24c9c23a169e736d5
Instruction Fuzzy Hash: DF41AEB1600204EFDF24DF64C884A9A7BB9FF48312F1581A9ED09DF205D7B0D949CBA0

Function 00A62753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A627C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00A627DC
DeleteMenu.USER32(?,00000007,00000000), ref: 00A62822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00AC5890,00000000), ref: 00A6286B

Strings

0, xrefs: 00A627B5

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: dfefd0c71843d81093896ba5e6c83b280faec5b022a9cd71e97a02eaa3bd470f
Instruction ID: 5b59352a8c95504200c0ce959e1a549f8ab5e3b161ae2bc390e53d7cf1cfa707
Opcode Fuzzy Hash: dfefd0c71843d81093896ba5e6c83b280faec5b022a9cd71e97a02eaa3bd470f
Instruction Fuzzy Hash: 4941AD706047019FD724DF28CC84B6ABBF8EF85314F144A2DF9A59B2D1DB30A805CB62

Function 00A7D7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00A7D7C5

Part of subcall function 00A0784B: _memmove.LIBCMT ref: 00A07899

Strings

stdcall, xrefs: 00A7D847
winapi, xrefs: 00A7D836
cdecl, xrefs: 00A7D81C
none, xrefs: 00A7D8A0

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 3b49035e8a93e85abb583cab234ad35d352190feb5b71fca1e522f823a43521c
Instruction ID: 472a28dddea0fd066d02f009029f8eb807963045ef505e78282b81335b1c3a30
Opcode Fuzzy Hash: 3b49035e8a93e85abb583cab234ad35d352190feb5b71fca1e522f823a43521c
Instruction Fuzzy Hash: 94316E71904619AFCF00EF68DD919EEB3B5FF04320B10C629E869976D2DB71A905CB80

Function 00A58E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A07DE1: _memmove.LIBCMT ref: 00A07E22

Part of subcall function 00A5AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00A5AABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00A58F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00A58F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 00A58F57

Part of subcall function 00A07BCC: _memmove.LIBCMT ref: 00A07C06

Strings

ComboBox, xrefs: 00A58E9E
ListBox, xrefs: 00A58ED3

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: cc2e2f7e1adcd50895a474b5af9dd57a524c70af58e2f209f423f56e74c1b532
Instruction ID: 7eb36e034fa915415e822fad14b67e3e957b85b69fd6063d3a82467ff8e27797
Opcode Fuzzy Hash: cc2e2f7e1adcd50895a474b5af9dd57a524c70af58e2f209f423f56e74c1b532
Instruction Fuzzy Hash: 88210171A00108BEDB14ABB0DC86CFFB779EF09360B104629F825A71E1DF39584E9A20

Function 00A7182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00A7184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00A71872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00A718A2
InternetCloseHandle.WININET(00000000), ref: 00A718E9

Part of subcall function 00A72483: GetLastError.KERNEL32(?,?,00A71817,00000000,00000000,00000001), ref: 00A72498
Part of subcall function 00A72483: SetEvent.KERNEL32(?,?,00A71817,00000000,00000000,00000001), ref: 00A724AD

Strings

, xrefs: 00A71893

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: bdb33f3a92634abc43a4870771c5b8b63f7c775abe3b608401c52931ba35c020
Instruction ID: 7ee097ea223410fdc212ee77be9606ab75df0678d09071f1a6080afce0c06c85
Opcode Fuzzy Hash: bdb33f3a92634abc43a4870771c5b8b63f7c775abe3b608401c52931ba35c020
Instruction Fuzzy Hash: 522180B1600208BFEB119F68DC85FBB77EDEB48744F10C12AF54996140DA249D0557A1

Function 00A863E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A01D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A01D73
Part of subcall function 00A01D35: GetStockObject.GDI32(00000011), ref: 00A01D87
Part of subcall function 00A01D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A01D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00A86461
LoadLibraryW.KERNEL32(?), ref: 00A86468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00A8647D
DestroyWindow.USER32(?), ref: 00A86485

Strings

SysAnimate32, xrefs: 00A8643C

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: ab0c1e7611f09af2f53b4ad21d4445dfac664e53acff73e069f18b41618a3f71
Instruction ID: d48e58b7057d0c9f76870302e62a38e8b9a7ea3c276490d5404bda7e1e0f6006
Opcode Fuzzy Hash: ab0c1e7611f09af2f53b4ad21d4445dfac664e53acff73e069f18b41618a3f71
Instruction Fuzzy Hash: 94219D71210205BFFF10AFA4DD80EBF37ADEB58324F208629FA20961A0D731DC919760

Function 00A66D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00A66DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00A66DEF
GetStdHandle.KERNEL32(0000000C), ref: 00A66E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00A66E3B

Strings

nul, xrefs: 00A66E36

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 2b7b97ccf11e34724124e7ab4d1ddf0eef9c926f72d152d9e7b362c20dab0927
Instruction ID: 3c44b09c5c93f8555ff6877828b68196073eeb4e15d826d5aecdd5ef4af6f650
Opcode Fuzzy Hash: 2b7b97ccf11e34724124e7ab4d1ddf0eef9c926f72d152d9e7b362c20dab0927
Instruction Fuzzy Hash: 1C21AF7460060AEFDB209F69DC05A9A7BF8FF44720F204A29FDA0D72D0EB719951CB50

Function 00A66E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00A66E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00A66EBB
GetStdHandle.KERNEL32(000000F6), ref: 00A66ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00A66F06

Strings

nul, xrefs: 00A66F01

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: be6a96d74dde937501e33ea9266acf81ae14c6decb7b0db15609fcb6b9760c48
Instruction ID: e99026c52debc4d32ed42d6e411acd2abc5abbdf4eb6ad17d9998aaefee6fff3
Opcode Fuzzy Hash: be6a96d74dde937501e33ea9266acf81ae14c6decb7b0db15609fcb6b9760c48
Instruction Fuzzy Hash: 29217F79600706AFDB209F69DC44AAA77B8EF55720F200B19FDA1D72D0EB71A851CB50

Function 00A6AC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A6AC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00A6ACA8
__swprintf.LIBCMT ref: 00A6ACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,00A8F910), ref: 00A6ACFF

Strings

%lu, xrefs: 00A6ACBB

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 2550262d2af7b0da9d79c8fb72e7bcae903b0bb7514a958512e2ea7b91d7a14c
Instruction ID: e66fa66a4d2f1b3ba0fcef1550fb1ffbd52949771a909b3e945f1b6f5f49428e
Opcode Fuzzy Hash: 2550262d2af7b0da9d79c8fb72e7bcae903b0bb7514a958512e2ea7b91d7a14c
Instruction Fuzzy Hash: B8217431A00109AFCB10DFA4DA45DEF77B8FF49714B004469F905AB252DA31EA51CB61

Function 00A61AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00A61B19

Strings

KEYS, xrefs: 00A61B30
APPEND, xrefs: 00A61B52
EXISTS, xrefs: 00A61B41
REMOVE, xrefs: 00A61B1F

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 57f57bfb29e85a0ed5c0fe75149332cb47614f5fad539cd7a37ee630dd217324
Instruction ID: 1a8f5308c7dae8cfd5d1ed1e5fff50dd0f41c82adcfcb52a05b2fc7905195537
Opcode Fuzzy Hash: 57f57bfb29e85a0ed5c0fe75149332cb47614f5fad539cd7a37ee630dd217324
Instruction Fuzzy Hash: EB1184309001198FCF00EFA8E9918FEB7B8FF25744B944575D815A7292EB325D06CF50

Function 00A7EB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00A7EC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00A7EC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00A7ED6A
CloseHandle.KERNEL32(?), ref: 00A7EDEB

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: df78dc2f44ad30de991d120fefbf171f1fbcda7ea9afa23df2cf26242411b199
Instruction ID: 858edef33fd2d3f1f33437a06e542828a66e537c6beabbb8ed7e52028281cec6
Opcode Fuzzy Hash: df78dc2f44ad30de991d120fefbf171f1fbcda7ea9afa23df2cf26242411b199
Instruction Fuzzy Hash: 6B816CB16007009FD720EF28D986B2AB7E5AF88710F04C95DF999DB3D2DAB0AC458B51

Function 00A80037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A07DE1: _memmove.LIBCMT ref: 00A07E22

Part of subcall function 00A80E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A7FDAD,?,?), ref: 00A80E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A800FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A8013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00A80183
RegCloseKey.ADVAPI32(?,?), ref: 00A801AF
RegCloseKey.ADVAPI32(00000000), ref: 00A801BC

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 4bfe10e527a30e9823097027d02acb5f0189014d1c6e3a4ef4acf5a8cb1ebc65
Instruction ID: 1015bec0531ecdd2fe624b31db098969ffcf5e76635fc4d34044d63639a826f0
Opcode Fuzzy Hash: 4bfe10e527a30e9823097027d02acb5f0189014d1c6e3a4ef4acf5a8cb1ebc65
Instruction Fuzzy Hash: 72515A71608208AFD704EF68D985E6BB7F9FF84314F40892DF595872A2DB31E909CB52

Function 00A7D8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00A09837: __itow.LIBCMT ref: 00A09862
Part of subcall function 00A09837: __swprintf.LIBCMT ref: 00A098AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00A7D927
GetProcAddress.KERNEL32(00000000,?), ref: 00A7D9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 00A7D9C6
GetProcAddress.KERNEL32(00000000,?), ref: 00A7DA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00A7DA21

Part of subcall function 00A05A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00A67896,?,?,00000000), ref: 00A05A2C
Part of subcall function 00A05A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00A67896,?,?,00000000,?,?), ref: 00A05A50

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: eee8f8670c7cddbef71ec0ee9ec3db55e45421b47b38b4c41c6de44563804eb3
Instruction ID: 1720fae1c7be011e09733e8a5a5fa81efd2dc45a624e91d2d481bb50193d6885
Opcode Fuzzy Hash: eee8f8670c7cddbef71ec0ee9ec3db55e45421b47b38b4c41c6de44563804eb3
Instruction Fuzzy Hash: 5D511775A00209DFCB00EFA8D9849AEBBF9FF09320B14C165E959AB352D731AD45CF91

Function 00A6E571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00A6E61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00A6E648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00A6E687

Part of subcall function 00A09837: __itow.LIBCMT ref: 00A09862
Part of subcall function 00A09837: __swprintf.LIBCMT ref: 00A098AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00A6E6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00A6E6B4

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 0e96e85773d5d8af385bed4b0b6c6a3c294d7078f80d12bf3d7a1cf097a2ad55
Instruction ID: 70c528616a9a554fe4f918c5ec46ebaca918b9ce2c4bdd4c4df45227f66c6436
Opcode Fuzzy Hash: 0e96e85773d5d8af385bed4b0b6c6a3c294d7078f80d12bf3d7a1cf097a2ad55
Instruction Fuzzy Hash: 3C510D79A00109DFCB01EF64D981AAEBBF5EF09314F1480A5E849AB3A2DB31ED15DF51

Function 00A8A056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b354af5906d1d983ae32d8575421b6a77ac3e2804ce999defa34b16f6710268e
Instruction ID: 0492d346af0614e523071c2368f8e53a4234edf9c1dd1d7f05b60bde90969297
Opcode Fuzzy Hash: b354af5906d1d983ae32d8575421b6a77ac3e2804ce999defa34b16f6710268e
Instruction Fuzzy Hash: 4041C335E04104AFE710EF68CC4CFA9BBB4EB29310F150266F856A72E1C730AD52DB51

Function 00A02344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00A02357
ScreenToClient.USER32(00AC57B0,?), ref: 00A02374
GetAsyncKeyState.USER32(00000001), ref: 00A02399
GetAsyncKeyState.USER32(00000002), ref: 00A023A7

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: e424c7ff8bc0ecb904cfd6e2cdc2954ecc9c3f2ff5198cb20e42ec5786c43dbf
Instruction ID: 60b50e06ad6dfecb7249a83498c05b3fbc0093c1388b8356f7cb105630063d38
Opcode Fuzzy Hash: e424c7ff8bc0ecb904cfd6e2cdc2954ecc9c3f2ff5198cb20e42ec5786c43dbf
Instruction Fuzzy Hash: 68417D35604219FFDF199FA8DC48AE9FB75BB05364F20431AF829A62E0C7349950DBA1

Function 00A563AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A563E7
TranslateAcceleratorW.USER32(?,?,?), ref: 00A56433
TranslateMessage.USER32(?), ref: 00A5645C
DispatchMessageW.USER32(?), ref: 00A56466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A56475

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 557dd202b64159b7d99647e438e68325d461260b3b0b27c474b805fd95cd66e5
Instruction ID: 6216f8f5ca5fc4d6a46dab1b1a18e86c6a24e051103aac2c2378d9107c06eeff
Opcode Fuzzy Hash: 557dd202b64159b7d99647e438e68325d461260b3b0b27c474b805fd95cd66e5
Instruction Fuzzy Hash: B7319E71A00646AEDB64CFB0D944FA67BF8BB01312F940565F821C71A1E735A8CEDB60

Function 00A58A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00A58A30
PostMessageW.USER32(?,00000201,00000001), ref: 00A58ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00A58AE2
PostMessageW.USER32(?,00000202,00000000), ref: 00A58AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00A58AF8

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 8906c7f7316a5bd5c5568c462319872d104a2c2ada44a252e6da2b8498cfd72c
Instruction ID: b092c51ba6f88e67592105145941718d27c18effb5bf6282e2496719452d627c
Opcode Fuzzy Hash: 8906c7f7316a5bd5c5568c462319872d104a2c2ada44a252e6da2b8498cfd72c
Instruction Fuzzy Hash: BE31DF71500219EFDF14CFA8D94CA9E3BB5FB04316F11822AFA24E71D1C7B49918CB90

Function 00A5B1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00A5B204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00A5B221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00A5B259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00A5B27F
_wcsstr.LIBCMT ref: 00A5B289

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 13d9fe9c6ca20d70e8a4df0045cacf5d0366db83996f6122c5f5de2374af5fb7
Instruction ID: e6cc8b9d1a5d963d47eab9f382fcc28189e16b46aae3ee2cf262888fa8406e0d
Opcode Fuzzy Hash: 13d9fe9c6ca20d70e8a4df0045cacf5d0366db83996f6122c5f5de2374af5fb7
Instruction Fuzzy Hash: D8212532214201BEEB159B79AC09EBF7BA8EF49712F104139FC04CA1A1EF718C419370

Function 00A8B14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00A02612: GetWindowLongW.USER32(?,000000EB), ref: 00A02623

GetWindowLongW.USER32(?,000000F0), ref: 00A8B192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00A8B1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00A8B1CF
GetSystemMetrics.USER32(00000004), ref: 00A8B1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00A70E90,00000000), ref: 00A8B216

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: cb869f80e38136db84ce1221fe74e809db15aa3ef728d18c44230788de872d88
Instruction ID: cc56a80d737682433b57be222adad50beeb3be99fb1e104d7c5cfd5ce24a487b
Opcode Fuzzy Hash: cb869f80e38136db84ce1221fe74e809db15aa3ef728d18c44230788de872d88
Instruction Fuzzy Hash: BC218371920656AFCB14AF78DC18A6A7BA4FB05361F154738FD32D71E0E7309851DBA0

Function 00A59307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00A59320

Part of subcall function 00A07BCC: _memmove.LIBCMT ref: 00A07C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00A59352
__itow.LIBCMT ref: 00A5936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00A59392
__itow.LIBCMT ref: 00A593A3

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 6d8079f1fe0662e4260b086913b16886f74e9350529e99288056f7cde832b80d
Instruction ID: 58dbc7c9d791a59a1b82248fa70e393cbd14ef9e802ed55785961833099c1b31
Opcode Fuzzy Hash: 6d8079f1fe0662e4260b086913b16886f74e9350529e99288056f7cde832b80d
Instruction Fuzzy Hash: 2D21F531B00208FBDB10ABA49D89EAF3BA8FB49721F144029FD09DF1C1D6B0DD599791

Function 00A75A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00A75A6E
GetForegroundWindow.USER32 ref: 00A75A85
GetDC.USER32(00000000), ref: 00A75AC1
GetPixel.GDI32(00000000,?,00000003), ref: 00A75ACD
ReleaseDC.USER32(00000000,00000003), ref: 00A75B08

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 0ead22fae53ad85c466913410fcda188ae9bc937a720c777c0c76f3f40772df4
Instruction ID: 1ac47df95dd8a960173ab900129d1c3e773bc68425901e7c608110fd59e18a38
Opcode Fuzzy Hash: 0ead22fae53ad85c466913410fcda188ae9bc937a720c777c0c76f3f40772df4
Instruction Fuzzy Hash: 77219375A00204AFDB14EFA5DD88A9ABBF9EF48350F14C579F849D7362DA70AD01CB90

Function 00A012F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A0134D
SelectObject.GDI32(?,00000000), ref: 00A0135C
BeginPath.GDI32(?), ref: 00A01373
SelectObject.GDI32(?,00000000), ref: 00A0139C

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 58ed2caf9d83165755630681770568815d12bfffe52048f8345be722595e9286
Instruction ID: 6a2ecee456436ea098ff798edde2dbe0f5cecd7bda3da65e49e3e86d8487167c
Opcode Fuzzy Hash: 58ed2caf9d83165755630681770568815d12bfffe52048f8345be722595e9286
Instruction Fuzzy Hash: CA214A30C00709EFDB10DFA5EC09BA97BB8EB00361F554226F8109A1E0D770A892EB92

Function 00A5BC9E Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00A5BCB3
_memcmp.LIBCMT ref: 00A5BCD1
_memcmp.LIBCMT ref: 00A5BCE4
_memcmp.LIBCMT ref: 00A5BCFC
_memcmp.LIBCMT ref: 00A5BD14

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 8d2bd788629e61bb9a0f26cb666a05866e42ad7bb8386f864258a4812106ec0d
Instruction ID: 1f4e8a1568a8142dba270bdaae31fced22a6ca49333a028639fcdd9f1c5c48a7
Opcode Fuzzy Hash: 8d2bd788629e61bb9a0f26cb666a05866e42ad7bb8386f864258a4812106ec0d
Instruction Fuzzy Hash: F50192B27101197BD6046B15AE42FBBB3ACFE2438AB144421FD1996243EB70DE1482B4

Function 00A64A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00A64ABA
__beginthreadex.LIBCMT ref: 00A64AD8
MessageBoxW.USER32(?,?,?,?), ref: 00A64AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00A64B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00A64B0A

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: ef3aee51c76868ba89f6bfe4137b1178afd88721fbe4fd3c2435baefb669a1ae
Instruction ID: df170ee9b523e15b6de1bcb6c92869c1847ac639e096fc1108a5aa699f2ce122
Opcode Fuzzy Hash: ef3aee51c76868ba89f6bfe4137b1178afd88721fbe4fd3c2435baefb669a1ae
Instruction Fuzzy Hash: 8011E176904219BFC701DBF8EC08ADB7BBCEB49320F154269F925D3250D675994587A0

Function 00A58202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00A5821E
GetLastError.KERNEL32(?,00A57CE2,?,?,?), ref: 00A58228
GetProcessHeap.KERNEL32(00000008,?,?,00A57CE2,?,?,?), ref: 00A58237
HeapAlloc.KERNEL32(00000000,?,00A57CE2,?,?,?), ref: 00A5823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00A58255

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: b479acc5c917bd0ceb5d72de34f5659c2ca68e2e8cc54ed277363025659be4ce
Instruction ID: da9494c4749468b7e7f3d631e9f0768ac430a09f186ae282d0cd595964281ebd
Opcode Fuzzy Hash: b479acc5c917bd0ceb5d72de34f5659c2ca68e2e8cc54ed277363025659be4ce
Instruction Fuzzy Hash: B3016971200205BFDB208FA6DC88DAB7FACFF9A755B500539FD19D2220DA318C15CB60

Function 00A5710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A57044,80070057,?,?,?,00A57455), ref: 00A57127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A57044,80070057,?,?), ref: 00A57142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A57044,80070057,?,?), ref: 00A57150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A57044,80070057,?), ref: 00A57160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A57044,80070057,?,?), ref: 00A5716C

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 0a9d04bd6fd3881ff1ea5fad0b8ae6aed91f159562c347c7f1b2d2350e434df8
Instruction ID: e3ffca702dd4ce8941377672b948d7e6e737d1573275cf02652a997b4ba8b247
Opcode Fuzzy Hash: 0a9d04bd6fd3881ff1ea5fad0b8ae6aed91f159562c347c7f1b2d2350e434df8
Instruction Fuzzy Hash: 15017C72601615AFDB118FA5EC44AAE7BADFB44792F140264FD04E2220DB31DD459BA0

Function 00A65244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00A65260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00A6526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00A65276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00A65280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00A652BC

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 00e1349f4fc7423cea064b8fed53ffaad1f94e2f57bc6e1bfefa9a02dd3e77cd
Instruction ID: dce39dcb1719cb5c6bec7afb4cbf43a357891639f92c5a558fe52642c9eee99a
Opcode Fuzzy Hash: 00e1349f4fc7423cea064b8fed53ffaad1f94e2f57bc6e1bfefa9a02dd3e77cd
Instruction Fuzzy Hash: D2011771D01A2ADBCF00EFF5EC999EDBB78BB09711F400556EA45F2144CB30555187A1

Function 00A5810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00A58121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00A5812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A5813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00A58141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A58157

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 6825ef2b602889a8a413cff3e153a5ca0f6866c7a8950bed2cf6696c50a69436
Instruction ID: 5ebb55a90ed506c2e0d515cec28856c746ea9e8805c7306b4d55db756ce60595
Opcode Fuzzy Hash: 6825ef2b602889a8a413cff3e153a5ca0f6866c7a8950bed2cf6696c50a69436
Instruction Fuzzy Hash: A4F0AF70200305AFEB114FA5EC88E673BACFF49755B100125FA45D6150DA749806DB60

Function 00A5C1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00A5C1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 00A5C20E
MessageBeep.USER32(00000000), ref: 00A5C226
KillTimer.USER32(?,0000040A), ref: 00A5C242
EndDialog.USER32(?,00000001), ref: 00A5C25C

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 50e83ce93fdb6e551406b08965a220655ed1bbc17845406a789e7d29f253b1c0
Instruction ID: de9a592cacd203a6b8a248f97a9955018f6afd9bcc83d03bb18efb0e55e11133
Opcode Fuzzy Hash: 50e83ce93fdb6e551406b08965a220655ed1bbc17845406a789e7d29f253b1c0
Instruction Fuzzy Hash: 9B018B305047059FEB20AB94ED4EFDA7778FF10716F000669F982E14E1EBF469999B50

Function 00A013B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00A013BF
StrokeAndFillPath.GDI32(?,?,00A3B888,00000000,?), ref: 00A013DB
SelectObject.GDI32(?,00000000), ref: 00A013EE
DeleteObject.GDI32 ref: 00A01401
StrokePath.GDI32(?), ref: 00A0141C

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 1113c180c58fa5aadfd1f4e9b32426a3bcc437f0ccf96436764346b854d1e9bd
Instruction ID: 9669070f01f1de14e1ccc340d186be380cd1393c3e79cb89371e093cafc9ddfa
Opcode Fuzzy Hash: 1113c180c58fa5aadfd1f4e9b32426a3bcc437f0ccf96436764346b854d1e9bd
Instruction Fuzzy Hash: 97F0C434404A09EFDB11DFA6EC4CB983FB5AB11326F198224F429890F1DB3599A6EF51

Function 00A6C397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00A6C432
CoCreateInstance.OLE32(00A92D6C,00000000,00000001,00A92BDC,?), ref: 00A6C44A

Part of subcall function 00A07DE1: _memmove.LIBCMT ref: 00A07E22

CoUninitialize.OLE32 ref: 00A6C6B7

Strings

.lnk, xrefs: 00A6C3C6, 00A6C3EE, 00A6C3F8

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 2a412e1c4f638533ffc3f127efb23ad723a0ee26c1b2cf1eb42b3e3633eaa2d5
Instruction ID: d45959cf00f4800df79274e6039a2c7fb9b281cbf6ce32e24f2b3808849ca47b
Opcode Fuzzy Hash: 2a412e1c4f638533ffc3f127efb23ad723a0ee26c1b2cf1eb42b3e3633eaa2d5
Instruction Fuzzy Hash: CFA14BB1104209AFD700EF64D991EAFB7E8FF89354F00491DF59587192EB71EA09CB52

Function 00A12CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00A20DB6: std::exception::exception.LIBCMT ref: 00A20DEC
Part of subcall function 00A20DB6: __CxxThrowException@8.LIBCMT ref: 00A20E01

Part of subcall function 00A07DE1: _memmove.LIBCMT ref: 00A07E22

Part of subcall function 00A07A51: _memmove.LIBCMT ref: 00A07AAB

__swprintf.LIBCMT ref: 00A12ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00A12D66

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: a275118e2cd6a476541c5b837f63b63b7498744fc7e9db3baa4f7ff5a2c2e5db
Instruction ID: 8ca82fddb78725d265a11d0d4d4ec264d0bbdebf3c172bb53abf4cede64af280
Opcode Fuzzy Hash: a275118e2cd6a476541c5b837f63b63b7498744fc7e9db3baa4f7ff5a2c2e5db
Instruction Fuzzy Hash: 20917D715082159FCB14EF28EA85DAFB7B8EF85750F00491DF4859B2E2EA30ED85CB52

Function 00A6B93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00A04750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A04743,?,?,00A037AE,?), ref: 00A04770

CoInitialize.OLE32(00000000), ref: 00A6B9BB
CoCreateInstance.OLE32(00A92D6C,00000000,00000001,00A92BDC,?), ref: 00A6B9D4
CoUninitialize.OLE32 ref: 00A6B9F1

Part of subcall function 00A09837: __itow.LIBCMT ref: 00A09862
Part of subcall function 00A09837: __swprintf.LIBCMT ref: 00A098AC

Strings

.lnk, xrefs: 00A6B99D, 00A6B9AB

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 124e37d6c555f6a7e7512a4bf2cce3576d46b37aab9aee0aa0a449d2dec54705
Instruction ID: 058059e975f4c16c55caf750be3c0d16cce9fbaef11e6f53f09a0c8e7bee99bd
Opcode Fuzzy Hash: 124e37d6c555f6a7e7512a4bf2cce3576d46b37aab9aee0aa0a449d2dec54705
Instruction Fuzzy Hash: 1DA114756042059FCB10DF14C984D6ABBF9FF89314F148998F8999B3A2CB31ED86CB91

Function 00A2501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00A250AD

Part of subcall function 00A300F0: __87except.LIBCMT ref: 00A3012B

Strings

pow, xrefs: 00A25085, 00A250A2

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 830650f68329af35813429cfdc09d1da17aa45cbc344d5dbea3710d6dd61a02a
Instruction ID: 7eec3f1d3c02480992e277a5f99a4600a33e089e7a576c34bcb0c0eb4ef0a06a
Opcode Fuzzy Hash: 830650f68329af35813429cfdc09d1da17aa45cbc344d5dbea3710d6dd61a02a
Instruction Fuzzy Hash: 37517D71E1C5019ADB11B77CDE21BBF2BA0BB40700F208A79F4D5862A9DE348DD4DB86

Function 00A16192 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A16248
_memmove.LIBCMT ref: 00A162E4
_memset.LIBCMT ref: 00A16308

Strings

ERCP, xrefs: 00A161B3

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 13a702f9e96ab5d9479df803b5297bd58ef22f9f8121b9dbc4dfdc48bf747429
Instruction ID: 49afdf227f34995e5c3a0910b227cfd64615fb338f4f01cdac72758602479f79
Opcode Fuzzy Hash: 13a702f9e96ab5d9479df803b5297bd58ef22f9f8121b9dbc4dfdc48bf747429
Instruction Fuzzy Hash: 6D517071900715DBDB24CF65C981BEBB7F4AF08314F20456EE95ADB251E770AA84CB50

Function 00A597F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A614BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00A59296,?,?,00000034,00000800,?,00000034), ref: 00A614E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00A5983F

Part of subcall function 00A61487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00A592C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00A614B1

Part of subcall function 00A613DE: GetWindowThreadProcessId.USER32(?,?), ref: 00A61409
Part of subcall function 00A613DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00A5925A,00000034,?,?,00001004,00000000,00000000), ref: 00A61419
Part of subcall function 00A613DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00A5925A,00000034,?,?,00001004,00000000,00000000), ref: 00A6142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00A598AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00A598F9

Strings

@, xrefs: 00A59911

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 5a4073796d15ea2d3537dd72825ee8b58bfb9553dba85e5c4e709bb965bf5f72
Instruction ID: ec9f580eaaa1056781cbe4cd5638d983ac120078bdd9d8da4d20850d9c0f3ef5
Opcode Fuzzy Hash: 5a4073796d15ea2d3537dd72825ee8b58bfb9553dba85e5c4e709bb965bf5f72
Instruction Fuzzy Hash: 70416F7690021CBFCB10DFA4CD85ADEBBB8EB09300F144199FA55B7191DA706E89CBA0

Function 00A87946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00A8F910,00000000,?,?,?,?), ref: 00A879DF
GetWindowLongW.USER32 ref: 00A879FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A87A0C

Strings

SysTreeView32, xrefs: 00A879B1

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: c6f4f68c247bf695b95a330276b7e3fe253b22c9a44c59202634465b9774e708
Instruction ID: b22d00911ce7abbde76b7dac63aa88bb2d7239275f3a05f2ecbcb930378d3440
Opcode Fuzzy Hash: c6f4f68c247bf695b95a330276b7e3fe253b22c9a44c59202634465b9774e708
Instruction Fuzzy Hash: FA31BE3120460AAFDB15AF78DC45BEB77A9FB09324F204725F875A32E0D731E9919B50

Function 00A873D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00A87461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00A87475
SendMessageW.USER32(?,00001002,00000000,?), ref: 00A87499

Strings

SysMonthCal32, xrefs: 00A8742C

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 82f1b809d20dfa5afe1f58ccdf906c82e42a4140b87e6e303b595a8b5357a019
Instruction ID: d6672705d21c3b128de26b6166c86ed07c8c58c72b609708015996e256820549
Opcode Fuzzy Hash: 82f1b809d20dfa5afe1f58ccdf906c82e42a4140b87e6e303b595a8b5357a019
Instruction Fuzzy Hash: C8218D32500219ABDF15DFA4DC46FEE3B69EB48724F210214FA156B190DA75E8919BA0

Function 00A87B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00A87C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00A87C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00A87C5F

Strings

msctls_updown32, xrefs: 00A87BC4

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 726fb353c656093b9164b49246bf627d2affb8b90f58f8da16f441df73d4ff1e
Instruction ID: cb3f204bb8face7a5f70120b1a59071679442ca9ea40ee33cafa549fb74e5739
Opcode Fuzzy Hash: 726fb353c656093b9164b49246bf627d2affb8b90f58f8da16f441df73d4ff1e
Instruction Fuzzy Hash: 9D219DB5604209AFDB10EF68DCC5DAB37EDEF5A354B240459FA019B3A1CB31EC518BA0

Function 00A86CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00A86D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00A86D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00A86D70

Strings

Listbox, xrefs: 00A86D08

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 9e8c74b5c4a9e14323fc0bf50d66944385267bb8b0c8ea4272ceaec4443d8e83
Instruction ID: f6cd837439c79906118f7d5228245b6169bdf4667efecea0552fe7ada85d3f37
Opcode Fuzzy Hash: 9e8c74b5c4a9e14323fc0bf50d66944385267bb8b0c8ea4272ceaec4443d8e83
Instruction Fuzzy Hash: 8821C672610118BFEF129F54DC45FFB3BBAEF89750F118128F9459B1A0C671AC5287A0

Function 00A8770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00A87772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00A87787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00A87794

Strings

msctls_trackbar32, xrefs: 00A87749

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 1f303e9bd2816e892d1bad21742ee619729c507375378ad7df03f6e4d5bd9333
Instruction ID: 88f687c41208f2e86f8c6e1a06e0b7be8ecc0fd8ce788297682a3cd88a89adae
Opcode Fuzzy Hash: 1f303e9bd2816e892d1bad21742ee619729c507375378ad7df03f6e4d5bd9333
Instruction Fuzzy Hash: 74112732200208BEEF10AF60CC01FDB7768EF88B54F110528F64192090D271E851CB20

Function 00A04C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00A04B83,?), ref: 00A04C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00A04C56

Strings

Wow64RevertWow64FsRedirection, xrefs: 00A04C50
kernel32.dll, xrefs: 00A04C3F

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 197e5fe0021adaddeebfcd13f1629d43ab2012cfe88d94503207309f6332ffc0
Instruction ID: e0401dccc69bf2374fd96492dd009b673cf1fb376c0679291aeee6ffad9e14b7
Opcode Fuzzy Hash: 197e5fe0021adaddeebfcd13f1629d43ab2012cfe88d94503207309f6332ffc0
Instruction Fuzzy Hash: 05D01770A10713DFEB209F71E90C64A76E8BF09752B118D3E9696D61A4E670D8C0CB60

Function 00A04C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00A04BD0,?,00A04DEF,?,00AC52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00A04C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00A04C23

Strings

Wow64DisableWow64FsRedirection, xrefs: 00A04C1D
kernel32.dll, xrefs: 00A04C0C

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: f778917e07bed1f48dc4a89df4eed007aeefa961feb4951780077b395e5c27c4
Instruction ID: 758b2130a83520a6ef08c498e4adb6f61bfb0facf16438a30fdc03798058ff53
Opcode Fuzzy Hash: f778917e07bed1f48dc4a89df4eed007aeefa961feb4951780077b395e5c27c4
Instruction Fuzzy Hash: DCD01270511713DFD720AFB1D90C64AB6D5FF09752B118D3A9585D6190E6B0D481C750

Function 00A80DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00A81039), ref: 00A80DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00A80E07

Strings

RegDeleteKeyExW, xrefs: 00A80E01
advapi32.dll, xrefs: 00A80DF0

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 40da59849d664b6edee2d04a7ae890cbf4cf937f63311b9c6ef475ca8f3f50f1
Instruction ID: b167636545faf98667191b756b1a973574bfd95d5cf626a760530fe2608befd5
Opcode Fuzzy Hash: 40da59849d664b6edee2d04a7ae890cbf4cf937f63311b9c6ef475ca8f3f50f1
Instruction Fuzzy Hash: C9D0C730540323DFC320AFB0C808AC372E8BF14342F008D3E96C2C2150E6B4D894CB00

Function 00A790E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00A78CF4,?,00A8F910), ref: 00A790EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00A79100

Strings

GetModuleHandleExW, xrefs: 00A790FA
kernel32.dll, xrefs: 00A790E9

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 72bcade08ac583412b7949a88d20d211d90ff48b2c2b3d01c681c1569b77857a
Instruction ID: bc7208f6688ddea49442e40fcbe593756d80fc0d3319dda353bb1d81d33ebb0c
Opcode Fuzzy Hash: 72bcade08ac583412b7949a88d20d211d90ff48b2c2b3d01c681c1569b77857a
Instruction Fuzzy Hash: A6D0C730650313DFCB20DF78CC0C20372E8AF00351F02CD3A948AC2190EA70C890CB90

Function 00A41714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00A41718
__swprintf.LIBCMT ref: 00A41749

Strings

WIN_XPe, xrefs: 00A41788
%.3d, xrefs: 00A41723

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: dedd3989be68014ac663f9e3cd1014e49fd5e16fde1cbcae7b61c65f0492ff34
Instruction ID: cd68aa0867e3be1fbd2d6f3a613f672f82560898d7eb72819c7ec7cee6ff874e
Opcode Fuzzy Hash: dedd3989be68014ac663f9e3cd1014e49fd5e16fde1cbcae7b61c65f0492ff34
Instruction Fuzzy Hash: BAD0177A844119FBCB509B90A9888FA73BCAB49311F200562B512A2080E22A9BD4EE21

Function 00A5717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 757235ea6afed1163ba2442d5a259462144ee4e212bbabbe65e896cce98375a7
Instruction ID: e9574d85ec20079508a4896fc9303d3daa02d0e80fa0d24f5aa7b916135b36db
Opcode Fuzzy Hash: 757235ea6afed1163ba2442d5a259462144ee4e212bbabbe65e896cce98375a7
Instruction Fuzzy Hash: 1FC16C74A04216EFCB14CFA8D884EAEBBB9FF48715B148598EC05EB251D730ED85DB90

Function 00A7E02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00A7E0BE
CharLowerBuffW.USER32(?,?), ref: 00A7E101

Part of subcall function 00A7D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00A7D7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00A7E301
_memmove.LIBCMT ref: 00A7E314

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: a9d8aaa250a65d280630f0a9f941a63dac99082668f58e16e308e65804c94129
Instruction ID: 49c32cda29aa25a35e63950410687172ef6d814332720b50099b188884f9df65
Opcode Fuzzy Hash: a9d8aaa250a65d280630f0a9f941a63dac99082668f58e16e308e65804c94129
Instruction Fuzzy Hash: 6BC13971A083119FC714DF28C88196ABBE4FF89714F14C96EF8999B352D731E946CB81

Function 00A78093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00A780C3
CoUninitialize.OLE32 ref: 00A780CE

Part of subcall function 00A5D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00A5D5D4

VariantInit.OLEAUT32(?), ref: 00A780D9
VariantClear.OLEAUT32(?), ref: 00A783AA

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: f13fe8d70ed13e89ebcbcaa4a40cddcd1dcd012128dd6bd9556d5c97172a0fa3
Instruction ID: 148e8eaff0094ee1fe365450295212b4124e717cf208c5b4df8c876bf147858b
Opcode Fuzzy Hash: f13fe8d70ed13e89ebcbcaa4a40cddcd1dcd012128dd6bd9556d5c97172a0fa3
Instruction Fuzzy Hash: 9EA168756047059FDB00DF68C985B2AB7E4BF89364F04C459F99A9B3A2CB34ED05CB82

Function 00A57530 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00A92C7C,?), ref: 00A576EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00A92C7C,?), ref: 00A57702
CLSIDFromProgID.OLE32(?,?,00000000,00A8FB80,000000FF,?,00000000,00000800,00000000,?,00A92C7C,?), ref: 00A57727
_memcmp.LIBCMT ref: 00A57748

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 233b3fa859969fe8a2c9e1714d3a9bf4b0f648756fd0a1fec6adc8a8c2fd2f92
Instruction ID: fe89bb252b126623a2a02c44d8555deeef10de33527995d039c0c2d8f7055b9f
Opcode Fuzzy Hash: 233b3fa859969fe8a2c9e1714d3a9bf4b0f648756fd0a1fec6adc8a8c2fd2f92
Instruction Fuzzy Hash: 5981EC75A00109EFCB04DFA4D984EEEB7B9FF89315F204558E905BB250DB71AE4ACB60

Function 00A5687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A5688E
SysAllocString.OLEAUT32(00000000), ref: 00A56937
VariantCopy.OLEAUT32 ref: 00A56966
VariantClear.OLEAUT32(?), ref: 00A5698D

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: e977a4277c0a209a7eb6942f252d23332566a884cd506b7e794edcc3e74370ea
Instruction ID: 3abf11e5ccdbc5a5aeca43ee88e6d3f968abc5e6e11bdf4056c716e9533c6b36
Opcode Fuzzy Hash: e977a4277c0a209a7eb6942f252d23332566a884cd506b7e794edcc3e74370ea
Instruction Fuzzy Hash: 3451D3747003029EDF24EF65D891A3AB3F5BF55351FA0C81FEA96EB292DA30D8488700

Function 00A897F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00B7E490,?), ref: 00A89863
ScreenToClient.USER32(00000002,00000002), ref: 00A89896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00A89903

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 982a764b66ba1b73d99dd53440d8499313143db9ddb87319b89426425443d701
Instruction ID: 56a7cbefd1f6bdca3a2def19ab5c8bc7786f4d693b4094534c540bdf8833058e
Opcode Fuzzy Hash: 982a764b66ba1b73d99dd53440d8499313143db9ddb87319b89426425443d701
Instruction Fuzzy Hash: 06512D34A00209AFDB10DF68D984ABE7BB5FF55360F148269F8659B2A0D731AD81CB90

Function 00A59A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00A59AD2
__itow.LIBCMT ref: 00A59B03

Part of subcall function 00A59D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00A59DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00A59B6C
__itow.LIBCMT ref: 00A59BC3

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 90b15be44cece3ca813e62317fa444f38b1e762654e2fa6a0333063701beed36
Instruction ID: 320d1a7efc69b50587d6845587ca2fce81b5f90b6cd1d8f26fac6064a0bd15ff
Opcode Fuzzy Hash: 90b15be44cece3ca813e62317fa444f38b1e762654e2fa6a0333063701beed36
Instruction Fuzzy Hash: BF417E74A0020CABEF11EF54E945BEE7BB9EF44755F000069FD05AB291DB70AE49CBA1

Function 00A769AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00A769D1
WSAGetLastError.WSOCK32(00000000), ref: 00A769E1

Part of subcall function 00A09837: __itow.LIBCMT ref: 00A09862
Part of subcall function 00A09837: __swprintf.LIBCMT ref: 00A098AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00A76A45
WSAGetLastError.WSOCK32(00000000), ref: 00A76A51

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 6fb648d72485d0c0d068b814c7860845c73804ec65d52da0bc7b6af6698eccdb
Instruction ID: 6bf510029c50fc6744475c47273e2a84114064971070bdf04a400d9dea835f97
Opcode Fuzzy Hash: 6fb648d72485d0c0d068b814c7860845c73804ec65d52da0bc7b6af6698eccdb
Instruction Fuzzy Hash: BF41CE75740604AFEB60AF64DD86F2A77A8AB04B50F04C158FA59AB3C3DA749D018B91

Function 00A7641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00A8F910), ref: 00A764A7
_strlen.LIBCMT ref: 00A764D9

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: f4e7a218409313fffeb0c24ff8fbb8f30257f7862c74c4d51a57d1b01af1877d
Instruction ID: 41af8bf3d8cf935c20dec7537c8938ebb8f319422c14a02a588cd29c9c5a4f6c
Opcode Fuzzy Hash: f4e7a218409313fffeb0c24ff8fbb8f30257f7862c74c4d51a57d1b01af1877d
Instruction Fuzzy Hash: 8D41A431A00508AFCB14EBA8ED95FAEB7B9AF44310F14C165F919972D3EB30AD05DB50

Function 00A6B7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00A6B89E
GetLastError.KERNEL32(?,00000000), ref: 00A6B8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00A6B8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00A6B915

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 314fa3ddc33e6d2510efed375ef8e1b2dcbc0d13df37a7f52391ac690690ca7e
Instruction ID: 98c3ae2ec2e4f79e75712af40081312d312aafeae6e48cedee5f4eeb6f0eec19
Opcode Fuzzy Hash: 314fa3ddc33e6d2510efed375ef8e1b2dcbc0d13df37a7f52391ac690690ca7e
Instruction Fuzzy Hash: 7F410639600615DFCB11EF15D584A5ABBF5AF4A310F09C098EC4AAB3A2CB30FD45CB91

Function 00A88851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00A888DE

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 895f44d6b14f601c828522e6c9b0127b9a2f3e37d17cd018e911e89fde680b03
Instruction ID: d646be904869fa911a40203f91f9ada77003650fd7100f7883d11bbe2e2b461b
Opcode Fuzzy Hash: 895f44d6b14f601c828522e6c9b0127b9a2f3e37d17cd018e911e89fde680b03
Instruction Fuzzy Hash: 1931B434A00109AFEF20BB68CC45FB977B5EB09350FE44111F955E71A1CF78E9909752

Function 00A8AB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00A8AB60
GetWindowRect.USER32(?,?), ref: 00A8ABD6
PtInRect.USER32(?,?,00A8C014), ref: 00A8ABE6
MessageBeep.USER32(00000000), ref: 00A8AC57

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 24269df187db69464ff87500fbc197243e8901d29be12f2cdd73536850164042
Instruction ID: 1224d350ba499886ea59d9eea2278c7f27639e22cf2e0c6f8575eccf11a76dcf
Opcode Fuzzy Hash: 24269df187db69464ff87500fbc197243e8901d29be12f2cdd73536850164042
Instruction Fuzzy Hash: B8419170A00519DFEB11EF98C884F597BF5FF59310F1481AAE415DB260D730E842DB92

Function 00A60AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00A60B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 00A60B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00A60BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00A60BFB

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: b724a7a8f0c0f7482e17175a09b4a4dd885497cd6ef8745900734b71593a2eb8
Instruction ID: 523c7641bb10dabbc615805f38a01290cb98bceb25719f39e3f6c046498a3216
Opcode Fuzzy Hash: b724a7a8f0c0f7482e17175a09b4a4dd885497cd6ef8745900734b71593a2eb8
Instruction Fuzzy Hash: D9314470A40208AEFF358B69CC05FFBBBB9EB45319F08826AE491921D1C3B58DC59761

Function 00A60C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 00A60C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 00A60C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 00A60CE1
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 00A60D33

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 25abce6b9e5dfdd7e0dd52d9879a9e7da8fe52582e6d4481614dd8ca0abdf66c
Instruction ID: dbcf501f7a05ecda9347531a183f83f6a73363cfb5a96acc90b5e1d6e6924e1e
Opcode Fuzzy Hash: 25abce6b9e5dfdd7e0dd52d9879a9e7da8fe52582e6d4481614dd8ca0abdf66c
Instruction Fuzzy Hash: BC312430940618AEFF348B65C814FFFBBB6EB45320F08432AE495921D1C37999D5C7A1

Function 00A361C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00A361FB
__isleadbyte_l.LIBCMT ref: 00A36229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00A36257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00A3628D

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 562c6faf274dd79e06fc582f960e64c4c07e6eb239efc9889edf8615f6ebea60
Instruction ID: 45ea5eb904206159614eadc9787132bf7ff6612fd4cf3a2af3f51f083a2e910f
Opcode Fuzzy Hash: 562c6faf274dd79e06fc582f960e64c4c07e6eb239efc9889edf8615f6ebea60
Instruction Fuzzy Hash: 1931B031A04256BFDF218FA5CC48BAB7BB9FF42310F168129F864971A1DB31D960DB90

Function 00A84EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00A84F02

Part of subcall function 00A63641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00A6365B
Part of subcall function 00A63641: GetCurrentThreadId.KERNEL32 ref: 00A63662
Part of subcall function 00A63641: AttachThreadInput.USER32(00000000,?,00A65005), ref: 00A63669

GetCaretPos.USER32(?), ref: 00A84F13
ClientToScreen.USER32(00000000,?), ref: 00A84F4E
GetForegroundWindow.USER32 ref: 00A84F54

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 92eb8ad285d32cefbdcb67447952b116c96aa8db41cbd9ab53f9d247d3c81302
Instruction ID: 21d165cbc3daad396eebe7acce911d30d355f74e0ad08ea513fbddeea559e60a
Opcode Fuzzy Hash: 92eb8ad285d32cefbdcb67447952b116c96aa8db41cbd9ab53f9d247d3c81302
Instruction Fuzzy Hash: F4311072D00108AFDB00EFB5D9859EFB7F9EF98300F10806AE555E7242EA759E05CBA1

Function 00A63C55 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00A63C7A
Process32FirstW.KERNEL32(00000000,?), ref: 00A63C88
Process32NextW.KERNEL32(00000000,?), ref: 00A63CA8
CloseHandle.KERNEL32(00000000), ref: 00A63D52

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 2f25c6dba39c993ca74cb320c27e9b61f34e4a4e9e0a29edcd7c8c11864e8d98
Instruction ID: 93ca1fd477f40576bb5e1bab86b8d1208067bd493097e87fdcda9eb9be6c608c
Opcode Fuzzy Hash: 2f25c6dba39c993ca74cb320c27e9b61f34e4a4e9e0a29edcd7c8c11864e8d98
Instruction Fuzzy Hash: 1A31B331108305DFD700EF60D985AAFBBF8EF85354F50092DF582861A1EB71AA4ACB92

Function 00A8C498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A02612: GetWindowLongW.USER32(?,000000EB), ref: 00A02623

GetCursorPos.USER32(?), ref: 00A8C4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00A3B9AB,?,?,?,?,?), ref: 00A8C4E7
GetCursorPos.USER32(?), ref: 00A8C534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00A3B9AB,?,?,?), ref: 00A8C56E

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: f5e4ea05beef4e84bce50b74cd5cb815c5eda721b5052b5d796c93e688706bb8
Instruction ID: b635cd267a61de0a1a9731d72dfdb43030d8bda25a9545e1d4de7d3dc723d3f4
Opcode Fuzzy Hash: f5e4ea05beef4e84bce50b74cd5cb815c5eda721b5052b5d796c93e688706bb8
Instruction Fuzzy Hash: 18319135600058EFCF29DF98CC58EEA7BB5EB09320F444169F9058B261C732AD91DFA4

Function 00A58656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A5810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00A58121
Part of subcall function 00A5810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00A5812B
Part of subcall function 00A5810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A5813A
Part of subcall function 00A5810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00A58141
Part of subcall function 00A5810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A58157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00A586A3
_memcmp.LIBCMT ref: 00A586C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A586FC
HeapFree.KERNEL32(00000000), ref: 00A58703

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 9d43f12d025324f6059fe3bc7ae803d7336054802c0063d8a7701b4633082b77
Instruction ID: d4246035edb0e1ddcedd38672bdeb19433411098fc4e80b55f62d5474c98bc96
Opcode Fuzzy Hash: 9d43f12d025324f6059fe3bc7ae803d7336054802c0063d8a7701b4633082b77
Instruction Fuzzy Hash: B4217C71E41109EFDB10DFA4C989BEEB7B8FF44306F154059E844AB240DB34AE09CB50

Function 00A2098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00A209AE

Part of subcall function 00A05A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00A67896,?,?,00000000), ref: 00A05A2C
Part of subcall function 00A05A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00A67896,?,?,00000000,?,?), ref: 00A05A50

_fprintf.LIBCMT ref: 00A209E5
OutputDebugStringW.KERNEL32(?), ref: 00A55DBB

Part of subcall function 00A24AAA: _flsall.LIBCMT ref: 00A24AC3

__setmode.LIBCMT ref: 00A20A1A

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: f1298b74c0fc578c2cd4385cf1176e036471a7155768b9acaeeeec32b3387e15
Instruction ID: 35943fef931035d30666250b1ff445a49324333d13ca09770d8e258f32c3d9c4
Opcode Fuzzy Hash: f1298b74c0fc578c2cd4385cf1176e036471a7155768b9acaeeeec32b3387e15
Instruction Fuzzy Hash: 5C112472A042187FDB04B7B8BC4ADBEB7BCAF49360F644165F105561C3EE20584687A1

Function 00A71767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00A717A3

Part of subcall function 00A7182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00A7184C
Part of subcall function 00A7182D: InternetCloseHandle.WININET(00000000), ref: 00A718E9

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: a5345e86887104664e507dcb8a4bd2c78fbb012c756d9dd094e968e8cb427fcf
Instruction ID: 0c1de1a63afd35505993145ab00d241a487678934d7a223dd078cfaa1f5a2143
Opcode Fuzzy Hash: a5345e86887104664e507dcb8a4bd2c78fbb012c756d9dd094e968e8cb427fcf
Instruction Fuzzy Hash: 8821A432200605BFEB169F64DC01FBABBE9FF48710F10C02AF91996550D771D811ABA5

Function 00A63A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00A8FAC0), ref: 00A63A64
GetLastError.KERNEL32 ref: 00A63A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 00A63A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00A8FAC0), ref: 00A63ADF

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 1e85c4fbca3b5236421e0165640067b642807309ed86507e5b0d84f6d855ff2f
Instruction ID: 1af1695ed73c15066fadcd386caae6f54e69dbd415bdfd6c06d86c949217ec05
Opcode Fuzzy Hash: 1e85c4fbca3b5236421e0165640067b642807309ed86507e5b0d84f6d855ff2f
Instruction Fuzzy Hash: 182182355082059FCB00EF64D9818AEB7F4AE653A4F144A1DF499C72E1D7319E47DB42

Function 00A5DCBE Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00A5F0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00A5DCD3,?,?,?,00A5EAC6,00000000,000000EF,00000119,?,?), ref: 00A5F0CB
Part of subcall function 00A5F0BC: lstrcpyW.KERNEL32(00000000,?,?,00A5DCD3,?,?,?,00A5EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00A5F0F1
Part of subcall function 00A5F0BC: lstrcmpiW.KERNEL32(00000000,?,00A5DCD3,?,?,?,00A5EAC6,00000000,000000EF,00000119,?,?), ref: 00A5F122

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00A5EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00A5DCEC
lstrcpyW.KERNEL32(00000000,?,?,00A5EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00A5DD12
lstrcmpiW.KERNEL32(00000002,cdecl,?,00A5EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00A5DD46

Strings

cdecl, xrefs: 00A5DD3D

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: eac41b1e6cb7f48f56085c566ac747c1b69b456626ba18506f6aeb4260f8f391
Instruction ID: e39f7850a5b673a76f2e28e48d3728ab844d3aa03ebfa734f4a5a6e9769d35b7
Opcode Fuzzy Hash: eac41b1e6cb7f48f56085c566ac747c1b69b456626ba18506f6aeb4260f8f391
Instruction Fuzzy Hash: 4011A63B201305EFCB25AF64D849DBA77B9FF45310B40812AE906CB2A1EB71A855C7A1

Function 00A350E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00A35101

Part of subcall function 00A2571C: __FF_MSGBANNER.LIBCMT ref: 00A25733
Part of subcall function 00A2571C: __NMSG_WRITE.LIBCMT ref: 00A2573A
Part of subcall function 00A2571C: RtlAllocateHeap.NTDLL(00B60000,00000000,00000001,00000000,?,?,?,00A20DD3,?), ref: 00A2575F

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 1cbb90819538f1639eb7cc50e32e9afc909e54e8d951f2998d2847173d781a09
Instruction ID: 5c25ae002a3c5b039b914cff853acefa276408bfbeddad76525bba1a31b7fcdc
Opcode Fuzzy Hash: 1cbb90819538f1639eb7cc50e32e9afc909e54e8d951f2998d2847173d781a09
Instruction Fuzzy Hash: AB11C272D01A26AFCF317FBCFD45B5E3BA8AF153A1F104A3AF9049A150DE3489419790

Function 00A76369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A05A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00A67896,?,?,00000000), ref: 00A05A2C
Part of subcall function 00A05A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00A67896,?,?,00000000,?,?), ref: 00A05A50

gethostbyname.WSOCK32(?,?,?), ref: 00A76399
WSAGetLastError.WSOCK32(00000000), ref: 00A763A4
_memmove.LIBCMT ref: 00A763D1
inet_ntoa.WSOCK32(?), ref: 00A763DC

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 4dcb520420791d9418600615299368aca95519d4558fcab41e0e4eb9ff92eb3f
Instruction ID: f90eea7cf97152c9c0fd818b5de2d411e0e5b6a281154b7221ddf789f4ec6271
Opcode Fuzzy Hash: 4dcb520420791d9418600615299368aca95519d4558fcab41e0e4eb9ff92eb3f
Instruction Fuzzy Hash: 0B113371900109AFCF04FFA4EE46DEF77B8AF04310B548065F505A71A2DB309E15DB61

Function 00A58B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00A58B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A58B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A58B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A58BA4

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c5f8119faa3060b4d29bdfb483d72743a086d8643eb896ef7be995e2ed17acc9
Instruction ID: 88f21628569fde54a3c7d8e7d3952bd730b57adba808bd70fc3eff92f1cb6fff
Opcode Fuzzy Hash: c5f8119faa3060b4d29bdfb483d72743a086d8643eb896ef7be995e2ed17acc9
Instruction Fuzzy Hash: 45115A79900218FFEB10DFA5CC84FADBBB8FB48710F2141A5EA00B7290DA716E11DB94

Function 00A01290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00A02612: GetWindowLongW.USER32(?,000000EB), ref: 00A02623

DefDlgProcW.USER32(?,00000020,?), ref: 00A012D8
GetClientRect.USER32(?,?), ref: 00A3B5FB
GetCursorPos.USER32(?), ref: 00A3B605
ScreenToClient.USER32(?,?), ref: 00A3B610

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 3a1026a2fb0cc778ad6c7a3cee28a7018eed3d26a0eeed78b79a111fdfb91b5d
Instruction ID: 63350f6a8a424afdf0078566a6f91cf1303963f55853fb82219fb0a97764ba7a
Opcode Fuzzy Hash: 3a1026a2fb0cc778ad6c7a3cee28a7018eed3d26a0eeed78b79a111fdfb91b5d
Instruction Fuzzy Hash: 78113D3590011DEFCB04DFA4E989DEE77B8EB09300F500466F901E7180D730BA529BA5

Function 00A61142 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00A5FCED,?,00A60D40,?,00008000), ref: 00A6115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00A5FCED,?,00A60D40,?,00008000), ref: 00A61184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00A5FCED,?,00A60D40,?,00008000), ref: 00A6118E
Sleep.KERNEL32(?,?,?,?,?,?,?,00A5FCED,?,00A60D40,?,00008000), ref: 00A611C1

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: e058c730d5d01adf200447953cab09b629045a86171b70dbb300a434985435ef
Instruction ID: f5ebdad6d5157469fe328d28a93ce225c73459c18b215b2d2da4d950d9622c74
Opcode Fuzzy Hash: e058c730d5d01adf200447953cab09b629045a86171b70dbb300a434985435ef
Instruction Fuzzy Hash: 65111831D0062DDBCF00DFE5D948AEEBFB8FB0A711F04465AEA45B2240CA749591CB95

Function 00A5D831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00A5D84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00A5D864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00A5D879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00A5D897

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 4176139eaafaff9a053f9fc6ed1531c4bde79a94040101adda6beb45b91c41fe
Instruction ID: 10df62a28f614b2fdadf8812328f259c52064c104a0c2aa22a69b9b3933162eb
Opcode Fuzzy Hash: 4176139eaafaff9a053f9fc6ed1531c4bde79a94040101adda6beb45b91c41fe
Instruction Fuzzy Hash: 13116175605305EFE330CF90EC08F93BBBCFB00B01F10856AAA16DA051D7B0E5499BA1

Function 00A36FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00A36FDB

Part of subcall function 00A376C2: __fltout2.LIBCMT ref: 00A376EB

__cftog_l.LIBCMT ref: 00A37001
__cftoe_l.LIBCMT ref: 00A37033

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 66641cdf2bb7be8f676e5274c5845f51c02317959ad6c7990907acbd4b4e7a3c
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: DD014CB244814ABBCF2A5F88DC42CEE3F62BB19350F588415FE1958031D736CAB1BB81

Function 00A8B2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00A8B2E4
ScreenToClient.USER32(?,?), ref: 00A8B2FC
ScreenToClient.USER32(?,?), ref: 00A8B320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00A8B33B

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 16cc49551ee02f343ed6562e15e8c2dcd11da1b6306a3fb9792dcf8fdce3da13
Instruction ID: 595add61a0b9fad9cbe3bd66f6c83f31ffdf1db5eb6847baaef45e3fa7ddde35
Opcode Fuzzy Hash: 16cc49551ee02f343ed6562e15e8c2dcd11da1b6306a3fb9792dcf8fdce3da13
Instruction Fuzzy Hash: 9D114775D0024AEFDB41DF99C4449EEBBF5FF18310F104166E914E3620D735AA558F50

Function 00A8B635 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A8B644
_memset.LIBCMT ref: 00A8B653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00AC6F20,00AC6F64), ref: 00A8B682
CloseHandle.KERNEL32 ref: 00A8B694

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: d157eef3c86527abc2c33c65e30bae3e1af311f5346c7be9031ace365fcafc90
Instruction ID: 2fa24a5c31be7f675073dd09fc522840420e71864ec564a0bd3591d6737c6198
Opcode Fuzzy Hash: d157eef3c86527abc2c33c65e30bae3e1af311f5346c7be9031ace365fcafc90
Instruction Fuzzy Hash: EBF05EB25403107EF610E7A5BC06FBB3A9CEB08395F014038FA08E9192D7758C0187E8

Function 00A66BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00A66BE6

Part of subcall function 00A676C4: _memset.LIBCMT ref: 00A676F9

_memmove.LIBCMT ref: 00A66C09
_memset.LIBCMT ref: 00A66C16
LeaveCriticalSection.KERNEL32(?), ref: 00A66C26

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: b5258232c598ea5586e35717d8cfb5158b28a009245fe4c64c62435d2b2139b0
Instruction ID: dc0e7de1c02a61a65dd9e647cf504ceca7cb8ce177a9b4e8ef5453dc7d60cf92
Opcode Fuzzy Hash: b5258232c598ea5586e35717d8cfb5158b28a009245fe4c64c62435d2b2139b0
Instruction Fuzzy Hash: CBF05E3A200110BFCF01AF95EC85E8ABB29EF45320F088061FE085E227D735E811CBB4

Function 00A02218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00A02231
SetTextColor.GDI32(?,000000FF), ref: 00A0223B
SetBkMode.GDI32(?,00000001), ref: 00A02250
GetStockObject.GDI32(00000005), ref: 00A02258
GetWindowDC.USER32(?,00000000), ref: 00A3BE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 00A3BE90
GetPixel.GDI32(00000000,?,00000000), ref: 00A3BEA9
GetPixel.GDI32(00000000,00000000,?), ref: 00A3BEC2
GetPixel.GDI32(00000000,?,?), ref: 00A3BEE2
ReleaseDC.USER32(?,00000000), ref: 00A3BEED

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: fa9ec3f9f00f392e8b974ada6afcd4587e2d262716ce4723696c6597bd61b92b
Instruction ID: 94b811f73f8e785fefd3131e205b521a92cb998f9afa46f61efca60abde5ce0b
Opcode Fuzzy Hash: fa9ec3f9f00f392e8b974ada6afcd4587e2d262716ce4723696c6597bd61b92b
Instruction Fuzzy Hash: 1DE06D32104245EEDF219FA8FC4D7D83F11EB05332F108366FB69480E187714991DB22

Function 00A58712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00A5871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,00A582E6), ref: 00A58722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00A582E6), ref: 00A5872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,00A582E6), ref: 00A58736

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 0c43d600eff07983e52d0654779bc2e5329a5118bf740a91c33080ee3a6b7dfd
Instruction ID: 2953d37f1bbd021c7116dec258d5a598029f7b7c150cea2373dbbb2f8f2c1b13
Opcode Fuzzy Hash: 0c43d600eff07983e52d0654779bc2e5329a5118bf740a91c33080ee3a6b7dfd
Instruction Fuzzy Hash: 68E086366113129FD7209FF05D0CB963BBCEF54B92F244828BA45D9050EA388446C750

Function 00A25DAC Relevance: 6.0, APIs: 4, Instructions: 14threadCOMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 00A25DAD

Part of subcall function 00A299C4: GetLastError.KERNEL32(00000000,00A20DD3,00A28B2D,00A257A3,?,?,00A20DD3,?), ref: 00A299C6
Part of subcall function 00A299C4: __calloc_crt.LIBCMT ref: 00A299E7
Part of subcall function 00A299C4: __initptd.LIBCMT ref: 00A29A09
Part of subcall function 00A299C4: GetCurrentThreadId.KERNEL32 ref: 00A29A10
Part of subcall function 00A299C4: SetLastError.KERNEL32(00000000,00A20DD3,?), ref: 00A29A28

CloseHandle.KERNEL32(?,?,00A25D8C), ref: 00A25DC1
__freeptd.LIBCMT ref: 00A25DC8
ExitThread.KERNEL32 ref: 00A25DD0

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: ErrorLastThread$CloseCurrentExitHandle__calloc_crt__freeptd__getptd_noexit__initptd
String ID:
API String ID: 4169687693-0
Opcode ID: 9639af3eb475b419c2f3bfb861b22d0cc070c2a2b7481ac9fe1f1492dfcd92d2
Instruction ID: c846f53989ff7ea637ec1ab0a21a3dd9a4c310a1836579427b392aab2eca552a
Opcode Fuzzy Hash: 9639af3eb475b419c2f3bfb861b22d0cc070c2a2b7481ac9fe1f1492dfcd92d2
Instruction Fuzzy Hash: B8D0C771401F315BC632A778AD0D66A7650EF06B72F044638F475595F09B3058438751

Function 00A5B2F3 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00A5B4BE

Strings

Container, xrefs: 00A5B43B
AutoIt3GUI, xrefs: 00A5B436

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: be88182ad87a15b20ef770aab42743d229706f8446172cf61c202c4e1e6a74c6
Instruction ID: ba8e9b4d56021450023ac8492a4b2be38ebae9d32ae3bc18b99836671be5e1ff
Opcode Fuzzy Hash: be88182ad87a15b20ef770aab42743d229706f8446172cf61c202c4e1e6a74c6
Instruction Fuzzy Hash: 7C913970610601AFDB14DF68C884A6ABBF9FF49712F20856DED46CB691EB70E845CB60

Function 00A6AFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00A1FC86: _wcscpy.LIBCMT ref: 00A1FCA9

Part of subcall function 00A09837: __itow.LIBCMT ref: 00A09862
Part of subcall function 00A09837: __swprintf.LIBCMT ref: 00A098AC

__wcsnicmp.LIBCMT ref: 00A6B02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00A6B0F6

Strings

LPT, xrefs: 00A6B027

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 93d7a4976978299065e95bc04dbaf64e83e84260b6b2387e2807d1e71fab0634
Instruction ID: 474e5f6c52b5a046e0c8d5a806b4d00563c6e00e89610fd4cb3e46bc46c144d0
Opcode Fuzzy Hash: 93d7a4976978299065e95bc04dbaf64e83e84260b6b2387e2807d1e71fab0634
Instruction Fuzzy Hash: CF619375A10219EFCB14DF94D991EAEB7B8EF09310F118169F916EB391D730AE84CB60

Function 00A12957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00A12968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00A12981

Strings

@, xrefs: 00A12975

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: f89107aa1ddffb8dfd97fb208187d1bfec2a713de8c2fa211e7aefc321a9b6f2
Instruction ID: 3ad021380d774021588f62560dc32285732319607a4f671150908d725969da90
Opcode Fuzzy Hash: f89107aa1ddffb8dfd97fb208187d1bfec2a713de8c2fa211e7aefc321a9b6f2
Instruction Fuzzy Hash: 5D5148724087489BD320EF54E986BAFBBE8FF85344F41885DF2D8411A2DB708529CB66

Function 00A69734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00A04F0B: __fread_nolock.LIBCMT ref: 00A04F29

_wcscmp.LIBCMT ref: 00A69824
_wcscmp.LIBCMT ref: 00A69837

Strings

FILE, xrefs: 00A69770

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: fe9c5c8389f3384f1da4e3d28001ccb0f9e5473277daa7c6ad68a10762a5c1ec
Instruction ID: 249d6f3ff85bd418cb6787318a440ba13048af3533d8441d27f8b44f41df2e51
Opcode Fuzzy Hash: fe9c5c8389f3384f1da4e3d28001ccb0f9e5473277daa7c6ad68a10762a5c1ec
Instruction Fuzzy Hash: 4C41BA71A4021ABADF209BA4DD45FEF7BBDEF49710F000469FA04E71C1DA75A9048B61

Function 00A7258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A7259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00A725D4

Strings

|, xrefs: 00A725A5

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 79235f6d67e47e7b2f624b4590111d73d99bf45cc6ecddbc7121b39bfe488333
Instruction ID: fd1a7cbd5238d06ff2d571b100a5a344d68be16f218b1bf15fe3feb6dc1d566a
Opcode Fuzzy Hash: 79235f6d67e47e7b2f624b4590111d73d99bf45cc6ecddbc7121b39bfe488333
Instruction Fuzzy Hash: DB313571D00119ABCF11EFA0DD85EEEBFB8FF08340F10406AF918A6162EB315916DB60

Function 00A87A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00A87B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00A87B76

Strings

', xrefs: 00A87ACA

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: ea20fa861063b63ee892662a163ee233efcab3006dcada5389456edadb5a5841
Instruction ID: 668b69f965261ea70b531593579ddacbfdd972a3e4340449989af637c0b5f334
Opcode Fuzzy Hash: ea20fa861063b63ee892662a163ee233efcab3006dcada5389456edadb5a5841
Instruction Fuzzy Hash: B8410874A0520A9FDB14DF68C985BEEBBB5FB09340F20016AE905AB391D770A951DF90

Function 00A86A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00A86B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00A86B53

Strings

static, xrefs: 00A86AB3

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: aebf0e6d580d0910983fc8fdfd73cd8b5d22153226e556593ff052752f225773
Instruction ID: cd6fb4df29df882dbe5818ea53e3c37741cf5621df26f3d89747202c688c548f
Opcode Fuzzy Hash: aebf0e6d580d0910983fc8fdfd73cd8b5d22153226e556593ff052752f225773
Instruction Fuzzy Hash: 5F318D71200604AEEB10AF64DC81BFB73B9FF48764F108619F9A5D7190DA30AC81C760

Function 00A628A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A62911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00A6294C

Strings

0, xrefs: 00A6290A

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 47f0bedc1fe6927835919a9a450219df3294f0abf7dbe5407f568e1d04da3503
Instruction ID: a183fcdbadbe94154b994c9cea03b920c883ca321a09ec17e86a14ddbe81dfce
Opcode Fuzzy Hash: 47f0bedc1fe6927835919a9a450219df3294f0abf7dbe5407f568e1d04da3503
Instruction Fuzzy Hash: 5231D632A00705AFEB25CF98DD85BEEBBF9EF85350F180029E985A71A1DB709944CB51

Function 00A739E9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00A73A66

Part of subcall function 00A07DE1: _memmove.LIBCMT ref: 00A07E22

Strings

, $, xrefs: 00A73AA6
AUTOITCALLVARIABLE%d, xrefs: 00A73A58

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: e15ea30c36f0dee5dfc7974857a1de45d9a01a2bc78409d3f92d7a1171b73185
Instruction ID: ca4ad246f4b6be41f4d19365d2399217cf1fa9465ec19b6b82649063114d2005
Opcode Fuzzy Hash: e15ea30c36f0dee5dfc7974857a1de45d9a01a2bc78409d3f92d7a1171b73185
Instruction Fuzzy Hash: 0721BD71A0021DAECF10EF68DD82AAE77B9BF44340F408454E849AB182DB35EA45DBA5

Function 00A866D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00A86761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A8676C

Strings

Combobox, xrefs: 00A8672E

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: c0762703e5bdb18eef489b5f07b59ca32f78e1e4212e517d9c68059818f0631b
Instruction ID: a8248ed42f4a478d2090b098717b9c9efbe4d1ed2e60dc2fddd0eda20f7ec387
Opcode Fuzzy Hash: c0762703e5bdb18eef489b5f07b59ca32f78e1e4212e517d9c68059818f0631b
Instruction Fuzzy Hash: 6511B271600208AFFF15EF54DC81EEB376AEB483A8F100129F91497290D6319C5187A0

Function 00A86C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00A01D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A01D73
Part of subcall function 00A01D35: GetStockObject.GDI32(00000011), ref: 00A01D87
Part of subcall function 00A01D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A01D91

GetWindowRect.USER32(00000000,?), ref: 00A86C71
GetSysColor.USER32(00000012), ref: 00A86C8B

Strings

static, xrefs: 00A86C4E

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: d49e20403282b1d34443305db26485b501af528fc4858aeb99c119ddac03416c
Instruction ID: e0e2856ad08c910fa6111f9d485a37c6324d37a7046a3037907795e732199a42
Opcode Fuzzy Hash: d49e20403282b1d34443305db26485b501af528fc4858aeb99c119ddac03416c
Instruction Fuzzy Hash: B02129B261020AAFDF04EFB8DC45EEA7BB8FB08315F004629F995D2250D635E861DB60

Function 00A86920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00A869A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00A869B1

Strings

edit, xrefs: 00A86986

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 6aa028654736cd51b0b911abab65472fafd6705aa4e87e9e9ae3f7d8dfcfdf00
Instruction ID: 25501da5e512ba78d5c57598cbec758c2ca45cb585fc3e24357bbdf4f0ea1bb2
Opcode Fuzzy Hash: 6aa028654736cd51b0b911abab65472fafd6705aa4e87e9e9ae3f7d8dfcfdf00
Instruction Fuzzy Hash: 17116A71510209AFFB10AF649C45AEB37A9EB053B4F604724F9A5962E0C731DC9197A0

Function 00A629AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A62A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00A62A41

Strings

0, xrefs: 00A62A18

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: f2d3d50fbf387e878188c411138da56c6cbf4bfa6d727ab0f4f5a82a205cc4b6
Instruction ID: 11a4871c4d7d03695c5f7157b019baa4b3df39683f5fbfca4b44ebcab92e24f7
Opcode Fuzzy Hash: f2d3d50fbf387e878188c411138da56c6cbf4bfa6d727ab0f4f5a82a205cc4b6
Instruction Fuzzy Hash: FB11D072D01914ABDB30DFE8D844BEA77B8AB95384F054021EA95F7290D7B0AD0AC791

Function 00A721D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00A7222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00A72255

Strings

<local>, xrefs: 00A7221D

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 5dfe692965c0c00b2ba1c0a797d49eafa1e3bdaf302ec0589050d6e8b00ea123
Instruction ID: 2dd48ebc2ac83bed80c1bcc66fe6e55c8d1cdee29b614aa57b50740772006ca1
Opcode Fuzzy Hash: 5dfe692965c0c00b2ba1c0a797d49eafa1e3bdaf302ec0589050d6e8b00ea123
Instruction Fuzzy Hash: F611A070541225BADB258F518C84FFBFBACFF1A751F10C22AF91986101D6709991D7F0

Function 00A77D8B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A77FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00A77DB3,?,00000000,?,?), ref: 00A7800D

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00A77DB6
htons.WSOCK32(00000000,?,00000000), ref: 00A77DF3

Strings

255.255.255.255, xrefs: 00A77DCE

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: e0fdfde36663f3c4afc734ed7fe7e86ca3f1963295ba11b30d562d60f1d32602
Instruction ID: 9863a26869f733e7d5dcc12e63acffbef35a72ca0574ace40d0da48f5bca0bd1
Opcode Fuzzy Hash: e0fdfde36663f3c4afc734ed7fe7e86ca3f1963295ba11b30d562d60f1d32602
Instruction Fuzzy Hash: B7118234604209ABDB20AFA4DC86FBEB364FF04320F60C55AE915572D2DA71A815CB91

Function 00A58E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A07DE1: _memmove.LIBCMT ref: 00A07E22

Part of subcall function 00A5AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00A5AABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00A58E73

Strings

ComboBox, xrefs: 00A58E12
ListBox, xrefs: 00A58E3D

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: ee10b6eea9213e320ca7ac2d37bb9b7ef8b181a7bc24e57aa0cf3d22f28c868b
Instruction ID: 41a61ef735872de2a8bce56b3e6fb462d012e296033c0a6473493068aa2322d9
Opcode Fuzzy Hash: ee10b6eea9213e320ca7ac2d37bb9b7ef8b181a7bc24e57aa0cf3d22f28c868b
Instruction Fuzzy Hash: 15019EB1A01219BBCB14EBE4DD568FE7379BF46360B540A19FC25672E2EE35980CCA50

Function 00A58CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A07DE1: _memmove.LIBCMT ref: 00A07E22

Part of subcall function 00A5AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00A5AABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 00A58D6B

Strings

ComboBox, xrefs: 00A58D0A
ListBox, xrefs: 00A58D35

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: f0018eb6675864ac0bc3fef05d9f4194f0fc78c8e08ada0739bf14d781a45518
Instruction ID: b39a02d2ae2e2c4106ce8a6f759d17b90eb1cf61a0ff8a8b5be8f7acf53dac39
Opcode Fuzzy Hash: f0018eb6675864ac0bc3fef05d9f4194f0fc78c8e08ada0739bf14d781a45518
Instruction Fuzzy Hash: C301BCB2B4110DABCF14EBE0DA52AFE73B8AF15381F500429B906772E2DE345A0C9661

Function 00A58D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A07DE1: _memmove.LIBCMT ref: 00A07E22

Part of subcall function 00A5AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00A5AABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 00A58DEE

Strings

ComboBox, xrefs: 00A58D8F
ListBox, xrefs: 00A58DBA

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: fa6d776fa056bb6a533f35f4c91f2494da9f367b983be10bf8f6780d0c87727a
Instruction ID: fa02a0d70b344ae9f928df892446d59302d8aa4d0c5aa5d22707a57d1a27d53a
Opcode Fuzzy Hash: fa6d776fa056bb6a533f35f4c91f2494da9f367b983be10bf8f6780d0c87727a
Instruction Fuzzy Hash: 6901DFB2B41109BBDB10EBE4DA52AFE73ACAB11341F104425BC05732D2DA355E0CD671

Function 00A64F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00A64F46
_wcscmp.LIBCMT ref: 00A64F58

Strings

#32770, xrefs: 00A64F52

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 416245cb9016e7113ce43b19044cafcde90221dd659b23e79a7d3ac5f56bee05
Instruction ID: 2c85c0acfde7f114c8e13660c845c527844d08287d4c045a774d1d18266b44b2
Opcode Fuzzy Hash: 416245cb9016e7113ce43b19044cafcde90221dd659b23e79a7d3ac5f56bee05
Instruction Fuzzy Hash: 5CE092326002292AE720DB99AC49EA7F7ACEB55B60F11016AFD04D2051D960AA5687E0

Function 00A3B2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00A3B314: _memset.LIBCMT ref: 00A3B321

Part of subcall function 00A20940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00A3B2F0,?,?,?,00A0100A), ref: 00A20945

IsDebuggerPresent.KERNEL32(?,?,?,00A0100A), ref: 00A3B2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00A0100A), ref: 00A3B303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00A3B2FE

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 57299f6792795bb465aef62471023956afc0a3bf4e701e1e016479773a74482f
Instruction ID: 8871801aee77ce5e3e840ce79deb20fba43fc30e32e7a3152c071a81eb6cfc25
Opcode Fuzzy Hash: 57299f6792795bb465aef62471023956afc0a3bf4e701e1e016479773a74482f
Instruction Fuzzy Hash: 90E06D702107218FD720EF68E504782BAE4BF10304F00893CF856CB691EBB4E485CBB1

Function 00A57C74 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00A57C82

Part of subcall function 00A23358: _doexit.LIBCMT ref: 00A23362

Strings

Error allocating memory., xrefs: 00A57C7B
AutoIt, xrefs: 00A57C76

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: b4b697d33b43a43f15f53e6b7df33ed34951ba0f1d18d062e97db5b3db8e06bf
Instruction ID: d6061734177cad756b614d92fdd467168d0c3df8c7da04350121fe7150e7929d
Opcode Fuzzy Hash: b4b697d33b43a43f15f53e6b7df33ed34951ba0f1d18d062e97db5b3db8e06bf
Instruction Fuzzy Hash: ADD012323853683AD21572A97D06FCA66885B05B52F140825BB04695D349D6459142A5

Function 00A41935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00A41775

Part of subcall function 00A7BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,00A4195E,?), ref: 00A7BFFE
Part of subcall function 00A7BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00A7C010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00A4196D

Strings

WIN_XPe, xrefs: 00A41788

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: cccd2e0d490afc83aa707c750a19fc6d45384e812786a678b6931160917129c9
Instruction ID: 55c55b53489ebbb89e0554273d05a8f2f94bdd8741867a06ce4da8b4c2bc9e5f
Opcode Fuzzy Hash: cccd2e0d490afc83aa707c750a19fc6d45384e812786a678b6931160917129c9
Instruction Fuzzy Hash: D4F0E5B4800109EFDB25DBA1CA88BECBBF8BB88301F640095E112A60A0D7759F85DF64

Function 00A85998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A859AE
PostMessageW.USER32(00000000), ref: 00A859B5

Part of subcall function 00A65244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00A652BC

Strings

Shell_TrayWnd, xrefs: 00A859A7

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: aa2f5a990c3467d70084210286465c5951eafdb7240bb9f0fc317e53849352b1
Instruction ID: a2503d1a42e64e52a99d54249c74b66d58f9830911e1f0165182170906a288e2
Opcode Fuzzy Hash: aa2f5a990c3467d70084210286465c5951eafdb7240bb9f0fc317e53849352b1
Instruction Fuzzy Hash: D8D0C9317803127AE668BBB09C0BFD66628BB04B50F000935B246AA1D1D9E4A801C754

Function 00A85964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A8596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00A85981

Part of subcall function 00A65244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00A652BC

Strings

Shell_TrayWnd, xrefs: 00A85967

Memory Dump Source

Source File: 00000000.00000002.1285174215.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1285139093.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285332068.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285528087.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1285579938.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_hZbkP3TJBJ.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 1b28249e23ff8ca7330d3d242435d3382df7bcc990727e3317636753b37cd817
Instruction ID: 84a7322bdec74111cf2f21ff15a9b13d5495725385c00b71a802b87c5604d2aa
Opcode Fuzzy Hash: 1b28249e23ff8ca7330d3d242435d3382df7bcc990727e3317636753b37cd817
Instruction Fuzzy Hash: 83D0C931784312BAE668BBB09C1BFD66A28BB00B50F000935B24AAA1D1D9E4A801C754

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report hZbkP3TJBJ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

C:\Users\user\AppData\Local\Temp\aut905D.tmp

C:\Users\user\AppData\Local\Temp\aut9EA6.tmp

C:\Users\user\AppData\Local\Temp\autD98C.tmp

C:\Users\user\AppData\Local\Temp\peaks

C:\Users\user\AppData\Local\maneuverability\outbluffed.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outbluffed.vbs

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
hZbkP3TJBJ.exe

Function 00A03B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00A049A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00A04E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre